From c24b37e51c33547307c266024fb6b68da9e8478f Mon Sep 17 00:00:00 2001
From: "Garry R. Osgood"
Date: Sat, 11 Nov 2000 15:48:27 +0000
Subject: [PATCH] 2000-11-11 Garry R. Osgood @idt.net * app/gimpbrushpipe.c Double frees due to dangling pointers [gimpbrushpipe.c CVS-1.27 Lines 396 ff]. Upon failure to load an n-th pixmap, a GPattern holding the dangling pointers would be released first, also releasing n-1 pixmap's name and RGB mask. These would again be freed in pipe and GTK deconstruction.
---
 ChangeLog | 18 ++++++++++++++++++
 app/core/gimpbrushpipe-load.c | 4 +++-
 app/core/gimpbrushpipe.c | 4 +++-
 app/gimpbrushpipe.c | 4 +++-
 4 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index e2e1f869c4..fc8b6e63d8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,21 @@
+2000-11-11 Garry R. Osgood @idt.net
+
+ * app/gimpbrushpipe.c
+ Apropos to #8150, double frees of RGB
+ mask and brush name strings belonging to the the
+ last successfully constructed pixmap brush of a pipe
+ occured due to dangling pointers to these regions left
+ in the temporary GPattern [gimpbrushpipe.c CVS-1.27 Lines
+ 396 ff]. Upon failure to load an n-th pixmap, the
+ GPattern would be released first, also releasing n-1
+ pixmap's name and RGB mask. These would again be freed
+ in pipe deconstruction. Heap memory would
+ remain corrupt for any type "2" variant of the bug, as
+ defined by Raphael Quinet in his original #8150 report.
+ Examples: (1) the rank cited in the pipe header is
+ inconsistent with actual pixmap content of pipe, or (2)
+ a component pixmap is missing or corrupt.
+
 2000-11-11 Tor Lillqvist
 * plug-ins/gimpressionist/gimpressionist.c (readdirintolist_real,
diff --git a/app/core/gimpbrushpipe-load.c b/app/core/gimpbrushpipe-load.c
index b2a416130a..fe9c4e8f8b 100644
--- a/app/core/gimpbrushpipe-load.c
+++ b/app/core/gimpbrushpipe-load.c
@@ -434,8 +434,10 @@ gimp_brush_pipe_load (gchar *filename)
 }
 pipe->brushes[pipe->nbrushes]->pixmap_mask = pattern->mask;
+ pattern->mask = NULL; /* #8150: mask now belongs to pixmap */
 g_free (pattern->name);
-
+ pattern->name = NULL; /* #8150: name no longer exists */
+
 pipe->nbrushes++;
 }
diff --git a/app/core/gimpbrushpipe.c b/app/core/gimpbrushpipe.c
index b2a416130a..fe9c4e8f8b 100644
--- a/app/core/gimpbrushpipe.c
+++ b/app/core/gimpbrushpipe.c
@@ -434,8 +434,10 @@ gimp_brush_pipe_load (gchar *filename)
 }
 pipe->brushes[pipe->nbrushes]->pixmap_mask = pattern->mask;
+ pattern->mask = NULL; /* #8150: mask now belongs to pixmap */
 g_free (pattern->name);
-
+ pattern->name = NULL; /* #8150: name no longer exists */
+
 pipe->nbrushes++;
 }
diff --git a/app/gimpbrushpipe.c b/app/gimpbrushpipe.c
index b2a416130a..fe9c4e8f8b 100644
--- a/app/gimpbrushpipe.c
+++ b/app/gimpbrushpipe.c
@@ -434,8 +434,10 @@ gimp_brush_pipe_load (gchar *filename)
 }
 pipe->brushes[pipe->nbrushes]->pixmap_mask = pattern->mask;
+ pattern->mask = NULL; /* #8150: mask now belongs to pixmap */
 g_free (pattern->name);
-
+ pattern->name = NULL; /* #8150: name no longer exists */
+
 pipe->nbrushes++;
 }
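Review bot: Resetting `pattern->mask` and `pattern->name` to NULL only removes the double free if the failure-path release of `pattern` tolerates NULL in both fields, and that release code is outside this hunk, as is the rest of `gimp_brush_pipe_load`. `g_free` is a no-op on NULL, but the routine that frees the mask buffer may not be, so either confirm it checks for NULL or guard the call there with `if (pattern->mask)`. Because the error path is reached from a malformed or truncated pipe file read from disk, it is worth keeping such a file as a regression input and loading it under a heap checker. The comment on the first added line could state the invariant rather than the bug number alone, e.g. `/* ownership moved to the brush; pattern must not free it */`. The same hunk is applied verbatim to `app/core/gimpbrushpipe.c` and `app/gimpbrushpipe.c`, so the point applies to all three files.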