summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordgp <dgp@users.sourceforge.net>2017-04-06 16:08:17 (GMT)
committerdgp <dgp@users.sourceforge.net>2017-04-06 16:08:17 (GMT)
commit022b25baf0934b5ec3218354645491aea7674b5b (patch)
tree1db2f7d56d7eea41497b364d96ff3dfef78f40f2
parentb067e33b380775ccdb269def17dfb8699f22bf5a (diff)
downloadtk-022b25baf0934b5ec3218354645491aea7674b5b.zip
tk-022b25baf0934b5ec3218354645491aea7674b5b.tar.gz
tk-022b25baf0934b5ec3218354645491aea7674b5b.tar.bz2
[db8c541b6b] Prevent access of freed memory in warp pointer callbacks.
-rw-r--r--generic/tkBind.c25
1 files changed, 23 insertions, 2 deletions
diff --git a/generic/tkBind.c b/generic/tkBind.c
index 567c51f..61b44df 100644
--- a/generic/tkBind.c
+++ b/generic/tkBind.c
@@ -3466,12 +3466,28 @@ HandleEventGenerate(
if ((warp != 0) && Tk_IsMapped(tkwin)) {
TkDisplay *dispPtr = TkGetDisplay(event.general.xmotion.display);
+ /*
+ * TODO: No protection is in place to handle dispPtr destruction
+ * before DoWarp is called back.
+ */
+
+ Tk_Window warpWindow = Tk_IdToWindow(dispPtr->display,
+ event.general.xmotion.window);
+
if (!(dispPtr->flags & TK_DISPLAY_IN_WARP)) {
Tcl_DoWhenIdle(DoWarp, dispPtr);
dispPtr->flags |= TK_DISPLAY_IN_WARP;
}
- dispPtr->warpWindow = Tk_IdToWindow(dispPtr->display,
- event.general.xmotion.window);
+
+ if (warpWindow != dispPtr->warpWindow) {
+ if (warpWindow) {
+ Tcl_Preserve(warpWindow);
+ }
+ if (dispPtr->warpWindow) {
+ Tcl_Release(dispPtr->warpWindow);
+ }
+ dispPtr->warpWindow = warpWindow;
+ }
dispPtr->warpMainwin = mainWin;
dispPtr->warpX = event.general.xmotion.x;
dispPtr->warpY = event.general.xmotion.y;
@@ -3559,6 +3575,11 @@ DoWarp(
TkpWarpPointer(dispPtr);
XForceScreenSaver(dispPtr->display, ScreenSaverReset);
}
+
+ if (dispPtr->warpWindow) {
+ Tcl_Release(dispPtr->warpWindow);
+ dispPtr->warpWindow = None;
+ }
dispPtr->flags &= ~TK_DISPLAY_IN_WARP;
}