authorCarsten Haitzler (Rasterman) <raster@rasterman.com>2019-08-24 15:21:42 +0100
committerCarsten Haitzler (Rasterman) <raster@rasterman.com>2019-08-24 15:21:42 +0100
commit443677c7f961032c37dc8b408db95e5655eb6b63 (patch)
tree7ce9e40f050a53b30925038e682a1c694d777a26 /src/lib/evas/common/evas_image_scalecache.c
parente7510f67700edb24fa1f3ba87dee09729a810d40 (diff)
scalecache - handle possible use after free with sci still in list
The sci may still be in the list when we free it because sci->im is NULL; it may always have been NULL. This should guard against that and fix it. @fix
Diffstat (limited to '')
-rw-r--r--src/lib/evas/common/evas_image_scalecache.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/src/lib/evas/common/evas_image_scalecache.c b/src/lib/evas/common/evas_image_scalecache.c
index 5ca64b1897..ab390a1621 100644
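--- a/src/lib/evas/common/evas_image_scalecache.c
+++ b/src/lib/evas/common/evas_image_scalecache.c
@@ -174,7 +174,7 @@ evas_common_rgba_image_scalecache_dirty(Image_Entry *ie)
 {
 Scaleitem *sci = im->cache.list->data;
 
-im->cache.list = eina_list_remove(im->cache.list, sci);
+im->cache.list = eina_list_remove_list(im->cache.list, im->cache.list);
 if ((sci->im) && (sci->im->cache_entry.references == 0))
 {
 SLKL(cache_lock);
@@ -192,7 +192,17 @@ evas_common_rgba_image_scalecache_dirty(Image_Entry *ie)
 }
 
 if (!sci->im)
-free(sci);
+{
+Eina_Inlist *il = (Eina_Inlist *)sci;
+
+if ((il->next) || (il->prev) || (il == cache_list))
+{
+SLKL(cache_lock);
+cache_list = eina_inlist_remove(cache_list, (Eina_Inlist *)sci);
+SLKU(cache_lock);
+}
+free(sci);
+}
 }
 eina_hash_free(im->cache.hash);
 im->cache.hash = NULL;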
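Review bot: The membership test `(il->next) || (il->prev) || (il == cache_list)` in the second hunk reads `cache_list` and the item's link pointers before `SLKL(cache_lock)` is taken, so the check and the `eina_inlist_remove()` that follows are not atomic with respect to any other thread that modifies the list. If another thread could unlink or relink `sci` between the test and the lock, the item might be removed twice or freed while still linked, which is the use-after-free this commit sets out to close. Taking the lock first would close that window: move `SLKL(cache_lock);` above the `if` and `SLKU(cache_lock);` below its closing brace, before `free(sci);`. A short comment such as `/* sci->im may be NULL while sci is still linked in cache_list; unlink before freeing */` would also record why the guard exists. The body of evas_common_rgba_image_scalecache_dirty starts and ends outside these hunks, so whether another lock is already held at this point should be confirmed.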