edje - signal matcvhes - fix null deref when patterns is NULL
ok. i found this once-ever-seen thing where Edje_Signal_Callback_Matches has ALL fields NULL/0 except refcount was huge (like 13834275 or something like that). i can't see why at the moment, but defend against it to avoid crashes here by handling these being null
This commit is contained in:
parent
7b20430341
commit
761d6fa192
|
@ -1442,47 +1442,47 @@ _edje_emit_cb(Edje *ed, const char *sig, const char *src, Edje_Message_Signal_Da
|
||||||
ed->walking_callbacks++;
|
ed->walking_callbacks++;
|
||||||
|
|
||||||
ssp = _edje_signal_callback_patterns_ref(ed->callbacks);
|
ssp = _edje_signal_callback_patterns_ref(ed->callbacks);
|
||||||
|
if (ssp)
|
||||||
m = (Edje_Signal_Callback_Matches *)ed->callbacks->matches;
|
|
||||||
EINA_REFCOUNT_REF(m);
|
|
||||||
|
|
||||||
callback_extra_data = (data) ? data->data : NULL;
|
|
||||||
|
|
||||||
if (eina_inarray_count(&ssp->u.callbacks.globing))
|
|
||||||
r = edje_match_callback_exec(ssp,
|
|
||||||
m->matches,
|
|
||||||
sig,
|
|
||||||
src,
|
|
||||||
ed,
|
|
||||||
prop);
|
|
||||||
|
|
||||||
if (!r)
|
|
||||||
goto break_prog;
|
|
||||||
|
|
||||||
match = edje_match_signal_source_hash_get(sig, src,
|
|
||||||
ssp->exact_match);
|
|
||||||
if (match)
|
|
||||||
{
|
{
|
||||||
const Edje_Signal_Callback_Match *cb;
|
m = (Edje_Signal_Callback_Matches *)ed->callbacks->matches;
|
||||||
unsigned int *i;
|
EINA_REFCOUNT_REF(m);
|
||||||
|
|
||||||
EINA_INARRAY_FOREACH(match, i)
|
callback_extra_data = (data) ? data->data : NULL;
|
||||||
{
|
|
||||||
if (ed->callbacks->flags[*i].delete_me) continue;
|
|
||||||
if ((prop) && (ed->callbacks->flags[*i].propagate)) continue;
|
|
||||||
|
|
||||||
cb = &m->matches[*i];
|
if (eina_inarray_count(&ssp->u.callbacks.globing))
|
||||||
|
r = edje_match_callback_exec(ssp,
|
||||||
|
m->matches,
|
||||||
|
sig,
|
||||||
|
src,
|
||||||
|
ed,
|
||||||
|
prop);
|
||||||
|
|
||||||
cb->func((void *)ed->callbacks->custom_data[*i], ed->obj, sig, src);
|
if (!r) goto break_prog;
|
||||||
if (_edje_block_break(ed))
|
|
||||||
break;
|
match = edje_match_signal_source_hash_get(sig, src,
|
||||||
}
|
ssp->exact_match);
|
||||||
}
|
if (match)
|
||||||
|
{
|
||||||
|
const Edje_Signal_Callback_Match *cb;
|
||||||
|
unsigned int *i;
|
||||||
|
|
||||||
|
EINA_INARRAY_FOREACH(match, i)
|
||||||
|
{
|
||||||
|
if (ed->callbacks->flags[*i].delete_me) continue;
|
||||||
|
if ((prop) && (ed->callbacks->flags[*i].propagate)) continue;
|
||||||
|
|
||||||
|
cb = &m->matches[*i];
|
||||||
|
|
||||||
|
cb->func((void *)ed->callbacks->custom_data[*i], ed->obj, sig, src);
|
||||||
|
if (_edje_block_break(ed)) break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
break_prog:
|
break_prog:
|
||||||
_edje_signal_callback_matches_unref(m);
|
_edje_signal_callback_matches_unref(m);
|
||||||
|
|
||||||
_edje_signal_callback_patterns_unref(ssp);
|
_edje_signal_callback_patterns_unref(ssp);
|
||||||
|
}
|
||||||
|
|
||||||
ed->walking_callbacks--;
|
ed->walking_callbacks--;
|
||||||
|
|
||||||
|
|
|
@ -406,8 +406,7 @@ _edje_signal_callback_patterns_ref(const Edje_Signal_Callback_Group *gp)
|
||||||
|
|
||||||
got_it:
|
got_it:
|
||||||
tmp = (Edje_Signal_Callback_Matches *)gp->matches;
|
tmp = (Edje_Signal_Callback_Matches *)gp->matches;
|
||||||
|
if (tmp->patterns) EINA_REFCOUNT_REF(tmp->patterns);
|
||||||
EINA_REFCOUNT_REF(tmp->patterns);
|
|
||||||
return gp->matches->patterns;
|
return gp->matches->patterns;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue