scalecache - handle possible use after free with sci still in list

the sci may still be in the list then we free it because sci->im is NULL .. it may always have been null. this should guard against that and fix it. @fix
2019-08-24 15:21:42 +01:00 · 2019-08-24 15:21:42 +01:00 · 443677c7f9
parent e7510f6770
commit 443677c7f9
1 changed files with 12 additions and 2 deletions
--- a/src/lib/evas/common/evas_image_scalecache.c
+++ b/src/lib/evas/common/evas_image_scalecache.c
@ -174,7 +174,7 @@ evas_common_rgba_image_scalecache_dirty(Image_Entry *ie)
     {
        Scaleitem *sci = im->cache.list->data;

-        im->cache.list = eina_list_remove(im->cache.list, sci);
+        im->cache.list = eina_list_remove_list(im->cache.list, im->cache.list);
        if ((sci->im) && (sci->im->cache_entry.references == 0))
          {
             SLKL(cache_lock);
@ -192,7 +192,17 @@ evas_common_rgba_image_scalecache_dirty(Image_Entry *ie)
          }

        if (!sci->im)
-          free(sci);
+          {
+             Eina_Inlist *il = (Eina_Inlist *)sci;
+
+             if ((il->next) || (il->prev) || (il == cache_list))
+               {
+                  SLKL(cache_lock);
+                  cache_list = eina_inlist_remove(cache_list, (Eina_Inlist *)sci);
+                  SLKU(cache_lock);
+               }
+             free(sci);
+          }
     }
   eina_hash_free(im->cache.hash);
   im->cache.hash = NULL;