blender
/
blender
129
397
Fork 571
Code Issues 6.2k Pull Requests 750 Projects 19 Wiki Activity

Fix for heap-use-after-free happening in GHOST_EventManager. 

Issue was that dispatchEvent might call removeWindowEvents/
removeTypeEvents which will delete the event before we can do so.

To address this, handled events are now put in a separate list.

Reported by psy-fi and reviewed by brecht in IRC.
This commit is contained in:
Kévin Dietrich 2015-12-28 00:35:27 +01:00
parent 540ab7a55a
commit 7ef10decdb
2 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
intern/ghost/intern/GHOST_EventManager.cpp
View File

@ -106,11 +106,10 @@ void GHOST_EventManager::dispatchEvent(GHOST_IEvent *event)
void GHOST_EventManager::dispatchEvent()
{
GHOST_IEvent *event = m_events.back();
m_events.pop_back();
m_handled_events.push_back(event);
dispatchEvent(event);
m_events.pop_back();
delete event;
}
@ -119,6 +118,8 @@ void GHOST_EventManager::dispatchEvents()
while (!m_events.empty()) {
dispatchEvent();
}
disposeEvents();
}
@ -213,6 +214,12 @@ void GHOST_EventManager::removeTypeEvents(GHOST_TEventType type, GHOST_IWindow *
void GHOST_EventManager::disposeEvents()
{
while (m_handled_events.empty() == false) {
GHOST_ASSERT(m_handled_events[0], "invalid event");
delete m_handled_events[0];
m_handled_events.pop_front();
}
while (m_events.empty() == false) {
GHOST_ASSERT(m_events[0], "invalid event");
delete m_events[0];

1
intern/ghost/intern/GHOST_EventManager.h
View File

@ -146,6 +146,7 @@ protected:
/** The event stack. */
std::deque<GHOST_IEvent *> m_events;
std::deque<GHOST_IEvent *> m_handled_events;
/** A vector with event consumers. */
typedef std::vector<GHOST_IEventConsumer *> TConsumerVector;