summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYoungbok Shin <youngb.shin@samsung.com>2015-12-01 15:03:27 -0800
committerChris Michael <cp.michael@samsung.com>2015-12-03 11:31:06 -0500
commit39e8f1824e4d0d9f1ae9a6ee96c32463fa814ace (patch)
tree1a3fe3213dbeccab3c7bd541c2f0c3b7c0b6cae6
parent8c3af8ef193c6c823f0cc0ca073411d1b943dfb4 (diff)
evas: fix a NULL dereference issue in font.
Summary: eina_list_remove returns Eina_List pointer. It could be NULL if the last list item is removed. And the returned Eina_List pointer could be different from the given list. So, calling free for fdir->data after fdir's address is changed is dangerous. @fix Test Plan: Run expedite or test app with evas_font_path_append() API. Reviewers: stefan_schmidt, jpeg Reviewed By: jpeg Subscribers: stefan, jiin.moon, cedric, jpeg Differential Revision: https://phab.enlightenment.org/D3392 Signed-off-by: Cedric BAIL <cedric@osg.samsung.com>
-rw-r--r--src/lib/evas/canvas/evas_font_dir.c15
1 files changed, 7 insertions, 8 deletions
diff --git a/src/lib/evas/canvas/evas_font_dir.c b/src/lib/evas/canvas/evas_font_dir.c
index dc9ac2073e..b54e6c0f41 100644
--- a/src/lib/evas/canvas/evas_font_dir.c
+++ b/src/lib/evas/canvas/evas_font_dir.c
@@ -1122,7 +1122,7 @@ static Evas_Font_Dir *
1122object_text_font_cache_dir_add(char *dir) 1122object_text_font_cache_dir_add(char *dir)
1123{ 1123{
1124 Evas_Font_Dir *fd; 1124 Evas_Font_Dir *fd;
1125 char *tmp, *tmp2; 1125 char *tmp, *tmp2, *file;
1126 Eina_List *fdir; 1126 Eina_List *fdir;
1127 Evas_Font *fn; 1127 Evas_Font *fn;
1128 1128
@@ -1183,9 +1183,9 @@ object_text_font_cache_dir_add(char *dir)
1183 1183
1184 /* directoy listing */ 1184 /* directoy listing */
1185 fdir = evas_file_path_list(dir, "*.ttf", 0); 1185 fdir = evas_file_path_list(dir, "*.ttf", 0);
1186 while (fdir) 1186 EINA_LIST_FREE(fdir, file)
1187 { 1187 {
1188 tmp = evas_file_path_join(dir, fdir->data); 1188 tmp = evas_file_path_join(dir, file);
1189 if (tmp) 1189 if (tmp)
1190 { 1190 {
1191 fn = calloc(1, sizeof(Evas_Font)); 1191 fn = calloc(1, sizeof(Evas_Font));
@@ -1194,12 +1194,12 @@ object_text_font_cache_dir_add(char *dir)
1194 char *p; 1194 char *p;
1195 1195
1196 fn->type = 0; 1196 fn->type = 0;
1197 tmp2 = alloca(strlen(fdir->data) + 1); 1197 tmp2 = alloca(strlen(file) + 1);
1198 strcpy(tmp2, fdir->data); 1198 strcpy(tmp2, file);
1199 p = strrchr(tmp2, '.'); 1199 p = strrchr(tmp2, '.');
1200 if (p) *p = 0; 1200 if (p) *p = 0;
1201 fn->simple.name = eina_stringshare_add(tmp2); 1201 fn->simple.name = eina_stringshare_add(tmp2);
1202 tmp2 = evas_file_path_join(dir, fdir->data); 1202 tmp2 = evas_file_path_join(dir, file);
1203 if (tmp2) 1203 if (tmp2)
1204 { 1204 {
1205 fn->path = eina_stringshare_add(tmp2); 1205 fn->path = eina_stringshare_add(tmp2);
@@ -1209,8 +1209,7 @@ object_text_font_cache_dir_add(char *dir)
1209 } 1209 }
1210 free(tmp); 1210 free(tmp);
1211 } 1211 }
1212 fdir = eina_list_remove(fdir, fdir->data); 1212 free(file);
1213 free(fdir->data);
1214 } 1213 }
1215 1214
1216 /* fonts.alias */ 1215 /* fonts.alias */