git.mdlowis.com Git - proto/labwc.git/commit

author	tokyo4j <hrak1529@gmail.com>
	Fri, 3 Jan 2025 15:05:12 +0000 (00:05 +0900)
committer	Consolatis <35009135+Consolatis@users.noreply.github.com>
	Sat, 4 Jan 2025 08:10:02 +0000 (09:10 +0100)
commit	70fb7138743ba22c0cfd797828fd7477183c39bc
tree	73264fd2a0b1bb2d2dbe6b93865b559f85eae2eb	tree \| snapshot
parent	90a8c3e793ab53496c3f8e641f83f9941def233b	commit \| diff

img: fix UAF on Reconfigure by refcounting

Before this commit, there was a use-after-free bug on Reconfigure:
- theme_finish() destroys lab_imgs for titlebar icons
- For some reason, undecorate() calls _create_buffer() in
scaled-img-buffer.c, which calls img_render() on a destroyed lab_img.

So in this commit, the lifetime of lab_img is expanded to when the
scaled_img_buffers referencing it are all destroyed. This is achieved by
calling lab_img_copy() when setting a lab_img to scaled_img_buffer and
calling lab_img_destroy() when clearing a lab_img.

Now that scaled_img_buffer.img are always different, lab_img_equal() is
added to compare the content of scaled_img_buffer.img.

include/common/scaled-img-buffer.h		diff \| blob \| history
include/img/img.h		diff \| blob \| history
include/ssd-internal.h		diff \| blob \| history
src/common/scaled-img-buffer.c		diff \| blob \| history
src/img/img.c		diff \| blob \| history
src/ssd/ssd-titlebar.c		diff \| blob \| history