raster pushed a commit to branch master.
http://git.enlightenment.org/core/efl.git/commit/?id=761d6fa192b3912ef2ae787d955f605e4e657536
commit 761d6fa192b3912ef2ae787d955f605e4e657536
Author: Carsten Haitzler (Rasterman) <ras...@rasterman.com>
Date: Sun Aug 9 10:29:28 2015 +0900
edje - signal matcvhes - fix null deref when patterns is NULL
ok. i found this once-ever-seen thing where
Edje_Signal_Callback_Matches has ALL fields NULL/0 except refcount was
huge (like 13834275 or something like that). i can't see why at the
moment, but defend against it to avoid crashes here by handling these
being null
---
src/lib/edje/edje_program.c | 62 ++++++++++++++++++++++-----------------------
src/lib/edje/edje_signal.c | 3 +--
2 files changed, 32 insertions(+), 33 deletions(-)
diff --git a/src/lib/edje/edje_program.c b/src/lib/edje/edje_program.c
index bf719a0..0c97e21 100644
--- a/src/lib/edje/edje_program.c
+++ b/src/lib/edje/edje_program.c
@@ -1442,47 +1442,47 @@ _edje_emit_cb(Edje *ed, const char *sig, const char
*src, Edje_Message_Signal_Da
ed->walking_callbacks++;
ssp = _edje_signal_callback_patterns_ref(ed->callbacks);
+ if (ssp)
+ {
+ m = (Edje_Signal_Callback_Matches *)ed->callbacks->matches;
+ EINA_REFCOUNT_REF(m);
- m = (Edje_Signal_Callback_Matches *)ed->callbacks->matches;
- EINA_REFCOUNT_REF(m);
-
- callback_extra_data = (data) ? data->data : NULL;
+ callback_extra_data = (data) ? data->data : NULL;
- if (eina_inarray_count(&ssp->u.callbacks.globing))
- r = edje_match_callback_exec(ssp,
- m->matches,
- sig,
- src,
- ed,
- prop);
+ if (eina_inarray_count(&ssp->u.callbacks.globing))
+ r = edje_match_callback_exec(ssp,
+ m->matches,
+ sig,
+ src,
+ ed,
+ prop);
- if (!r)
- goto break_prog;
+ if (!r) goto break_prog;
- match = edje_match_signal_source_hash_get(sig, src,
- ssp->exact_match);
- if (match)
- {
- const Edje_Signal_Callback_Match *cb;
- unsigned int *i;
+ match = edje_match_signal_source_hash_get(sig, src,
+ ssp->exact_match);
+ if (match)
+ {
+ const Edje_Signal_Callback_Match *cb;
+ unsigned int *i;
- EINA_INARRAY_FOREACH(match, i)
- {
- if (ed->callbacks->flags[*i].delete_me) continue;
- if ((prop) && (ed->callbacks->flags[*i].propagate)) continue;
+ EINA_INARRAY_FOREACH(match, i)
+ {
+ if (ed->callbacks->flags[*i].delete_me) continue;
+ if ((prop) && (ed->callbacks->flags[*i].propagate)) continue;
- cb = &m->matches[*i];
+ cb = &m->matches[*i];
- cb->func((void *)ed->callbacks->custom_data[*i], ed->obj, sig, src);
- if (_edje_block_break(ed))
- break;
- }
- }
+ cb->func((void *)ed->callbacks->custom_data[*i], ed->obj,
sig, src);
+ if (_edje_block_break(ed)) break;
+ }
+ }
break_prog:
- _edje_signal_callback_matches_unref(m);
+ _edje_signal_callback_matches_unref(m);
- _edje_signal_callback_patterns_unref(ssp);
+ _edje_signal_callback_patterns_unref(ssp);
+ }
ed->walking_callbacks--;
diff --git a/src/lib/edje/edje_signal.c b/src/lib/edje/edje_signal.c
index e92787f..ccefc7f 100644
--- a/src/lib/edje/edje_signal.c
+++ b/src/lib/edje/edje_signal.c
@@ -406,8 +406,7 @@ _edje_signal_callback_patterns_ref(const
Edje_Signal_Callback_Group *gp)
got_it:
tmp = (Edje_Signal_Callback_Matches *)gp->matches;
-
- EINA_REFCOUNT_REF(tmp->patterns);
+ if (tmp->patterns) EINA_REFCOUNT_REF(tmp->patterns);
return gp->matches->patterns;
}
--
