From 12655becaa8abfa81029f325a9b2e02f70ddd368 Mon Sep 17 00:00:00 2001 From: Mike Blumenkrantz Date: Fri, 10 Feb 2017 17:23:43 -0500 Subject: [PATCH] ref clients during exe_inst deletion to avoid invalid access after free in the case where clients are deleted during the same loop that they are added to an exe_inst, the client will be destroyed before the instance's delete event returns ref T4963 --- src/bin/e_client.c | 7 ++++--- src/bin/e_exec.c | 2 ++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/bin/e_client.c b/src/bin/e_client.c index df194973c..8fbb206e3 100644 --- a/src/bin/e_client.c +++ b/src/bin/e_client.c @@ -618,11 +618,12 @@ _e_client_del(E_Client *ec) else { if (!ec->exe_inst->deleted) - ec->exe_inst->clients = eina_list_remove(ec->exe_inst->clients, ec); + { + ec->exe_inst->clients = eina_list_remove(ec->exe_inst->clients, ec); + ec->exe_inst = NULL; + } } } - if (ec->exe_inst && (!ec->exe_inst->deleted)) - ec->exe_inst = NULL; _e_client_mouse_action_end(ec); if (action_client == ec) _e_client_action_finish(); diff --git a/src/bin/e_exec.c b/src/bin/e_exec.c index e157163f8..7bfcc36ce 100644 --- a/src/bin/e_exec.c +++ b/src/bin/e_exec.c @@ -612,6 +612,7 @@ _e_exec_instance_free(E_Exec_Instance *inst) { inst->deleted = 1; inst->ref++; + E_LIST_FOREACH(inst->clients, e_object_ref); ecore_event_add(E_EVENT_EXEC_DEL, inst, _e_exec_cb_exec_del_free, inst); return EINA_FALSE; } @@ -622,6 +623,7 @@ _e_exec_instance_free(E_Exec_Instance *inst) EINA_LIST_FREE(inst->clients, ec) { ec->exe_inst = NULL; + e_object_unref(E_OBJECT(ec)); } if (inst->desktop) efreet_desktop_free(inst->desktop); if (!inst->phony)