cedric pushed a commit to branch master.

http://git.enlightenment.org/core/efl.git/commit/?id=917fdbd59706145ea37eae59a6a47f7b9d1e7ff3

commit 917fdbd59706145ea37eae59a6a47f7b9d1e7ff3
Author: Youngbok Shin <youngb.s...@samsung.com>
Date:   Tue Dec 1 15:03:27 2015 -0800

    evas: fix a NULL dereference issue in font.
    
    Summary:
    eina_list_remove returns Eina_List pointer.
    It could be NULL if the last list item is removed.
    And the returned Eina_List pointer could be different from the given list.
    So, calling free for fdir->data after fdir's address is changed is dangerous.
    @fix
    
    Test Plan: Run expedite or test app with evas_font_path_append() API.
    
    Reviewers: stefan_schmidt, jpeg
    
    Reviewed By: jpeg
    
    Subscribers: stefan, jiin.moon, cedric, jpeg
    
    Differential Revision: https://phab.enlightenment.org/D3392
    
    Signed-off-by: Cedric BAIL <ced...@osg.samsung.com>
---
 src/lib/evas/canvas/evas_font_dir.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/lib/evas/canvas/evas_font_dir.c 
b/src/lib/evas/canvas/evas_font_dir.c
index dc9ac20..b54e6c0 100644
--- a/src/lib/evas/canvas/evas_font_dir.c
+++ b/src/lib/evas/canvas/evas_font_dir.c
@@ -1122,7 +1122,7 @@ static Evas_Font_Dir *
 object_text_font_cache_dir_add(char *dir)
 {
    Evas_Font_Dir *fd;
-   char *tmp, *tmp2;
+   char *tmp, *tmp2, *file;
    Eina_List *fdir;
    Evas_Font *fn;
 
@@ -1183,9 +1183,9 @@ object_text_font_cache_dir_add(char *dir)
 
    /* directoy listing */
    fdir = evas_file_path_list(dir, "*.ttf", 0);
-   while (fdir)
+   EINA_LIST_FREE(fdir, file)
      {
-       tmp = evas_file_path_join(dir, fdir->data);
+       tmp = evas_file_path_join(dir, file);
        if (tmp)
          {
             fn = calloc(1, sizeof(Evas_Font));
@@ -1194,12 +1194,12 @@ object_text_font_cache_dir_add(char *dir)
                  char *p;
 
                  fn->type = 0;
-                 tmp2 = alloca(strlen(fdir->data) + 1);
-                 strcpy(tmp2, fdir->data);
+                 tmp2 = alloca(strlen(file) + 1);
+                 strcpy(tmp2, file);
                  p = strrchr(tmp2, '.');
                  if (p) *p = 0;
                  fn->simple.name = eina_stringshare_add(tmp2);
-                 tmp2 = evas_file_path_join(dir, fdir->data);
+                 tmp2 = evas_file_path_join(dir, file);
                  if (tmp2)
                    {
                       fn->path = eina_stringshare_add(tmp2);
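Review bot: The `alloca(strlen(file) + 1)` scratch copy sits inside the EINA_LIST_FREE loop, and alloca storage is released only when object_text_font_cache_dir_add() returns, so stack use grows with every `*.ttf` entry found in `dir`. The copy exists only to cut the extension, which needs no scratch buffer: `p = strrchr(file, '.');` followed by `fn->simple.name = p ? eina_stringshare_add_length(file, (unsigned int)(p - file)) : eina_stringshare_add(file);`. The second `evas_file_path_join(dir, file)` also appears to repeat the join already held in `tmp`. Whether `tmp2` is released afterwards cannot be checked here, because the block continues outside the hunk.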
@@ -1209,8 +1209,7 @@ object_text_font_cache_dir_add(char *dir)
               }
             free(tmp);
          }
-       fdir = eina_list_remove(fdir, fdir->data);
-       free(fdir->data);
+       free(file);
      }
 
    /* fonts.alias */
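Review bot: The `free(file)` at the bottom of the loop is now the only release of each name string, and nothing in the code says so. EINA_LIST_FREE frees the list node itself and hands the data pointer to the body, so a `continue` or `break` added above this line later would leak `file` (and, for `break`, the rest of the list). A short comment would pin that down, for example `/* EINA_LIST_FREE drops the node; the name string is ours to free, on every path */`. The loop body starts outside this hunk, so existing early exits, if any, could not be checked here.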

-- 

