summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordgp <dgp@users.sourceforge.net>2017-04-06 16:11:23 (GMT)
committerdgp <dgp@users.sourceforge.net>2017-04-06 16:11:23 (GMT)
commit66a10ff67767d18fd3e4892be3e49fc6e1a0273e (patch)
tree980ba26456d78fec4e7a7eb51ba971069235d15c
parentbec073280438947bc41ae54d977899ea3adc5575 (diff)
parent022b25baf0934b5ec3218354645491aea7674b5b (diff)
downloadtk-66a10ff67767d18fd3e4892be3e49fc6e1a0273e.zip
tk-66a10ff67767d18fd3e4892be3e49fc6e1a0273e.tar.gz
tk-66a10ff67767d18fd3e4892be3e49fc6e1a0273e.tar.bz2
[db8c541b6b] Prevent access of freed memory in warp pointer callbacks.
-rw-r--r--generic/tkBind.c25
1 files changed, 23 insertions, 2 deletions
diff --git a/generic/tkBind.c b/generic/tkBind.c
index 8a6fc56..aaa5386 100644
--- a/generic/tkBind.c
+++ b/generic/tkBind.c
@@ -3466,12 +3466,28 @@ HandleEventGenerate(
if ((warp != 0) && Tk_IsMapped(tkwin)) {
TkDisplay *dispPtr = TkGetDisplay(event.general.xmotion.display);
+ /*
+ * TODO: No protection is in place to handle dispPtr destruction
+ * before DoWarp is called back.
+ */
+
+ Tk_Window warpWindow = Tk_IdToWindow(dispPtr->display,
+ event.general.xmotion.window);
+
if (!(dispPtr->flags & TK_DISPLAY_IN_WARP)) {
Tcl_DoWhenIdle(DoWarp, dispPtr);
dispPtr->flags |= TK_DISPLAY_IN_WARP;
}
- dispPtr->warpWindow = Tk_IdToWindow(dispPtr->display,
- event.general.xmotion.window);
+
+ if (warpWindow != dispPtr->warpWindow) {
+ if (warpWindow) {
+ Tcl_Preserve(warpWindow);
+ }
+ if (dispPtr->warpWindow) {
+ Tcl_Release(dispPtr->warpWindow);
+ }
+ dispPtr->warpWindow = warpWindow;
+ }
dispPtr->warpMainwin = mainWin;
dispPtr->warpX = event.general.xmotion.x;
dispPtr->warpY = event.general.xmotion.y;
@@ -3559,6 +3575,11 @@ DoWarp(
TkpWarpPointer(dispPtr);
XForceScreenSaver(dispPtr->display, ScreenSaverReset);
}
+
+ if (dispPtr->warpWindow) {
+ Tcl_Release(dispPtr->warpWindow);
+ dispPtr->warpWindow = None;
+ }
dispPtr->flags &= ~TK_DISPLAY_IN_WARP;
}