
[bug #25915] Segfault in -[NSNotificationQueue dealloc]


From: Larry Campbell
Subject: [bug #25915] Segfault in -[NSNotificationQueue dealloc]
Date: Wed, 18 Mar 2009 14:56:08 +0000
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1

URL:
  <http://savannah.gnu.org/bugs/?25915>

                 Summary: Segfault in -[NSNotificationQueue dealloc]
                 Project: GNUstep
            Submitted by: lcampbel
            Submitted on: Wed 18 Mar 2009 02:56:06 PM GMT
                Category: Base/Foundation
                Severity: 3 - Normal
              Item Group: Bug
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

-[NSNotificationQueue dealloc] traverses a linked list of
NSNotificationQueueRegistration objects, deleting each object from the queue,
but makes the classic mistake of dereferencing the link to the next object
_after_ the object has been freed.

Here's the fix:

--- NSNotificationQueue.m.orig  2008-06-09 00:05:01.000000000 -0400
+++ NSNotificationQueue.m       2009-03-18 10:51:55.000000000 -0400
@@ -353,6 +353,7 @@
 - (void) dealloc
 {
   NSNotificationQueueRegistration      *item;
+  NSNotificationQueueRegistration       *prev;
 
   /*
    * remove from class instances list
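
Review bot: the added `*prev` declaration, as rendered here, has one more space before the declarator than the `*item` line directly above it, so the two no longer line up. Match the existing column so the declarations stay aligned with the rest of the method.
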
@@ -362,14 +363,16 @@
   /*
    * release self from queues
    */
-  for (item = _asapQueue->head; item; item=item->prev)
+  for (item = _asapQueue->head; item; item=prev)
     {
+      prev = item->prev;
       remove_from_queue(_asapQueue, item, _zone);
     }
   NSZoneFree(_zone, _asapQueue);
 
-  for (item = _idleQueue->head; item; item=item->prev)
+  for (item = _idleQueue->head; item; item=prev)
     {
+      prev = item->prev;
       remove_from_queue(_idleQueue, item, _zone);
     }
   NSZoneFree(_zone, _idleQueue);
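
Review bot: in both loops nothing at the `prev = item->prev;` line says why the link has to be read before `remove_from_queue()` runs, so a later tidy-up could fold it back into the `for` header and reintroduce the access to a freed item that the report describes. Add a one-line comment above each assignment stating that the item is released by `remove_from_queue()` and must not be touched afterwards. The `_asapQueue` and `_idleQueue` loops are also now identical apart from the queue they walk, so a small static helper taking the queue and `_zone` would keep this ordering in one place.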






    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?25915>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/




