2000-11-11 Garry R. Osgood <gosgood>@idt.net *

app/gimpbrushpipe.c Double frees due to dangling pointers [gimpbrushpipe.c CVS-1.27 Lines 396 ff]. Upon failure to load an n-th pixmap, a GPattern holding the dangling pointers would be released first, also releasing n-1 pixmap's name and RGB mask. These would again be freed in pipe and GTK deconstruction.
2024-10-21 20:12:30 +00:00 · 2000-11-11 15:48:27 +00:00 · 2000-11-11 15:48:27 +00:00 · c24b37e51c
parent 5ff22ad0d0
commit c24b37e51c
4 changed files with 27 additions and 3 deletions
--- a/18
+++ b/18
@ -1,3 +1,21 @@
+2000-11-11 Garry R. Osgood <gosgood>@idt.net
+
+	* app/gimpbrushpipe.c
+	Apropos to #8150, double frees of RGB
+	mask and brush name strings belonging to the the 
+	last successfully constructed pixmap brush of a pipe 
+	occured due to dangling pointers to these regions left 
+	in the temporary GPattern [gimpbrushpipe.c CVS-1.27 Lines
+	396 ff]. Upon failure to load an n-th pixmap, the
+	GPattern would be released first, also releasing n-1
+	pixmap's name and RGB mask. These would again be freed
+	in pipe deconstruction. Heap memory would
+	remain corrupt for any type "2" variant of the bug, as 
+	defined by Raphael Quinet in his original #8150 report.
+ 	Examples: (1) the rank cited in the pipe header is 
+	inconsistent with actual pixmap content of pipe, or (2)
+	a component pixmap is missing or corrupt.
+
 2000-11-11  Tor Lillqvist  <tml@iki.fi>

 	* plug-ins/gimpressionist/gimpressionist.c (readdirintolist_real,
--- a/app/core/gimpbrushpipe-load.c
+++ b/app/core/gimpbrushpipe-load.c
@ -434,8 +434,10 @@ gimp_brush_pipe_load (gchar *filename)
 	}

      pipe->brushes[pipe->nbrushes]->pixmap_mask = pattern->mask;
+      pattern->mask = NULL;   /* #8150: mask now belongs to pixmap */
      g_free (pattern->name);
-
+      pattern->name = NULL;   /* #8150: name no longer exists      */
+                              
      pipe->nbrushes++;
    }

--- a/app/core/gimpbrushpipe.c
+++ b/app/core/gimpbrushpipe.c
@ -434,8 +434,10 @@ gimp_brush_pipe_load (gchar *filename)
 	}

      pipe->brushes[pipe->nbrushes]->pixmap_mask = pattern->mask;
+      pattern->mask = NULL;   /* #8150: mask now belongs to pixmap */
      g_free (pattern->name);
-
+      pattern->name = NULL;   /* #8150: name no longer exists      */
+                              
      pipe->nbrushes++;
    }

--- a/app/gimpbrushpipe.c
+++ b/app/gimpbrushpipe.c
@ -434,8 +434,10 @@ gimp_brush_pipe_load (gchar *filename)
 	}

      pipe->brushes[pipe->nbrushes]->pixmap_mask = pattern->mask;
+      pattern->mask = NULL;   /* #8150: mask now belongs to pixmap */
      g_free (pattern->name);
-
+      pattern->name = NULL;   /* #8150: name no longer exists      */
+                              
      pipe->nbrushes++;
    }