aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYoungbok Shin <youngb.shin@samsung.com>2015-12-01 15:03:27 -0800
committerChris Michael <cp.michael@samsung.com>2015-12-03 11:31:06 -0500
commit39e8f1824e4d0d9f1ae9a6ee96c32463fa814ace (patch)
tree1a3fe3213dbeccab3c7bd541c2f0c3b7c0b6cae6
parentedje: add mising closing brace and adjust indents and spacing in test edc (diff)
downloadefl-39e8f1824e4d0d9f1ae9a6ee96c32463fa814ace.tar.gz
evas: fix a NULL dereference issue in font.
Summary: eina_list_remove returns Eina_List pointer. It could be NULL if the last list item is removed. And the returned Eina_List pointer could be different from the given list. So, calling free for fdir->data after fdir's address is changed is dangerous. @fix Test Plan: Run expedite or test app with evas_font_path_append() API. Reviewers: stefan_schmidt, jpeg Reviewed By: jpeg Subscribers: stefan, jiin.moon, cedric, jpeg Differential Revision: https://phab.enlightenment.org/D3392 Signed-off-by: Cedric BAIL <cedric@osg.samsung.com>
-rw-r--r--src/lib/evas/canvas/evas_font_dir.c15
1 files changed, 7 insertions, 8 deletions
diff --git a/src/lib/evas/canvas/evas_font_dir.c b/src/lib/evas/canvas/evas_font_dir.c
index dc9ac2073e..b54e6c0f41 100644
--- a/src/lib/evas/canvas/evas_font_dir.c
+++ b/src/lib/evas/canvas/evas_font_dir.c
@@ -1122,7 +1122,7 @@ static Evas_Font_Dir *
object_text_font_cache_dir_add(char *dir)
{
Evas_Font_Dir *fd;
- char *tmp, *tmp2;
+ char *tmp, *tmp2, *file;
Eina_List *fdir;
Evas_Font *fn;
@@ -1183,9 +1183,9 @@ object_text_font_cache_dir_add(char *dir)
/* directoy listing */
fdir = evas_file_path_list(dir, "*.ttf", 0);
- while (fdir)
+ EINA_LIST_FREE(fdir, file)
{
- tmp = evas_file_path_join(dir, fdir->data);
+ tmp = evas_file_path_join(dir, file);
if (tmp)
{
fn = calloc(1, sizeof(Evas_Font));
@@ -1194,12 +1194,12 @@ object_text_font_cache_dir_add(char *dir)
char *p;
fn->type = 0;
- tmp2 = alloca(strlen(fdir->data) + 1);
- strcpy(tmp2, fdir->data);
+ tmp2 = alloca(strlen(file) + 1);
+ strcpy(tmp2, file);
p = strrchr(tmp2, '.');
if (p) *p = 0;
fn->simple.name = eina_stringshare_add(tmp2);
- tmp2 = evas_file_path_join(dir, fdir->data);
+ tmp2 = evas_file_path_join(dir, file);
if (tmp2)
{
fn->path = eina_stringshare_add(tmp2);
@@ -1209,8 +1209,7 @@ object_text_font_cache_dir_add(char *dir)
}
free(tmp);
}
- fdir = eina_list_remove(fdir, fdir->data);
- free(fdir->data);
+ free(file);
}
/* fonts.alias */