From: Simon McVittie <smcv@debian.org>
Date: Sun, 11 Apr 2021 14:00:21 +0100
Subject: Puzzle: Use temporary variables when dereferencing initial_board
If we directly use `(!) initial_board [x, y]`, the C code generated by
valac 0.48.16 sets a temporary variable to a pointer into
`initial_board`, and then frees that pointer when it goes out of scope,
leaving a dangling pointer in `initial_board` which causes a double-free
and a crash.
Signed-off-by: Simon McVittie <smcv@debian.org>
Bug: https://gitlab.gnome.org/GNOME/gnome-tetravex/-/issues/32
Bug-Debian: https://bugs.debian.org/986718
Forwarded: https://gitlab.gnome.org/GNOME/gnome-tetravex/-/merge_requests/18
---
src/puzzle.vala | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/puzzle.vala b/src/puzzle.vala
index 218b590..aa0cfa8 100644
--- a/src/puzzle.vala
+++ b/src/puzzle.vala
@@ -911,9 +911,14 @@ private class Puzzle : Object
for (uint8 x = 0; x < board_size; x++)
for (uint8 y = 0; y < board_size - 1; y++)
{
- if (((!) initial_board [x, y]).color_south != ((!) initial_board [x, y + 1]).color_north)
+ SavedTile? x_y = initial_board [x, y];
+ SavedTile? x_yplus1 = initial_board [x, y + 1];
+ SavedTile? y_x = initial_board [y, x];
+ SavedTile? yplus1_x = initial_board [y + 1, x];
+
+ if (((!) x_y).color_south != ((!) x_yplus1).color_north)
return false;
- if (((!) initial_board [y, x]).color_east != ((!) initial_board [y + 1, x]).color_west)
+ if (((!) y_x).color_east != ((!) yplus1_x).color_west)
return false;
}
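Review bot: The four `SavedTile?` temporaries at the top of the inner loop body have no comment explaining why they exist, so a later cleanup could inline them back into the `if` conditions and reintroduce the double-free described in the commit message. I would add a comment above them such as `// Keep these temporaries: with valac 0.48.16, dereferencing initial_board [x, y] directly frees the element in place and leaves a dangling pointer (double-free).` Separately, the `(!)` casts still assert that every entry is non-null; the method starts and ends outside the hunk, so it is not visible whether earlier code guarantees that. If `initial_board` can be filled from saved data, a guard such as `if (x_y == null || x_yplus1 == null || y_x == null || yplus1_x == null) return false;` before the comparisons would be safer than relying on the cast.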