Prevent gaschange tank icons from using garbage coords.

Tank icons were shown at incorrect spots on the profile when the DiveEventItem object held a pointer to a struct event even after the struct event at that address had been freed. When internalEvent is a pointer to freed memory, internalEvent->time.seconds could have all kinds of crazy values, which get used in member function DiveEventItem::recalculatePos to place the tank at bad x coordinates. The DiveEventItem(s) no longer store a pointer to memory that they do not own. This way, no matter how the path of execution arrives into slot recalculatePos, we never need fear that the DiveEventItem will dereference a garbage pointer to a struct event. Fixes #968 Signed-off-by: K. Heller <pestophagous@gmail.com> Signed-off-by: Dirk Hohndel <dirk@hohndel.org>
2024-11-28 05:00:20 +00:00 · 2015-12-03 21:42:23 -08:00 · 2015-12-03 21:42:23 -08:00 · 2778470b97
commit 2778470b97
parent b0063e5d1a
4 changed files with 26 additions and 4 deletions
--- a/profile-widget/diveeventitem.cpp
+++ b/profile-widget/diveeventitem.cpp
@ -19,6 +19,10 @@ DiveEventItem::DiveEventItem(QObject *parent) : DivePixmapItem(parent),
 	setFlag(ItemIgnoresTransformations);
 }

+DiveEventItem::~DiveEventItem()
+{
+	free(internalEvent);
+}

 void DiveEventItem::setHorizontalAxis(DiveCartesianAxis *axis)
 {
@ -48,7 +52,9 @@ void DiveEventItem::setEvent(struct event *ev)
 {
 	if (!ev)
 		return;
-	internalEvent = ev;
+
+	free(internalEvent);
+	internalEvent = clone_event(ev);
 	setupPixmap();
 	setupToolTipString();
 	recalculatePos(true);
--- a/profile-widget/diveeventitem.h
+++ b/profile-widget/diveeventitem.h
@ -11,6 +11,7 @@ class DiveEventItem : public DivePixmapItem {
 	Q_OBJECT
 public:
 	DiveEventItem(QObject *parent = 0);
+	virtual ~DiveEventItem();
 	void setEvent(struct event *ev);
 	struct event *getEvent();
 	void eventVisibilityChanged(const QString &eventName, bool visible);
--- a/subsurface-core/dive.c
+++ b/subsurface-core/dive.c
@ -525,6 +525,22 @@ void selective_copy_dive(struct dive *s, struct dive *d, struct dive_components
 }
 #undef CONDITIONAL_COPY_STRING

+struct event *clone_event(const struct event *src_ev)
+{
+	struct event *ev;
+	if (!src_ev)
+		return NULL;
+
+	size_t size = sizeof(*src_ev) + strlen(src_ev->name) + 1;
+	ev = (struct event*) malloc(size);
+	if (!ev)
+		exit(1);
+	memcpy(ev, src_ev, size);
+	ev->next = NULL;
+
+	return ev;
+}
+
 /* copies all events in this dive computer */
 void copy_events(struct divecomputer *s, struct divecomputer *d)
 {
@ -534,9 +550,7 @@ void copy_events(struct divecomputer *s, struct divecomputer *d)
 	ev = s->events;
 	pev = &d->events;
 	while (ev != NULL) {
-		int size = sizeof(*ev) + strlen(ev->name) + 1;
-		struct event *new_ev = malloc(size);
-		memcpy(new_ev, ev, size);
+		struct event *new_ev = clone_event(ev);
 		*pev = new_ev;
 		pev = &new_ev->next;
 		ev = ev->next;
--- a/subsurface-core/dive.h
+++ b/subsurface-core/dive.h
@ -726,6 +726,7 @@ extern int split_dive(struct dive *);
 extern struct dive *merge_dives(struct dive *a, struct dive *b, int offset, bool prefer_downloaded);
 extern struct dive *try_to_merge(struct dive *a, struct dive *b, bool prefer_downloaded);
 extern void renumber_dives(int start_nr, bool selected_only);
+extern struct event *clone_event(const struct event *src_ev);
 extern void copy_events(struct divecomputer *s, struct divecomputer *d);
 extern void free_events(struct event *ev);
 extern void copy_cylinders(struct dive *s, struct dive *d, bool used_only);