From e1668a2919a93a7ce4390fc29661b0b31129be48 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Szymon=20Aceda=C5=84ski?=
Date: Sat, 25 Feb 2017 14:48:54 +0100
Subject: [PATCH] Fixed a number of use-after-free bugs with FGPositioneds

These were due to converting FGPositionedRef to FGPositioned* and then again packing the pointer into another ref-counted FGPositionedRef.
---
 src/Navaids/NavDataCache.cxx | 6 +++---
 src/Navaids/positioned.cxx | 4 ++--
 src/Navaids/positioned.hxx | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/Navaids/NavDataCache.cxx b/src/Navaids/NavDataCache.cxx
index efe600e76..e40894246 100644
--- a/src/Navaids/NavDataCache.cxx
+++ b/src/Navaids/NavDataCache.cxx
@@ -1706,7 +1706,7 @@ FGPositionedRef NavDataCache::loadById(PositionedID rowid)
 }
 sqlite3_int64 aptId;
- FGPositioned* pos = d->loadById(rowid, aptId);
+ FGPositionedRef pos = d->loadById(rowid, aptId);
 d->cache.insert(it, PositionedCache::value_type(rowid, pos));
 d->cacheMisses++;
@@ -1933,7 +1933,7 @@ FGPositionedRef NavDataCache::findClosestWithIdent( const string& aIdent,
 FGPositionedRef result;
 while (d->stepSelect(d->findClosestWithIdent)) {
- FGPositioned* pos = loadById(sqlite3_column_int64(d->findClosestWithIdent, 0));
+ FGPositionedRef pos = loadById(sqlite3_column_int64(d->findClosestWithIdent, 0));
 if (aFilter && !aFilter->pass(pos)) {
 continue;
 }
@@ -2073,7 +2073,7 @@ NavDataCache::findCommByFreq(int freqKhz, const SGGeod& aPos, FGPositioned::Filt
 FGPositionedRef result;
 while (d->execSelect(d->findCommByFreq)) {
- FGPositioned* p = loadById(sqlite3_column_int64(d->findCommByFreq, 0));
+ FGPositionedRef p = loadById(sqlite3_column_int64(d->findCommByFreq, 0));
 if (aFilter && !aFilter->pass(p)) {
 continue;
 }
diff --git a/src/Navaids/positioned.cxx b/src/Navaids/positioned.cxx
index 689259e89..acfcedf42 100644
--- a/src/Navaids/positioned.cxx
+++ b/src/Navaids/positioned.cxx
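Review bot: The fix in the loadById hunk (and likewise in the findClosestWithIdent and findCommByFreq hunks) depends on call-site discipline: it holds only as long as every caller keeps the returned `FGPositionedRef` rather than letting it decay to `FGPositioned*`, and if the ref type still converts implicitly to the raw pointer, a remaining `FGPositioned* x = loadById(...)` elsewhere will compile without complaint, so the contract belongs on `loadById` itself. Suggested comment above `NavDataCache::loadById`: `// Returns an owning reference. The cache inserted here may be the only other holder, so keep the result as an FGPositionedRef; storing it as a raw FGPositioned* can leave a dangling pointer (use-after-free).` It may also be worth a one-time pass over other call sites that assign a `loadById`/`find*` result to a raw pointer or via `.ptr()`. Each of the three enclosing functions starts and ends outside its hunk.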
@@ -85,7 +85,7 @@ FGPositioned::~FGPositioned()
 {
 }
-FGPositioned*
+FGPositionedRef
 FGPositioned::createUserWaypoint(const std::string& aIdent, const SGGeod& aPos)
 {
 NavDataCache* cache = NavDataCache::instance();
@@ -93,7 +93,7 @@ FGPositioned::createUserWaypoint(const std::string& aIdent, const SGGeod& aPos)
 FGPositionedList existing = cache->findAllWithIdent(aIdent, &filter, true);
 if (!existing.empty()) {
 SG_LOG(SG_NAVAID, SG_WARN, "attempt to insert duplicate WAYPOINT:" << aIdent);
- return existing.front().ptr();
+ return existing.front();
 }
 PositionedID id = cache->createPOI(WAYPOINT, aIdent, aPos);
diff --git a/src/Navaids/positioned.hxx b/src/Navaids/positioned.hxx
index 5187f8ddb..3be97f74a 100644
--- a/src/Navaids/positioned.hxx
+++ b/src/Navaids/positioned.hxx
@@ -269,7 +269,7 @@ public:
 */
 static const char* nameForType(Type aTy);
- static FGPositioned* createUserWaypoint(const std::string& aIdent, const SGGeod& aPos);
+ static FGPositionedRef createUserWaypoint(const std::string& aIdent, const SGGeod& aPos);
 static bool deleteUserWaypoint(const std::string& aIdent);
 protected:
 friend class flightgear::NavDataCache;
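Review bot: The new `createUserWaypoint` declaration in the positioned.hxx hunk still carries no doc comment, while the neighbouring `nameForType` does (its closing `*/` is the hunk's first context line), and the ownership change is exactly what a caller needs to know. Suggested `///` block above the declaration: `/// Create a user waypoint with the given ident at aPos, or return the existing one if a waypoint with that ident is already present (logged as a warning). Returns an owning FGPositionedRef; keep it as a ref rather than an FGPositioned* so the object stays alive.` The positioned.cxx hunk at line 93 is what grounds the "returns the existing one" part (`return existing.front();` after the duplicate warning); the body of createUserWaypoint continues outside both of its hunks.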