Skip to content
Snippets Groups Projects
Commit 13cc4027 authored by Deucе's avatar Deucе :ok_hand_tone4:
Browse files

Delete one-shot events before running the callback. 

If a callback deletes the one-shot event that invoked it, the
event pointer in the caller would be to free()d memory with
hilarious results.
parent 83f50984
No related branches found
No related tags found
1 merge request!463MRC mods by Codefenix (2024-10-20)
Pipeline #1906 passed
Stage: build
Show whitespace changes
Inline Side-by-side
Showing
with 18 additions and 6 deletions
src/sbbs3/js_internal.c
+ 18
6
View file @ 13cc4027
...@@ -1122,6 +1122,8 @@ js_handle_events(JSContext *cx, js_callback_t *cb, volatile int *terminated) ...@@ -1122,6 +1122,8 @@ js_handle_events(JSContext *cx, js_callback_t *cb, volatile int *terminated)
BOOL input_locked = FALSE; BOOL input_locked = FALSE;
js_socket_private_t* jssp; js_socket_private_t* jssp;
socklen_t slen; socklen_t slen;
JSFunction* evf;
JSObject* evo;
#ifdef PREFER_POLL #ifdef PREFER_POLL
struct pollfd *fds; struct pollfd *fds;
nfds_t sc; nfds_t sc;
...@@ -1369,6 +1371,11 @@ js_handle_events(JSContext *cx, js_callback_t *cb, volatile int *terminated) ...@@ -1369,6 +1371,11 @@ js_handle_events(JSContext *cx, js_callback_t *cb, volatile int *terminated)
} }
} }
else { else {
// Store a copy of object and function pointers
evf = ev->cb;
evo = ev->cx;
JS_AddObjectRoot(cx, &evo);
// Deal with things before running the callback // Deal with things before running the callback
if (ev->type == JS_EVENT_CONSOLE_INPUT) { if (ev->type == JS_EVENT_CONSOLE_INPUT) {
if (input_locked) if (input_locked)
...@@ -1381,17 +1388,13 @@ js_handle_events(JSContext *cx, js_callback_t *cb, volatile int *terminated) ...@@ -1381,17 +1388,13 @@ js_handle_events(JSContext *cx, js_callback_t *cb, volatile int *terminated)
} }
} }
ret = JS_CallFunction(cx, ev->cx, ev->cb, 0, NULL, &rval); // Clean up one-shots before call
// Clean up/update after call
if (ev->type == JS_EVENT_SOCKET_CONNECT) { if (ev->type == JS_EVENT_SOCKET_CONNECT) {
// TODO: call recv() and pass result to callback? // TODO: call recv() and pass result to callback?
closesocket(ev->data.connect.sv[0]); closesocket(ev->data.connect.sv[0]);
} }
else if (ev->type == JS_EVENT_INTERVAL)
ev->data.interval.last += ev->data.interval.period;
// Remove one-shot events // Remove one-shot events before call
if (ev->type == JS_EVENT_SOCKET_READABLE_ONCE || ev->type == JS_EVENT_SOCKET_WRITABLE_ONCE if (ev->type == JS_EVENT_SOCKET_READABLE_ONCE || ev->type == JS_EVENT_SOCKET_WRITABLE_ONCE
|| ev->type == JS_EVENT_SOCKET_CONNECT || ev->type == JS_EVENT_TIMEOUT || ev->type == JS_EVENT_SOCKET_CONNECT || ev->type == JS_EVENT_TIMEOUT
|| ev->type == JS_EVENT_CONSOLE_INPUT_ONCE) { || ev->type == JS_EVENT_CONSOLE_INPUT_ONCE) {
...@@ -1403,6 +1406,15 @@ js_handle_events(JSContext *cx, js_callback_t *cb, volatile int *terminated) ...@@ -1403,6 +1406,15 @@ js_handle_events(JSContext *cx, js_callback_t *cb, volatile int *terminated)
*head = ev->next; *head = ev->next;
JS_RemoveObjectRoot(cx, &ev->cx); JS_RemoveObjectRoot(cx, &ev->cx);
free(ev); free(ev);
ev = NULL;
}
ret = JS_CallFunction(cx, evo, evf, 0, NULL, &rval);
JS_RemoveObjectRoot(cx, &evo);
if (ev) {
if (ev->type == JS_EVENT_INTERVAL)
ev->data.interval.last += ev->data.interval.period;
} }
} }
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment