Eo: Fix deref after free.

In some rare cases it was possible for a pointer to be referenced after it was already freed. This is now fixed thanks to coverity. @fix CID 1039898
2014-05-16 14:27:39 +01:00 · 2014-05-16 14:27:39 +01:00 · 831c20464d
parent 9cfb050022
commit 831c20464d
1 changed files with 10 additions and 4 deletions
--- a/src/lib/eo/eo_base_class.c
+++ b/src/lib/eo/eo_base_class.c
@ -430,11 +430,10 @@ struct _Eo_Callback_Description
 static void
 _eo_callback_remove(Private_Data *pd, Eo_Callback_Description *cb)
 {
-   Eo_Callback_Description *itr, *pitr;
+   Eo_Callback_Description *itr, *pitr, *base;

-   itr = pitr = pd->callbacks;
-   if (pd->callbacks == cb)
-      pd->callbacks = cb->next;
+   base = itr = pd->callbacks;
+   pitr = NULL;

   for ( ; itr; )
     {
@ -447,6 +446,11 @@ _eo_callback_remove(Private_Data *pd, Eo_Callback_Description *cb)
               {
                  pitr->next = titr->next;
               }
+             else
+               {
+                  /* If pitr is NULL, it means we need to update base. */
+                  base = titr->next;
+               }
             free(titr);
          }
        else
@ -454,6 +458,8 @@ _eo_callback_remove(Private_Data *pd, Eo_Callback_Description *cb)
             pitr = titr;
          }
     }
+
+   pd->callbacks = base;
 }

 /* Actually remove, doesn't care about walking list, or delete_me */