Mask removal: dt_masks_form_remove() after dt_dev_masks_list_remove()

LebedevRI · LebedevRI · commit f6de34bc10c3 · 2015-09-27T22:17:10.000+03:00
Fixes: AddressSanitizer: heap-use-after-free on address 0x60e00013d4b4 at pc 0x7fd6409390f3 bp 0x7ffdd90547c0 sp 0x7ffdd90547b8 READ of size 4 at 0x60e00013d4b4 thread T0 #0 0x7fd6409390f2 in dt_ellipse_events_button_released /home/lebedevri/darktable/src/develop/masks/ellipse.c:434 #1 0x7fd64093a8f1 in dt_group_events_button_released /home/lebedevri/darktable/src/develop/masks/group.c:115 #2 0x7fd64093a8f1 in dt_masks_events_button_released /home/lebedevri/darktable/src/develop/masks/masks.c:1199 #3 0x7fd61b64495c in button_released /home/lebedevri/darktable/src/views/darkroom.c:1882 #4 0x7fd6409ad45e in dt_view_manager_button_released /home/lebedevri/darktable/src/views/view.c:569 #5 0x7fd64096918c in button_released /home/lebedevri/darktable/src/gui/gtk.c:665 ... 0x60e00013d4b4 is located 148 bytes inside of 160-byte region [0x60e00013d420,0x60e00013d4c0) freed by thread T0 here: #0 0x7fd640c890da in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x940da) #1 0x7fd640935982 in dt_masks_form_remove /home/lebedevri/darktable/src/develop/masks/masks.c:1854 #2 0x7fd6409390c5 in dt_ellipse_events_button_released /home/lebedevri/darktable/src/develop/masks/ellipse.c:433 #3 0x7fd64093a8f1 in dt_group_events_button_released /home/lebedevri/darktable/src/develop/masks/group.c:115 #4 0x7fd64093a8f1 in dt_masks_events_button_released /home/lebedevri/darktable/src/develop/masks/masks.c:1199 #5 0x7fd61b64495c in button_released /home/lebedevri/darktable/src/views/darkroom.c:1882 #6 0x7fd6409ad45e in dt_view_manager_button_released /home/lebedevri/darktable/src/views/view.c:569 #7 0x7fd64096918c in button_released /home/lebedevri/darktable/src/gui/gtk.c:665 #8 0x7fd63ffb5a8c (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x208a8c) previously allocated by thread T0 here: #0 0x7fd640c8937a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9437a) #1 0x7fd640915ce3 in dt_masks_create /home/lebedevri/darktable/src/develop/masks/masks.c:777 #2 0x7fd61af68c61 in _add_ellipse /home/lebedevri/darktable/src/iop/spots.c:211 #3 0x7fd63ffb5a8c (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x208a8c) SUMMARY: AddressSanitizer: heap-use-after-free /home/lebedevri/darktable/src/develop/masks/ellipse.c:434 dt_ellipse_events_button_released
diff --git a/src/develop/masks/brush.c b/src/develop/masks/brush.c
@@ -1448,8 +1448,8 @@ static int dt_brush_events_button_pressed(struct dt_iop_module_t *module, float
     }
 
     // we remove the shape
-    dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);
     dt_dev_masks_list_remove(darktable.develop, form->formid, parentid);
+    dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);
     return 1;
   }
 
diff --git a/src/develop/masks/circle.c b/src/develop/masks/circle.c
@@ -271,8 +271,8 @@ static int dt_circle_events_button_released(struct dt_iop_module_t *module, floa
     }
 
     // we remove the shape
-    dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);
     dt_dev_masks_list_remove(darktable.develop, form->formid, parentid);
+    dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);
     return 1;
   }
   if(gui->form_dragging)
diff --git a/src/develop/masks/ellipse.c b/src/develop/masks/ellipse.c
@@ -430,8 +430,8 @@ static int dt_ellipse_events_button_released(struct dt_iop_module_t *module, flo
     }
 
