From 2791c3dc06bc1fc8f4460df9056724102d0c7c66 Mon Sep 17 00:00:00 2001
From: WooHyun Jung
Date: Tue, 11 Mar 2014 16:34:56 +0900
Subject: [PATCH] evas: Replace EINA_LIST_FOREACH_SAFE to while statement.

Clipees can be cleared before the loop is finished because evas_object_clip_unset calls smart function of clip_unset. So, if we use EINA_LIST_FOREACH_SAFE, invalid next list pointer can be kept and read after obj->clip.clipees is freed.

Thanks to Davide Andreoli for reporting.

@fix
---
 src/lib/evas/canvas/evas_object_main.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/lib/evas/canvas/evas_object_main.c b/src/lib/evas/canvas/evas_object_main.c
index ff679cbbb9..cc6c59c2d4 100644
--- a/src/lib/evas/canvas/evas_object_main.c
+++ b/src/lib/evas/canvas/evas_object_main.c
@@ -621,7 +621,6 @@ _destructor(Eo *eo_obj, void *_pd, va_list *list EINA_UNUSED)
 return;
 MAGIC_CHECK_END();
 Evas_Object_Protected_Data *obj = _pd;
- Evas_Object_Protected_Data *tmp;
 Evas_Object *proxy;
 Eina_List *l, *l2;
 
@@ -654,8 +653,14 @@ _destructor(Eo *eo_obj, void *_pd, va_list *list EINA_UNUSED)
 goto end;
 }
 evas_object_grabs_cleanup(eo_obj, obj);
- EINA_LIST_FOREACH_SAFE(obj->clip.clipees, l, l2, tmp)
- evas_object_clip_unset(tmp->object);
+ /* "while" should be used for null check of obj->clip.clipees,
+ because evas_objct_clip_unset can set null to obj->clip.clipees */
+ while (obj->clip.clipees)
+ {
+ Evas_Object_Protected_Data *tmp;
+ tmp = eina_list_data_get(obj->clip.clipees);
+ evas_object_clip_unset(tmp->object);
+ }
 EINA_LIST_FOREACH_SAFE(obj->proxy->proxies, l, l2, proxy)
 {
 if (eo_isa(proxy, EVAS_OBJ_IMAGE_CLASS))
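Review bot: The new `while (obj->clip.clipees)` loop in the second hunk only terminates if each `evas_object_clip_unset(tmp->object)` call actually unlinks `tmp` from `obj->clip.clipees`; the commit message itself notes that clip_unset dispatches to a smart-object override, and an override that returns without touching the list would leave the destructor spinning on the same head element forever, where the old EINA_LIST_FOREACH_SAFE form at least ran off the end of the list. A cheap progress guard keeps the intended null-check without that hazard: record `Eina_List *head = obj->clip.clipees;` before the call and add `if (obj->clip.clipees == head) break;` after it, so a clipee that fails to detach is left (and can be logged) instead of hanging teardown. The added comment also misspells the function it refers to: `evas_objct_clip_unset` should read `evas_object_clip_unset`. Whether any clip_unset path can legitimately leave the head in place cannot be confirmed from this hunk; `_destructor` begins and ends outside it.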