From 4efaebfc702c83b128abefa5e4896e37838adedc Mon Sep 17 00:00:00 2001
From: WooHyun Jung
Date: Fri, 13 Dec 2019 10:33:00 +0900
Subject: [PATCH] efl_ui_internal_text_interactive: prevent from freed memory accessing

If node_format_remove_pair frees node, then next for loop can lead invalid memory accessing. This patch prevents from that case by keeping the next node before freeing.
---
 .../elementary/efl_ui_internal_text_interactive.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/lib/elementary/efl_ui_internal_text_interactive.c b/src/lib/elementary/efl_ui_internal_text_interactive.c
index 017f2a884b..a0bbba6469 100644
--- a/src/lib/elementary/efl_ui_internal_text_interactive.c
+++ b/src/lib/elementary/efl_ui_internal_text_interactive.c
@@ -158,21 +158,25 @@ Eina_Bool
 _entry_hide_visible_password(Eo *obj)
 {
 Eina_Bool b_ret = EINA_FALSE;
- const Evas_Object_Textblock_Node_Format *node;
+ const Evas_Object_Textblock_Node_Format *node, *node_next;
 node = evas_textblock_node_format_first_get(obj);
- for (; node; node = evas_textblock_node_format_next_get(node))
+
+ if (!node) return EINA_FALSE;
+
+ do
 {
+ node_next = evas_textblock_node_format_next_get(node);
 const char *text = evas_textblock_node_format_text_get(node);
 if (text)
 {
 if (!strcmp(text, "+ password=off"))
 {
- evas_textblock_node_format_remove_pair(obj,
- (Evas_Object_Textblock_Node_Format *)node);
+ evas_textblock_node_format_remove_pair(obj, (Evas_Object_Textblock_Node_Format *)node);
 b_ret = EINA_TRUE;
 }
 }
- }
+ node = node_next;
+ } while (node);

 return b_ret;
 }
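Review bot: Caching `node_next` before the call still leaves a dangling pointer when the other half of the pair removed by `evas_textblock_node_format_remove_pair()` is the very next format node. Judging by its name the call frees both nodes of the pair, so in that case `node = node_next` followed by `evas_textblock_node_format_text_get(node)` reads freed memory again. A safer resume point is a node that cannot belong to the pair: take `prev = evas_textblock_node_format_prev_get(node);` before the removal and afterwards set `node_next = prev ? evas_textblock_node_format_next_get(prev) : evas_textblock_node_format_first_get(obj);`. The early `if (!node) return EINA_FALSE;` plus `do … while (node)` could also be a plain `while (node)` loop, which handles the empty list without a second exit. It is worth confirming under AddressSanitizer with an entry whose `+ password=off` node is directly followed by its matching format node.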