raster pushed a commit to branch master. http://git.enlightenment.org/core/efl.git/commit/?id=443677c7f961032c37dc8b408db95e5655eb6b63
commit 443677c7f961032c37dc8b408db95e5655eb6b63 Author: Carsten Haitzler (Rasterman) <[email protected]> Date: Sat Aug 24 15:21:42 2019 +0100 scalecache - handle possible use after free with sci still in list the sci may still be in the list then we free it because sci->im is NULL .. it may always have been null. this should guard against that and fix it. @fix --- src/lib/evas/common/evas_image_scalecache.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/lib/evas/common/evas_image_scalecache.c b/src/lib/evas/common/evas_image_scalecache.c index 5ca64b1897..ab390a1621 100644 --- a/src/lib/evas/common/evas_image_scalecache.c +++ b/src/lib/evas/common/evas_image_scalecache.c @@ -174,7 +174,7 @@ evas_common_rgba_image_scalecache_dirty(Image_Entry *ie) { Scaleitem *sci = im->cache.list->data; - im->cache.list = eina_list_remove(im->cache.list, sci); + im->cache.list = eina_list_remove_list(im->cache.list, im->cache.list); if ((sci->im) && (sci->im->cache_entry.references == 0)) { SLKL(cache_lock); @@ -192,7 +192,17 @@ evas_common_rgba_image_scalecache_dirty(Image_Entry *ie) } if (!sci->im) - free(sci); + { + Eina_Inlist *il = (Eina_Inlist *)sci; + + if ((il->next) || (il->prev) || (il == cache_list)) + { + SLKL(cache_lock); + cache_list = eina_inlist_remove(cache_list, (Eina_Inlist *)sci); + SLKU(cache_lock); + } + free(sci); + } } eina_hash_free(im->cache.hash); im->cache.hash = NULL; --
