diff options
author | Kévin Dietrich <kevin.dietrich@mailoo.org> | 2015-12-28 02:35:27 +0300 |
---|---|---|
committer | Kévin Dietrich <kevin.dietrich@mailoo.org> | 2015-12-28 02:35:47 +0300 |
commit | 7ef10decdb609b6172f78a978b75454b3014b082 (patch) | |
tree | 2738e207900c0662874a90f9818d048804ee1a4a /intern/ghost | |
parent | 540ab7a55af91ae1eca00a90cc53f293d876f5a8 (diff) |
Fix for heap-use-after-free happening in GHOST_EventManager.
Issue was that dispatchEvent might call removeWindowEvents/
removeTypeEvents which will delete the event before we can do so.
To address this, handled events are now put in a separate list.
Reported by psy-fi and reviewed by brecht in IRC.
Diffstat (limited to 'intern/ghost')
-rw-r--r-- | intern/ghost/intern/GHOST_EventManager.cpp | 13 | ||||
-rw-r--r-- | intern/ghost/intern/GHOST_EventManager.h | 1 |
2 files changed, 11 insertions, 3 deletions
diff --git a/intern/ghost/intern/GHOST_EventManager.cpp b/intern/ghost/intern/GHOST_EventManager.cpp index bef4b0e02ca..bc531bd515b 100644 --- a/intern/ghost/intern/GHOST_EventManager.cpp +++ b/intern/ghost/intern/GHOST_EventManager.cpp @@ -106,11 +106,10 @@ void GHOST_EventManager::dispatchEvent(GHOST_IEvent *event) void GHOST_EventManager::dispatchEvent() { GHOST_IEvent *event = m_events.back(); + m_events.pop_back(); + m_handled_events.push_back(event); dispatchEvent(event); - - m_events.pop_back(); - delete event; } @@ -119,6 +118,8 @@ void GHOST_EventManager::dispatchEvents() while (!m_events.empty()) { dispatchEvent(); } + + disposeEvents(); } @@ -213,6 +214,12 @@ void GHOST_EventManager::removeTypeEvents(GHOST_TEventType type, GHOST_IWindow * void GHOST_EventManager::disposeEvents() { + while (m_handled_events.empty() == false) { + GHOST_ASSERT(m_handled_events[0], "invalid event"); + delete m_handled_events[0]; + m_handled_events.pop_front(); + } + while (m_events.empty() == false) { GHOST_ASSERT(m_events[0], "invalid event"); delete m_events[0]; diff --git a/intern/ghost/intern/GHOST_EventManager.h b/intern/ghost/intern/GHOST_EventManager.h index 958fc5f9310..ae2971ea1a8 100644 --- a/intern/ghost/intern/GHOST_EventManager.h +++ b/intern/ghost/intern/GHOST_EventManager.h @@ -146,6 +146,7 @@ protected: /** The event stack. */ std::deque<GHOST_IEvent *> m_events; + std::deque<GHOST_IEvent *> m_handled_events; /** A vector with event consumers. */ typedef std::vector<GHOST_IEventConsumer *> TConsumerVector; |