summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorjenglish <jenglish@flightlab.com>2003-10-06 21:19:30 (GMT)
committerjenglish <jenglish@flightlab.com>2003-10-06 21:19:30 (GMT)
commitf596f8dd798e66df1bc22a543fba38f3d36f1cc9 (patch)
tree5b27d2b782df88e4d4ad5aa773af5bb26202034a
parent69baf768e2f48d48b91bad42ea851df7b22a6849 (diff)
downloadtk-f596f8dd798e66df1bc22a543fba38f3d36f1cc9.zip
tk-f596f8dd798e66df1bc22a543fba38f3d36f1cc9.tar.gz
tk-f596f8dd798e66df1bc22a543fba38f3d36f1cc9.tar.bz2
Fix double-free in style engine [Bug #798211]
-rw-r--r--ChangeLog3
-rw-r--r--generic/tkStyle.c127
2 files changed, 15 insertions, 115 deletions
diff --git a/ChangeLog b/ChangeLog
index f6119a8..ffc1021 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2003-10-06 Joe English <jenglish@users.sourceforge.net>
+ * generic/tkStyle.c: Fix double-free in style engine [Bug #798211]
+
2003-10-06 Jeff Hobbs <jeffh@ActiveState.com>
* win/configure:
diff --git a/generic/tkStyle.c b/generic/tkStyle.c
index 81fb120..ccbb9a5 100644
--- a/generic/tkStyle.c
+++ b/generic/tkStyle.c
@@ -9,7 +9,7 @@
* See the file "license.terms" for information on usage and redistribution
* of this file, and for a DISCLAIMER OF ALL WARRANTIES.
*
- * RCS: @(#) $Id: tkStyle.c,v 1.3 2002/08/05 04:30:40 dgp Exp $
+ * RCS: @(#) $Id: tkStyle.c,v 1.4 2003/10/06 21:19:30 jenglish Exp $
*/
#include "tkInt.h"
@@ -77,11 +77,6 @@ typedef struct StyleEngine {
*/
typedef struct Style {
- int refCount; /* Number of active uses of this style.
- * If this count is 0, then this Style
- * structure is no longer valid. */
- Tcl_HashEntry *hashPtr; /* Entry in style table for this structure,
- * used when deleting it. */
CONST char *name; /* Name of style. Points to a hash key. */
StyleEngine *enginePtr; /* Style engine of which the style is an
* instance. */
@@ -133,7 +128,6 @@ static int CreateElement _ANSI_ARGS_((CONST char *name,
static void DupStyleObjProc _ANSI_ARGS_((Tcl_Obj *srcObjPtr,
Tcl_Obj *dupObjPtr));
static void FreeElement _ANSI_ARGS_((Element *elementPtr));
-static void FreeStyle _ANSI_ARGS_((Style *stylePtr));
static void FreeStyledElement _ANSI_ARGS_((
StyledElement *elementPtr));
static void FreeStyleEngine _ANSI_ARGS_((
@@ -149,7 +143,7 @@ static void InitElement _ANSI_ARGS_((Element *elementPtr,
CONST char *name, int id, int genericId,
int created));
static void InitStyle _ANSI_ARGS_((Style *stylePtr,
- Tcl_HashEntry *hashPtr, CONST char *name,
+ CONST char *name,
StyleEngine *enginePtr, ClientData clientData));
static void InitStyledElement _ANSI_ARGS_((
StyledElement *elementPtr));
@@ -1239,8 +1233,7 @@ Tk_DrawElement(style, element, recordPtr, tkwin, d, x, y, width, height, state)
* The newly allocated style.
*
* Side effects:
- * Memory allocated. Data added to thread-local table. The style's
- * refCount is incremented.
+ * Memory allocated. Data added to thread-local table.
*
*---------------------------------------------------------------------------
*/
@@ -1277,10 +1270,9 @@ Tk_CreateStyle(name, engine, clientData)
*/
stylePtr = (Style *) ckalloc(sizeof(Style));
- InitStyle(stylePtr, entryPtr, Tcl_GetHashKey(&tsdPtr->styleTable, entryPtr),
+ InitStyle(stylePtr, Tcl_GetHashKey(&tsdPtr->styleTable, entryPtr),
(engine?(StyleEngine *) engine:tsdPtr->defaultEnginePtr), clientData);
Tcl_SetHashValue(entryPtr, (ClientData) stylePtr);
- stylePtr->refCount++;
return (Tk_Style) stylePtr;
}
@@ -1330,17 +1322,14 @@ Tk_NameOfStyle(style)
*/
static void
-InitStyle(stylePtr, hashPtr, name, enginePtr, clientData)
+InitStyle(stylePtr, name, enginePtr, clientData)
Style *stylePtr; /* Points to an uninitialized style. */
- Tcl_HashEntry *hashPtr; /* Hash entry for the registered style. */
CONST char *name; /* Name of the registered style. NULL or empty
* means the default system style. Usually
* points to the hash key. */
StyleEngine *enginePtr; /* The style engine. */
ClientData clientData; /* Private data passed as is to engine code. */
{
- stylePtr->refCount = 0;
- stylePtr->hashPtr = hashPtr;
stylePtr->name = name;
stylePtr->enginePtr = enginePtr;
stylePtr->clientData = clientData;
@@ -1349,29 +1338,6 @@ InitStyle(stylePtr, hashPtr, name, enginePtr, clientData)
/*
*---------------------------------------------------------------------------
*
- * FreeStyle --
- *
- * Free a style and its associated data.