     // we remove the shape
-    dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);
     dt_dev_masks_list_remove(darktable.develop, form->formid, parentid);
+    dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);
     return 1;
   }
   if(gui->form_dragging)
diff --git a/src/develop/masks/gradient.c b/src/develop/masks/gradient.c
@@ -222,8 +222,8 @@ static int dt_gradient_events_button_released(struct dt_iop_module_t *module, fl
     }
 
     // we remove the shape
-    dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);
     dt_dev_masks_list_remove(darktable.develop, form->formid, parentid);
+    dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);
     return 1;
   }
 
diff --git a/src/develop/masks/path.c b/src/develop/masks/path.c
@@ -1238,8 +1238,8 @@ static int dt_path_events_button_pressed(struct dt_iop_module_t *module, float p
     }
 
     // we remove the shape
-    dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);
     dt_dev_masks_list_remove(darktable.develop, form->formid, parentid);
+    dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);
     return 1;
   }
 

Original file line number	Diff line number	Diff line change
`@@ -1448,8 +1448,8 @@ static int dt_brush_events_button_pressed(struct dt_iop_module_t *module, float`
`1448`	`1448`	`}`
`1449`	`1449`
`1450`	`1450`	`// we remove the shape`
`1451`		`- dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);`
`1452`	`1451`	`dt_dev_masks_list_remove(darktable.develop, form->formid, parentid);`
	`1452`	`+ dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);`
`1453`	`1453`	`return 1;`
`1454`	`1454`	`}`
`1455`	`1455`
Original file line number	Diff line number	Diff line change
`@@ -271,8 +271,8 @@ static int dt_circle_events_button_released(struct dt_iop_module_t *module, floa`
`271`	`271`	`}`
`272`	`272`
`273`	`273`	`// we remove the shape`
`274`		`- dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);`
`275`	`274`	`dt_dev_masks_list_remove(darktable.develop, form->formid, parentid);`
	`275`	`+ dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);`
`276`	`276`	`return 1;`
`277`	`277`	`}`
`278`	`278`	`if(gui->form_dragging)`
Original file line number	Diff line number	Diff line change
`@@ -430,8 +430,8 @@ static int dt_ellipse_events_button_released(struct dt_iop_module_t *module, flo`
`430`	`430`	`}`
`431`	`431`
`432`	`432`	`// we remove the shape`
`433`		`- dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);`
`434`	`433`	`dt_dev_masks_list_remove(darktable.develop, form->formid, parentid);`
	`434`	`+ dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);`
`435`	`435`	`return 1;`
`436`	`436`	`}`
`437`	`437`	`if(gui->form_dragging)`
Original file line number	Diff line number	Diff line change
`@@ -222,8 +222,8 @@ static int dt_gradient_events_button_released(struct dt_iop_module_t *module, fl`
`222`	`222`	`}`
`223`	`223`
`224`	`224`	`// we remove the shape`
`225`		`- dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);`
`226`	`225`	`dt_dev_masks_list_remove(darktable.develop, form->formid, parentid);`
	`226`	`+ dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);`
`227`	`227`	`return 1;`
`228`	`228`	`}`
`229`	`229`
Original file line number	Diff line number	Diff line change
`@@ -1238,8 +1238,8 @@ static int dt_path_events_button_pressed(struct dt_iop_module_t *module, float p`
`1238`	`1238`	`}`
`1239`	`1239`
`1240`	`1240`	`// we remove the shape`
`1241`		`- dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);`
`1242`	`1241`	`dt_dev_masks_list_remove(darktable.develop, form->formid, parentid);`
	`1242`	`+ dt_masks_form_remove(module, dt_masks_get_from_id(darktable.develop, parentid), form);`
`1243`	`1243`	`return 1;`
`1244`	`1244`	`}`
`1245`	`1245`