From 7ef10decdb609b6172f78a978b75454b3014b082 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Dietrich?= Date: Mon, 28 Dec 2015 00:35:27 +0100 Subject: Fix for heap-use-after-free happening in GHOST_EventManager. Issue was that dispatchEvent might call removeWindowEvents/ removeTypeEvents which will delete the event before we can do so. To address this, handled events are now put in a separate list. Reported by psy-fi and reviewed by brecht in IRC. --- intern/ghost/intern/GHOST_EventManager.cpp | 13 ++++++++++--- intern/ghost/intern/GHOST_EventManager.h | 1 + 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/intern/ghost/intern/GHOST_EventManager.cpp b/intern/ghost/intern/GHOST_EventManager.cpp index bef4b0e02ca..bc531bd515b 100644 --- a/intern/ghost/intern/GHOST_EventManager.cpp +++ b/intern/ghost/intern/GHOST_EventManager.cpp @@ -106,11 +106,10 @@ void GHOST_EventManager::dispatchEvent(GHOST_IEvent *event) void GHOST_EventManager::dispatchEvent() { GHOST_IEvent *event = m_events.back(); + m_events.pop_back(); + m_handled_events.push_back(event); dispatchEvent(event); - - m_events.pop_back(); - delete event; } @@ -119,6 +118,8 @@ void GHOST_EventManager::dispatchEvents() while (!m_events.empty()) { dispatchEvent(); } + + disposeEvents(); } @@ -213,6 +214,12 @@ void GHOST_EventManager::removeTypeEvents(GHOST_TEventType type, GHOST_IWindow * void GHOST_EventManager::disposeEvents() { + while (m_handled_events.empty() == false) { + GHOST_ASSERT(m_handled_events[0], "invalid event"); + delete m_handled_events[0]; + m_handled_events.pop_front(); + } + while (m_events.empty() == false) { GHOST_ASSERT(m_events[0], "invalid event"); delete m_events[0]; diff --git a/intern/ghost/intern/GHOST_EventManager.h b/intern/ghost/intern/GHOST_EventManager.h index 958fc5f9310..ae2971ea1a8 100644 --- a/intern/ghost/intern/GHOST_EventManager.h +++ b/intern/ghost/intern/GHOST_EventManager.h 
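Review bot: In dispatchEvent(), `m_events.back()` and the newly moved `m_events.pop_back()` run with no emptiness check, and both are undefined behaviour on an empty deque. The one caller visible in this patch, dispatchEvents(), guards with `while (!m_events.empty())`, but whether dispatchEvent() can be reached from elsewhere is not visible here; if it can, `if (m_events.empty()) return;` as the first statement would make it safe. A direct caller would also leave the event in m_handled_events until something calls disposeEvents(), so a comment beside the `push_back` would help, e.g. `// ownership moves to m_handled_events; freed in disposeEvents()`.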
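Review bot: The `disposeEvents()` call added at the end of dispatchEvents() deletes everything in m_handled_events, which is only safe if dispatchEvents() is never re-entered while a consumer is still processing an event. If a consumer called from dispatchEvent(event) can trigger a nested dispatchEvents() (not visible in this patch), the inner call would free the outer event mid-dispatch and the heap-use-after-free this commit fixes would come back. Either dispose only at the outermost dispatch level, or state the constraint at the call, e.g. `// frees handled events; must not run while a consumer is still inside dispatchEvent()`. The opening of dispatchEvents() lies outside the hunk.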
@@ -146,6 +146,7 @@ protected: /** The event stack. */ std::deque m_events; + std::deque m_handled_events; /** A vector with event consumers. */ typedef std::vector TConsumerVector; -- cgit v1.2.3
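Review bot: `m_handled_events` is added directly under the `/** The event stack. */` comment with no doc comment of its own, so the header does not record what the container owns. The fix relies on dispatched events staying alive in this container until disposeEvents() deletes them, and that lifetime rule is easy to break in a later change if it is not written down. A comment above the member would capture it, e.g. `/** Events already dispatched; owned here until disposeEvents() deletes them. */`.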