- *
- * Results:
- * None
- *
- * Side effects:
- * None.
- *
- *---------------------------------------------------------------------------
- */
-
-static void
-FreeStyle(stylePtr)
- Style *stylePtr; /* The style to free. */
-{
- /* Nothing to do. */
-}
-
-/*
- *---------------------------------------------------------------------------
- *
* Tk_GetStyle --
*
* Retrieve a registered style by its name.
@@ -1410,7 +1376,6 @@ Tk_GetStyle(interp, name)
return (Tk_Style) NULL;
}
stylePtr = (Style *) Tcl_GetHashValue(entryPtr);
- stylePtr->refCount++;
return (Tk_Style) stylePtr;
}
@@ -1420,44 +1385,15 @@ Tk_GetStyle(interp, name)
*
* Tk_FreeStyle --
*
- * Free a style previously created by Tk_CreateStyle.
- *
- * Results:
- * None
- *
- * Side effects:
- * The style's refCount is decremented. If it reaches zero, the style
- * is freed.
+ * No-op. Present only for stubs compatibility.
*
*---------------------------------------------------------------------------
*/
void
Tk_FreeStyle(style)
- Tk_Style style; /* The style to free. */
+ Tk_Style style;
{
- Style *stylePtr = (Style *) style;
-
- if (stylePtr == NULL) {
- return;
- }
- stylePtr->refCount--;
- if (stylePtr->refCount > 0) {
- return;
- }
-
- /*
- * Keep the default style alive.
- */
-
- if (*stylePtr->name == '\0') {
- stylePtr->refCount = 1;
- return;
- }
-
- Tcl_DeleteHashEntry(stylePtr->hashPtr);
- FreeStyle(stylePtr);
- ckfree((char *) stylePtr);
}
/*
@@ -1473,12 +1409,6 @@ Tk_FreeStyle(style)
* NULL if none found. If NULL is returned, an error message will be
* left in interp's result object.
*
- * Side effects:
- * The style's reference count is incremented. For each call to this
- * procedure, there should eventually be a call to Tk_FreeStyle() or
- * Tk_FreeStyleFromObj() so that the database is cleaned up when styles
- * aren't in use anymore.
- *
*---------------------------------------------------------------------------
*/
@@ -1495,7 +1425,6 @@ Tk_AllocStyleFromObj(interp, objPtr)
stylePtr = (Style *) objPtr->internalRep.otherValuePtr;
} else {
stylePtr = (Style *) objPtr->internalRep.otherValuePtr;
- stylePtr->refCount++;
}
return (Tk_Style) stylePtr;
@@ -1536,25 +1465,14 @@ Tk_GetStyleFromObj(objPtr)
*
* Tk_FreeStyleFromObj --
*
- * Called to release a style inside a Tcl_Obj *.
- *
- * Results:
- * None.
- *
- * Side effects:
- * If the object is a style ref, the conversion will free its
- * internal representation.
+ * No-op. Present only for stubs compatibility.
*
*---------------------------------------------------------------------------
*/
-
void
Tk_FreeStyleFromObj(objPtr)
- Tcl_Obj *objPtr; /* The Tcl_Obj * to be freed. */
+ Tcl_Obj *objPtr;
{
- if (objPtr->typePtr == &styleObjType) {
- FreeStyleObjProc(objPtr);
- }
}
/*
@@ -1572,7 +1490,6 @@ Tk_FreeStyleFromObj(objPtr)
*
* Side effects:
* The object is left with its typePtr pointing to styleObjType.
- * The reference count is incremented (in Tk_GetStyle()).
*
*----------------------------------------------------------------------
*/
@@ -1612,9 +1529,6 @@ SetStyleFromAny(interp, objPtr)
* Results:
* None.
*
- * Side effects:
- * The reference count is decremented (in Tk_FreeStyle()).
- *
*---------------------------------------------------------------------------
*/
@@ -1622,12 +1536,8 @@ static void
FreeStyleObjProc(objPtr)
Tcl_Obj *objPtr; /* The object we are releasing. */
{
- Style *stylePtr = (Style *) objPtr->internalRep.otherValuePtr;
-
- if (stylePtr != NULL) {
- Tk_FreeStyle((Tk_Style) stylePtr);
- objPtr->internalRep.otherValuePtr = NULL;
- }
+ objPtr->internalRep.otherValuePtr = NULL;
+ objPtr->typePtr = NULL;
}
/*
@@ -1638,13 +1548,6 @@ FreeStyleObjProc(objPtr)
* When a cached style object is duplicated, this is called to
* update the internal reps.
*
- * Results:
- * None.
- *
- * Side effects:
- * The style's refCount is incremented and the internal rep of the copy
- * is set to point to it.
- *
*---------------------------------------------------------------------------
*/
@@ -1653,12 +1556,6 @@ DupStyleObjProc(srcObjPtr, dupObjPtr)
Tcl_Obj *srcObjPtr; /* The object we are copying from. */
Tcl_Obj *dupObjPtr; /* The object we are copying to. */
{
- Style *stylePtr = (Style *) srcObjPtr->internalRep.otherValuePtr;
-
dupObjPtr->typePtr = srcObjPtr->typePtr;
- dupObjPtr->internalRep.otherValuePtr = (VOID *) stylePtr;
-
- if (stylePtr != NULL) {
- stylePtr->refCount++;
- }
+ dupObjPtr->internalRep.otherValuePtr=srcObjPtr->internalRep.otherValuePtr;
}