mirror/OpenMW
1
0
Fork 0
mirror of https://gitlab.com/OpenMW/openmw.git synced 2025-01-25 06:35:30 +00:00
Code Issues Projects Releases Wiki Activity

loadingscreen: Fix UaF in loading screen.

Browse Source 
When the CopyFramebufferToTextureCallback callback is called, in its operator() it resets setInitialDrawCallback by providing a NULL pointer.
However, this causes the callback to get deleted. In turn, the "this" pointer is invalidated.
When execution returns to DrawCallback::run, it accesses a _nestedCallback member of deleted "this" which is UB.
This commit is contained in:
Ilya Zhuravlev 2018-12-24 01:50:58 -05:00
parent a037e4c954
commit 8e7c01b561
1 changed files with 2 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
apps/openmw/mwgui/loadingscreen.cpp
View File

@ -141,10 +141,6 @@ namespace MWGui
int w = renderInfo.getCurrentCamera()->getViewport()->width();
int h = renderInfo.getCurrentCamera()->getViewport()->height();
mTexture->copyTexImage2D(*renderInfo.getState(), 0, 0, w, h);
// Callback removes itself when done
if (renderInfo.getCurrentCamera())
renderInfo.getCurrentCamera()->setInitialDrawCallback(nullptr);
}
private:
@ -308,6 +304,8 @@ namespace MWGui
mGuiTexture.reset(new osgMyGUI::OSGTexture(mTexture));
}
// Notice that the next time this is called, the current CopyFramebufferToTextureCallback will be deleted
// so there's no memory leak as at most one object of type CopyFramebufferToTextureCallback is allocated at a time.
mViewer->getCamera()->setInitialDrawCallback(new CopyFramebufferToTextureCallback(mTexture));
mBackgroundImage->setBackgroundImage("");