From 2778470b9755af2349a70f127e208750afda7725 Mon Sep 17 00:00:00 2001
From: "K. \\\"pestophagous\\\" Heller"
Date: Thu, 3 Dec 2015 21:42:23 -0800
Subject: [PATCH] Prevent gaschange tank icons from using garbage coords.

Tank icons were shown at incorrect spots on the profile when the DiveEventItem object held a pointer to a struct event even after the struct event at that address had been freed. When internalEvent is a pointer to freed memory, internalEvent->time.seconds could have all kinds of crazy values, which get used in member function DiveEventItem::recalculatePos to place the tank at bad x coordinates. The DiveEventItem(s) no longer store a pointer to memory that they do not own. This way, no matter how the path of execution arrives into slot recalculatePos, we never need fear that the DiveEventItem will dereference a garbage pointer to a struct event.

Fixes #968

Signed-off-by: K. Heller
Signed-off-by: Dirk Hohndel
---
 profile-widget/diveeventitem.cpp | 8 +++++++-
 profile-widget/diveeventitem.h | 1 +
 subsurface-core/dive.c | 20 +++++++++++++++++---
 subsurface-core/dive.h | 1 +
 4 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/profile-widget/diveeventitem.cpp b/profile-widget/diveeventitem.cpp
index 0bbc84267..083c8b5b8 100644
--- a/profile-widget/diveeventitem.cpp
+++ b/profile-widget/diveeventitem.cpp
@@ -19,6 +19,10 @@ DiveEventItem::DiveEventItem(QObject *parent) : DivePixmapItem(parent),
 	setFlag(ItemIgnoresTransformations);
 }
 
+DiveEventItem::~DiveEventItem()
+{
+	free(internalEvent);
+}
 
 void DiveEventItem::setHorizontalAxis(DiveCartesianAxis *axis)
 {
@@ -48,7 +52,9 @@ void DiveEventItem::setEvent(struct event *ev)
 {
 	if (!ev)
 		return;
-	internalEvent = ev;
+
+	free(internalEvent);
+	internalEvent = clone_event(ev);
 	setupPixmap();
 	setupToolTipString();
 	recalculatePos(true);
diff --git a/profile-widget/diveeventitem.h b/profile-widget/diveeventitem.h
index f358fee6d..9d6ad5d26 100644
--- a/profile-widget/diveeventitem.h
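Review bot: The new destructor's `free(internalEvent)` is only safe if the constructor sets `internalEvent` to NULL, and the initializer list shown in the hunk header (`: DivePixmapItem(parent),`) is cut off before that, so this hunk does not show it; since `setEvent()` now also free()s the previous value on every call, an uninitialised member would be handed to free() on the very first call. If the constructor does not already do so, add `internalEvent(NULL)` to its initializer list, or `internalEvent = NULL;` in its body. A one-line comment above the destructor, `// internalEvent is our own clone_event() copy, never the dive's event; release it here`, would record the ownership this commit introduces. The constructor body begins before this hunk.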
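Review bot: After this change `getEvent()` hands out the private clone rather than the dive's own `struct event`, so any caller that compares that pointer against the dive computer's event list, or passes it to a routine that unlinks or edits the original, will silently stop matching; those callers are outside this diff and are worth checking, and because clone_event() sets `next` to NULL the copy cannot be used to walk the list either. The early `return` on a NULL `ev` also leaves the previously cloned event installed, which may be intended but is undocumented. I would add above the `free(internalEvent);` line: `// keep a private deep copy; getEvent() returns this copy, not the event owned by the dive`. The function's closing brace is outside the hunk.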
+++ b/profile-widget/diveeventitem.h
@@ -11,6 +11,7 @@ class DiveEventItem : public DivePixmapItem {
 	Q_OBJECT
 public:
 	DiveEventItem(QObject *parent = 0);
+	virtual ~DiveEventItem();
 	void setEvent(struct event *ev);
 	struct event *getEvent();
 	void eventVisibilityChanged(const QString &eventName, bool visible);
diff --git a/subsurface-core/dive.c b/subsurface-core/dive.c
index 52175db71..46129b86a 100644
--- a/subsurface-core/dive.c
+++ b/subsurface-core/dive.c
@@ -525,6 +525,22 @@ void selective_copy_dive(struct dive *s, struct dive *d, struct dive_components
 }
 #undef CONDITIONAL_COPY_STRING
 
+struct event *clone_event(const struct event *src_ev)
+{
+	struct event *ev;
+	if (!src_ev)
+		return NULL;
+
+	size_t size = sizeof(*src_ev) + strlen(src_ev->name) + 1;
+	ev = (struct event*) malloc(size);
+	if (!ev)
+		exit(1);
+	memcpy(ev, src_ev, size);
+	ev->next = NULL;
+
+	return ev;
+}
+
 /* copies all events in this dive computer */
 void copy_events(struct divecomputer *s, struct divecomputer *d)
 {
@@ -534,9 +550,7 @@ void copy_events(struct divecomputer *s, struct divecomputer *d)
 	ev = s->events;
 	pev = &d->events;
 	while (ev != NULL) {
-		int size = sizeof(*ev) + strlen(ev->name) + 1;
-		struct event *new_ev = malloc(size);
-		memcpy(new_ev, ev, size);
+		struct event *new_ev = clone_event(ev);
 		*pev = new_ev;
 		pev = &new_ev->next;
 		ev = ev->next;
diff --git a/subsurface-core/dive.h b/subsurface-core/dive.h
index 3ff262e96..ff7dbd2be 100644
--- a/subsurface-core/dive.h
+++ b/subsurface-core/dive.h
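Review bot: `getEvent()` now returns a heap copy owned by the item, but its declaration on the line after the new destructor still reads as if it returned the dive's event, so a comment there would stop callers from treating the result as a handle into the dive's event list: `struct event *getEvent(); // the item's private clone_event() copy, freed in ~DiveEventItem(); not the dive's event`. Because the class carries `Q_OBJECT` it presumably derives from QObject through DivePixmapItem, in which case copying is already disabled and no copy-constructor/assignment deletion is needed for the newly owned pointer, but that base relationship is not visible in this hunk. The `virtual` keyword is harmless but redundant if the base already has a virtual destructor; `~DiveEventItem() override;` would make that dependency explicit if the project builds as C++11.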
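Review bot: `clone_event()` calls `exit(1)` when malloc fails, so a core-library helper now terminates the whole application rather than reporting the failure; this is stricter than the unchecked malloc it replaces in copy_events(), but it means callers such as DiveEventItem::setEvent() can never see a NULL return for a non-NULL input, and that policy should be stated at the function. The size computation also relies on `name` being the trailing flexible array of `struct event` (the same assumption the old inline copy made), which is the only layout under which `memcpy` over `sizeof(*src_ev) + strlen(src_ev->name) + 1` is correct. I would add above the definition: `/* Deep-copy an event, including its trailing name[]; the copy is unlinked (next == NULL). Returns NULL only for a NULL input; aborts the process if malloc fails. */`. If the project prefers recoverable allocation failure, `return NULL;` in place of `exit(1);` and have copy_events() and setEvent() check the result.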
@@ -726,6 +726,7 @@ extern int split_dive(struct dive *);
 extern struct dive *merge_dives(struct dive *a, struct dive *b, int offset, bool prefer_downloaded);
 extern struct dive *try_to_merge(struct dive *a, struct dive *b, bool prefer_downloaded);
 extern void renumber_dives(int start_nr, bool selected_only);
+extern struct event *clone_event(const struct event *src_ev);
 extern void copy_events(struct divecomputer *s, struct divecomputer *d);
 extern void free_events(struct event *ev);
 extern void copy_cylinders(struct dive *s, struct dive *d, bool used_only);