[Bf-blender-cvs] [7ef10de] master: Fix for heap-use-after-free happening in GHOST_EventManager.
Kévin Dietrich
noreply at git.blender.org
Mon Dec 28 00:36:04 CET 2015
Commit: 7ef10decdb609b6172f78a978b75454b3014b082
Author: Kévin Dietrich
Date: Mon Dec 28 00:35:27 2015 +0100
Branches: master
https://developer.blender.org/rB7ef10decdb609b6172f78a978b75454b3014b082
Fix for heap-use-after-free happening in GHOST_EventManager.
Issue was that dispatchEvent might call removeWindowEvents/
removeTypeEvents which will delete the event before we can do so.
To address this, handled events are now put in a separate list.
Reported by psy-fi and reviewed by brecht in IRC.
===================================================================
M intern/ghost/intern/GHOST_EventManager.cpp
M intern/ghost/intern/GHOST_EventManager.h
===================================================================
diff --git a/intern/ghost/intern/GHOST_EventManager.cpp b/intern/ghost/intern/GHOST_EventManager.cpp
index bef4b0e..bc531bd 100644
--- a/intern/ghost/intern/GHOST_EventManager.cpp
+++ b/intern/ghost/intern/GHOST_EventManager.cpp
@@ -106,11 +106,10 @@ void GHOST_EventManager::dispatchEvent(GHOST_IEvent *event)
void GHOST_EventManager::dispatchEvent()
{
GHOST_IEvent *event = m_events.back();
+ m_events.pop_back();
+ m_handled_events.push_back(event);
dispatchEvent(event);
-
- m_events.pop_back();
- delete event;
}
@@ -119,6 +118,8 @@ void GHOST_EventManager::dispatchEvents()
while (!m_events.empty()) {
dispatchEvent();
}
+
+ disposeEvents();
}
@@ -213,6 +214,12 @@ void GHOST_EventManager::removeTypeEvents(GHOST_TEventType type, GHOST_IWindow *
void GHOST_EventManager::disposeEvents()
{
+ while (m_handled_events.empty() == false) {
+ GHOST_ASSERT(m_handled_events[0], "invalid event");
+ delete m_handled_events[0];
+ m_handled_events.pop_front();
+ }
+
while (m_events.empty() == false) {
GHOST_ASSERT(m_events[0], "invalid event");
delete m_events[0];
diff --git a/intern/ghost/intern/GHOST_EventManager.h b/intern/ghost/intern/GHOST_EventManager.h
index 958fc5f..ae2971e 100644
--- a/intern/ghost/intern/GHOST_EventManager.h
+++ b/intern/ghost/intern/GHOST_EventManager.h
@@ -146,6 +146,7 @@ protected:
/** The event stack. */
std::deque<GHOST_IEvent *> m_events;
+ std::deque<GHOST_IEvent *> m_handled_events;
/** A vector with event consumers. */
typedef std::vector<GHOST_IEventConsumer *> TConsumerVector;
More information about the Bf-blender-cvs
mailing list