Fixed a number of use-after-free bugs with FGPositioneds

These were due to converting FGPositionedRef to FGPositioned* and then again packing the pointer into another ref-counted FGPositionedRef.
2017-02-25 14:48:54 +01:00 · 2017-02-25 14:48:54 +01:00 · e1668a2919
commit e1668a2919
parent d401a50e0a
3 changed files with 6 additions and 6 deletions
--- a/src/Navaids/NavDataCache.cxx
+++ b/src/Navaids/NavDataCache.cxx
@ -1706,7 +1706,7 @@ FGPositionedRef NavDataCache::loadById(PositionedID rowid)
  }

  sqlite3_int64 aptId;
-  FGPositioned* pos = d->loadById(rowid, aptId);
+  FGPositionedRef pos = d->loadById(rowid, aptId);
  d->cache.insert(it, PositionedCache::value_type(rowid, pos));
  d->cacheMisses++;

@ -1933,7 +1933,7 @@ FGPositionedRef NavDataCache::findClosestWithIdent( const string& aIdent,
  FGPositionedRef result;

  while (d->stepSelect(d->findClosestWithIdent)) {
-    FGPositioned* pos = loadById(sqlite3_column_int64(d->findClosestWithIdent, 0));
+    FGPositionedRef pos = loadById(sqlite3_column_int64(d->findClosestWithIdent, 0));
    if (aFilter && !aFilter->pass(pos)) {
      continue;
    }
@ -2073,7 +2073,7 @@ NavDataCache::findCommByFreq(int freqKhz, const SGGeod& aPos, FGPositioned::Filt
  FGPositionedRef result;

  while (d->execSelect(d->findCommByFreq)) {
-    FGPositioned* p = loadById(sqlite3_column_int64(d->findCommByFreq, 0));
+    FGPositionedRef p = loadById(sqlite3_column_int64(d->findCommByFreq, 0));
    if (aFilter && !aFilter->pass(p)) {
      continue;
    }
--- a/src/Navaids/positioned.cxx
+++ b/src/Navaids/positioned.cxx
@ -85,7 +85,7 @@ FGPositioned::~FGPositioned()
 {
 }

-FGPositioned*
+FGPositionedRef
 FGPositioned::createUserWaypoint(const std::string& aIdent, const SGGeod& aPos)
 {
  NavDataCache* cache = NavDataCache::instance();
@ -93,7 +93,7 @@ FGPositioned::createUserWaypoint(const std::string& aIdent, const SGGeod& aPos)
  FGPositionedList existing = cache->findAllWithIdent(aIdent, &filter, true);
  if (!existing.empty()) {
    SG_LOG(SG_NAVAID, SG_WARN, "attempt to insert duplicate WAYPOINT:" << aIdent);
-    return existing.front().ptr();
+    return existing.front();
  }
  
  PositionedID id = cache->createPOI(WAYPOINT, aIdent, aPos);
--- a/src/Navaids/positioned.hxx
+++ b/src/Navaids/positioned.hxx
@ -269,7 +269,7 @@ public:
   */
  static const char* nameForType(Type aTy);

-  static FGPositioned* createUserWaypoint(const std::string& aIdent, const SGGeod& aPos);
+  static FGPositionedRef createUserWaypoint(const std::string& aIdent, const SGGeod& aPos);
  static bool deleteUserWaypoint(const std::string& aIdent);
 protected:
  friend class flightgear::NavDataCache;