discomfitor pushed a commit to branch enlightenment-0.21.

http://git.enlightenment.org/core/enlightenment.git/commit/?id=b005919ea9504b24f20334905a07874ef2034e8d

commit b005919ea9504b24f20334905a07874ef2034e8d
Author: Mike Blumenkrantz <[email protected]>
Date:   Fri Feb 10 17:23:43 2017 -0500

    ref clients during exe_inst deletion to avoid invalid access after free
    
    in the case where clients are deleted during the same loop that they are
    added to an exe_inst, the client will be destroyed before the instance's
    delete event returns
    
    ref T4963
---
 src/bin/e_client.c | 7 ++++---
 src/bin/e_exec.c   | 2 ++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/bin/e_client.c b/src/bin/e_client.c
index ed26b88..568d343 100644
--- a/src/bin/e_client.c
+++ b/src/bin/e_client.c
@@ -592,11 +592,12 @@ _e_client_del(E_Client *ec)
         else
           {
              if (!ec->exe_inst->deleted)
-               ec->exe_inst->clients = eina_list_remove(ec->exe_inst->clients, 
ec);
+               {
+                  ec->exe_inst->clients = 
eina_list_remove(ec->exe_inst->clients, ec);
+                  ec->exe_inst = NULL;
+               }
           }
      }
-   if (ec->exe_inst && (!ec->exe_inst->deleted))
-     ec->exe_inst = NULL;
 
    _e_client_mouse_action_end(ec);
    if (action_client == ec) _e_client_action_finish();
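Review bot: The `deleted` case is now the one path through this `else` that leaves `ec->exe_inst` pointing at the instance, and nothing at the site says that this is intentional. A comment above `if (!ec->exe_inst->deleted)` would record the lifetime invariant the e_exec.c side of this commit sets up, for example `/* a deleted instance holds a ref on ec and clears ec->exe_inst itself when it is finally freed */`. The branch before the `else` starts outside the hunk; because the trailing `if (ec->exe_inst && (!ec->exe_inst->deleted)) ec->exe_inst = NULL;` is removed, it is worth confirming that branch cannot return with `ec->exe_inst` still pointing at an instance that is not flagged deleted.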
diff --git a/src/bin/e_exec.c b/src/bin/e_exec.c
index 702ede4..200fe1c 100644
--- a/src/bin/e_exec.c
+++ b/src/bin/e_exec.c
@@ -612,6 +612,7 @@ _e_exec_instance_free(E_Exec_Instance *inst)
      {
         inst->deleted = 1;
         inst->ref++;
+        E_LIST_FOREACH(inst->clients, e_object_ref);
         ecore_event_add(E_EVENT_EXEC_DEL, inst, _e_exec_cb_exec_del_free, 
inst);
         return EINA_FALSE;
      }
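Review bot: The refs taken by `E_LIST_FOREACH(inst->clients, e_object_ref);` are balanced only if `inst->clients` holds exactly the same entries when the `EINA_LIST_FREE` loop in the next hunk calls `e_object_unref(E_OBJECT(ec))` on each one. If any path can still append a client to the list after `deleted` is set, that client would be unref'd without a matching ref and could be freed while other holders still use it. The add side is not visible in this diff, so that needs checking against the callers. A comment here such as `/* keep clients alive until the deferred free; released in the EINA_LIST_FREE loop below */` would make the pairing explicit. The condition guarding this block is outside the hunk, so it should also be confirmed that the block cannot run twice for the same instance and take a second set of refs.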
@@ -622,6 +623,7 @@ _e_exec_instance_free(E_Exec_Instance *inst)
    EINA_LIST_FREE(inst->clients, ec)
      {
         ec->exe_inst = NULL;
+        e_object_unref(E_OBJECT(ec));
      }
    if (inst->desktop) efreet_desktop_free(inst->desktop);
    if (!inst->phony)

-- 

