Changeset 0415776 in mainline

Timestamp:

2022-05-24T14:21:32Z (2 years ago)

Author:

Jiri Svoboda <jiri@…>

Branches:

master, ticket/834-toolchain-update, topic/msim-upgrade, topic/simplify-dev-export

Children:

174be87

Parents:

8b22d44

git-author:

Jiri Svoboda <jiri@…> (2022-05-23 17:21:15)

git-committer:

Jiri Svoboda <jiri@…> (2022-05-24 14:21:32)

Message:

Prevent use after free when destroying window

Cannot access window after return from event handler (where it could
have been destroyed), cannot deliver event to window if it was
already claimed by window decoration.

File:

• uspace/lib/ui/src/window.c (modified) (12 diffs)

uspace/lib/ui/src/window.c

@@ -400 +400 @@
         ui_wdecor_destroy(window->wdecor);
         ui_resource_destroy(window->res);
-        if (0 && window->app_mgc != NULL)
+        if (window->app_mgc != NULL)
                 mem_gc_delete(window->app_mgc);
-        if (0 && window->app_bmp != NULL)
+        if (window->app_bmp != NULL)
                 gfx_bitmap_destroy(window->app_bmp);
         if (window->mgc != NULL) {
@@ -413 +413 @@
                 display_window_destroy(window->dwindow);
 
-        free(window);
-
         /* Need to repaint if windows are emulated */
         if (ui_is_fullscreen(ui)) {
@@ -424 +422 @@
                 (void) console_set_caption(ui->console, "");
         }
+
+        free(window);
 }
 
@@ -810 +810 @@
 {
         ui_window_t *window = (ui_window_t *) arg;
-
-        ui_lock(window->ui);
+        ui_t *ui = window->ui;
+
+        ui_lock(ui);
 
         if (window->wdecor != NULL) {
@@ -819 +820 @@
 
         ui_window_send_focus(window);
-        ui_unlock(window->ui);
+        ui_unlock(ui);
 }
 
@@ -826 +827 @@
 {
         ui_window_t *window = (ui_window_t *) arg;
-
-        ui_lock(window->ui);
+        ui_t *ui = window->ui;
+
+        ui_lock(ui);
         ui_window_send_kbd(window, kbd_event);
-        ui_unlock(window->ui);
+        ui_unlock(ui);
 }
 
@@ -836 +838 @@
 {
         ui_window_t *window = (ui_window_t *) arg;
+        ui_t *ui = window->ui;
+        ui_evclaim_t claim;
 
         /* Make sure we don't process events until fully initialized */
@@ -841 +845 @@
                 return;
 
-        ui_lock(window->ui);
-        ui_wdecor_pos_event(window->wdecor, event);
+        ui_lock(ui);
+
+        claim = ui_wdecor_pos_event(window->wdecor, event);
+        if (claim == ui_claimed) {
+                ui_unlock(ui);
+                return;
+        }
+
         ui_window_send_pos(window, event);
-        ui_unlock(window->ui);
+        ui_unlock(ui);
 }
 
@@ -851 +861 @@
 {
         ui_window_t *window = (ui_window_t *) arg;
+        ui_t *ui = window->ui;
 
         /* Make sure we don't process events until fully initialized */
@@ -859 +870 @@
                 return;
 
-        ui_lock(window->ui);
+        ui_lock(ui);
         (void) ui_window_resize(window, rect);
         (void) ui_window_paint(window);
-        ui_unlock(window->ui);
+        ui_unlock(ui);
 }
 
@@ -869 +880 @@
 {
         ui_window_t *window = (ui_window_t *) arg;
-
-        ui_lock(window->ui);
+        ui_t *ui = window->ui;
+
+        ui_lock(ui);
 
         if (window->wdecor != NULL) {
@@ -878 +890 @@
 
         ui_window_send_unfocus(window);
-        ui_unlock(window->ui);
+        ui_unlock(ui);
 }