From 022b25baf0934b5ec3218354645491aea7674b5b Mon Sep 17 00:00:00 2001
From: dgp
Date: Thu, 6 Apr 2017 16:08:17 +0000
Subject: [db8c541b6b] Prevent access of freed memory in warp pointer callbacks.
---
 generic/tkBind.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/generic/tkBind.c b/generic/tkBind.c
index 567c51f..61b44df 100644
--- a/generic/tkBind.c
+++ b/generic/tkBind.c
@@ -3466,12 +3466,28 @@ HandleEventGenerate(
 if ((warp != 0) && Tk_IsMapped(tkwin)) {
 TkDisplay *dispPtr = TkGetDisplay(event.general.xmotion.display);
+ /*
+ * TODO: No protection is in place to handle dispPtr destruction
+ * before DoWarp is called back.
+ */
+
+ Tk_Window warpWindow = Tk_IdToWindow(dispPtr->display,
+ event.general.xmotion.window);
+
 if (!(dispPtr->flags & TK_DISPLAY_IN_WARP)) {
 Tcl_DoWhenIdle(DoWarp, dispPtr);
 dispPtr->flags |= TK_DISPLAY_IN_WARP;
 }
- dispPtr->warpWindow = Tk_IdToWindow(dispPtr->display,
- event.general.xmotion.window);
+
+ if (warpWindow != dispPtr->warpWindow) {
+ if (warpWindow) {
+ Tcl_Preserve(warpWindow);
+ }
+ if (dispPtr->warpWindow) {
+ Tcl_Release(dispPtr->warpWindow);
+ }
+ dispPtr->warpWindow = warpWindow;
+ }
 dispPtr->warpMainwin = mainWin;
 dispPtr->warpX = event.general.xmotion.x;
 dispPtr->warpY = event.general.xmotion.y;
@@ -3559,6 +3575,11 @@ DoWarp(
 TkpWarpPointer(dispPtr);
 XForceScreenSaver(dispPtr->display, ScreenSaverReset);
 }
+
+ if (dispPtr->warpWindow) {
+ Tcl_Release(dispPtr->warpWindow);
+ dispPtr->warpWindow = None;
+ }
 dispPtr->flags &= ~TK_DISPLAY_IN_WARP;
 }
--
cgit v0.12
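Review bot: The idle callback queued by `Tcl_DoWhenIdle(DoWarp, dispPtr);` still receives a raw `dispPtr`, and the added TODO confirms nothing keeps the display record alive until DoWarp runs, so the stale-pointer access this commit closes for `warpWindow` remains possible for the display itself. The display teardown path (not in this diff) should cancel the pending callback with `Tcl_CancelIdleCall(DoWarp, dispPtr);` and release any `warpWindow` still held, otherwise the reference taken by `Tcl_Preserve(warpWindow)` is never dropped. If DoWarp is file-local to tkBind.c, this presumably needs a small exported helper that teardown can call. The body of HandleEventGenerate starts and ends outside the hunk.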
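Review bot: `dispPtr->warpWindow = None;` clears a `Tk_Window` pointer with the X11 XID constant `None`; it compiles only because `None` expands to a zero constant, and should read `dispPtr->warpWindow = NULL;`. Separately, `Tcl_Preserve` only defers freeing of the window record and does not stop the window from being destroyed before the idle callback fires. The `TkpWarpPointer(dispPtr)` call above the release should therefore be guarded by a check that `warpWindow` is still a live, mapped window; whether the part of DoWarp outside this hunk already does so is not visible here. A short comment at the release, such as `/* Drop the reference taken in HandleEventGenerate. */`, would make the Preserve/Release pairing across the two functions explicit.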