diff options
author | dgp <dgp@users.sourceforge.net> | 2017-04-06 16:08:17 (GMT) |
---|---|---|
committer | dgp <dgp@users.sourceforge.net> | 2017-04-06 16:08:17 (GMT) |
commit | 022b25baf0934b5ec3218354645491aea7674b5b (patch) | |
tree | 1db2f7d56d7eea41497b364d96ff3dfef78f40f2 | |
parent | b067e33b380775ccdb269def17dfb8699f22bf5a (diff) | |
download | tk-022b25baf0934b5ec3218354645491aea7674b5b.zip tk-022b25baf0934b5ec3218354645491aea7674b5b.tar.gz tk-022b25baf0934b5ec3218354645491aea7674b5b.tar.bz2 |
[db8c541b6b] Prevent access of freed memory in warp pointer callbacks.
-rw-r--r-- | generic/tkBind.c | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/generic/tkBind.c b/generic/tkBind.c index 567c51f..61b44df 100644 --- a/generic/tkBind.c +++ b/generic/tkBind.c @@ -3466,12 +3466,28 @@ HandleEventGenerate( if ((warp != 0) && Tk_IsMapped(tkwin)) { TkDisplay *dispPtr = TkGetDisplay(event.general.xmotion.display); + /* + * TODO: No protection is in place to handle dispPtr destruction + * before DoWarp is called back. + */ + + Tk_Window warpWindow = Tk_IdToWindow(dispPtr->display, + event.general.xmotion.window); + if (!(dispPtr->flags & TK_DISPLAY_IN_WARP)) { Tcl_DoWhenIdle(DoWarp, dispPtr); dispPtr->flags |= TK_DISPLAY_IN_WARP; } - dispPtr->warpWindow = Tk_IdToWindow(dispPtr->display, - event.general.xmotion.window); + + if (warpWindow != dispPtr->warpWindow) { + if (warpWindow) { + Tcl_Preserve(warpWindow); + } + if (dispPtr->warpWindow) { + Tcl_Release(dispPtr->warpWindow); + } + dispPtr->warpWindow = warpWindow; + } dispPtr->warpMainwin = mainWin; dispPtr->warpX = event.general.xmotion.x; dispPtr->warpY = event.general.xmotion.y; @@ -3559,6 +3575,11 @@ DoWarp( TkpWarpPointer(dispPtr); XForceScreenSaver(dispPtr->display, ScreenSaverReset); } + + if (dispPtr->warpWindow) { + Tcl_Release(dispPtr->warpWindow); + dispPtr->warpWindow = None; + } dispPtr->flags &= ~TK_DISPLAY_IN_WARP; } |