woohyun pushed a commit to branch efl-1.9. http://git.enlightenment.org/core/efl.git/commit/?id=7a0fb4977343c655eb30907587302767d1dd44d0
commit 7a0fb4977343c655eb30907587302767d1dd44d0 Author: WooHyun Jung <[email protected]> Date: Tue Mar 11 16:34:56 2014 +0900 evas: Replace EINA_LIST_FOREACH_SAFE to while statement. Clipees can be cleared before the loop is finished because evas_object_clip_unset calls smart function of clip_unset. So, if we use EINA_LIST_FOREACH_SAFE, invalid next list pointer can be kept and read after obj->clip.clipees is freed. Thanks to Davide Andreoli for reporting. @fix
---
 src/lib/evas/canvas/evas_object_main.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/lib/evas/canvas/evas_object_main.c b/src/lib/evas/canvas/evas_object_main.c
index 637551a..9591a19 100644
--- a/src/lib/evas/canvas/evas_object_main.c
+++ b/src/lib/evas/canvas/evas_object_main.c
@@ -621,7 +621,6 @@ _destructor(Eo *eo_obj, void *_pd, va_list *list EINA_UNUSED)
 return;
 MAGIC_CHECK_END();
 Evas_Object_Protected_Data *obj = _pd;
- Evas_Object_Protected_Data *tmp;
 Evas_Object *proxy;
 Eina_List *l, *l2;
@@ -654,8 +653,14 @@ _destructor(Eo *eo_obj, void *_pd, va_list *list EINA_UNUSED)
 goto end;
 }
 evas_object_grabs_cleanup(eo_obj, obj);
- EINA_LIST_FOREACH_SAFE(obj->clip.clipees, l, l2, tmp)
- evas_object_clip_unset(tmp->object);
+ /* "while" should be used for null check of obj->clip.clipees,
+ because evas_objct_clip_unset can set null to obj->clip.clipees */
+ while (obj->clip.clipees)
+ {
+ Evas_Object_Protected_Data *tmp;
+ tmp = eina_list_data_get(obj->clip.clipees);
+ evas_object_clip_unset(tmp->object);
+ }
 EINA_LIST_FOREACH_SAFE(obj->proxy->proxies, l, l2, proxy)
 evas_object_image_source_unset(proxy);
 if (obj->cur->clipper) evas_object_clip_unset(eo_obj);
--
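Review bot: The new `while (obj->clip.clipees)` loop in the second hunk has no progress guarantee: it ends only if every `evas_object_clip_unset(tmp->object)` call really removes the head entry from `obj->clip.clipees`, and nothing in the hunk enforces that. If the callee returns early for some clipee (it is not shown here, so this is inferred; a failed magic check or a clip_unset that a smart object handles differently would do it), the destructor spins on the same node forever, trading the stale-pointer read for a hang during object deletion. `tmp` is also dereferenced without checking that the list data is non-NULL. A guard after the call would bound the loop, for example `if (eina_list_data_get(obj->clip.clipees) == tmp) obj->clip.clipees = eina_list_remove_list(obj->clip.clipees, obj->clip.clipees);`, ideally with an error log so the stuck clipee is visible. `_destructor` begins and ends outside the hunk, so whether dropping the entry directly is enough for the clipee's own state needs checking against the rest of the function.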
