mifr/subsurface
1
0
Fork 0
mirror of https://github.com/subsurface/subsurface.git synced 2024-11-28 05:00:20 +00:00
Code Issues Projects Releases Packages Wiki Activity

Core: copy whole list in copy_dc_renumber()

Browse source 
copy_dc_renumber() is an internal function to copy dive computers
and renumber the cylinders. Since only the structure was copied,
in the case of multi-dc dives, the merged dives shared the same
computer. If one of them was freed, use-after-free crashes would happen.

Signed-off-by: Berthold Stoeger <bstoeger@mail.tuwien.ac.at>
This commit is contained in:
Berthold Stoeger 2018-10-15 21:17:23 +02:00 committed by Dirk Hohndel
parent 36043e8af2
commit 813c570524
1 changed files with 16 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
core/dive.c
View file

@ -489,14 +489,24 @@ static void copy_dc(const struct divecomputer *sdc, struct divecomputer *ddc)
static void dc_cylinder_renumber(struct dive *dive, struct divecomputer *dc, const int mapping[]);
/* copy dive computer and renumber the cylinders */
/* copy dive computer list and renumber the cylinders
* space for the first divecomputer is provided by the
* caller, the remainder is allocated */
static void copy_dc_renumber(struct dive *d, const struct divecomputer *sdc, struct divecomputer *ddc, const int cylinders_map[])
{
for (;;) {
*ddc = *sdc;
ddc->model = copy_string(sdc->model);
copy_samples(sdc, ddc);
copy_events(sdc, ddc);
dc_cylinder_renumber(d, ddc, cylinders_map);
if (!sdc->next)
break;
sdc = sdc->next;
ddc->next = calloc(1, sizeof(struct divecomputer));
ddc = ddc->next;
}
ddc->next = NULL;
}
/* copy an element in a list of pictures */