[PATCH] Prevent gaschange tank icons from using garbage coords.

Thu Dec 3 21:42:23 PST 2015

Tank icons were shown at incorrect spots on the profile
when the DiveEventItem object held a pointer to a struct
event even after the struct event at that address had
been freed.  When internalEvent is a pointer to freed
memory, internalEvent->time.seconds could have all kinds
of crazy values, which get used in member function
DiveEventItem::recalculatePos to place the tank at bad
x coordinates.

The DiveEventItem(s) no longer store a pointer to memory
that they do not own.  This way, no matter how the path of
execution arrives into slot recalculatePos, we never need
fear that the DiveEventItem will dereference a garbage
pointer to a struct event.

Fixes #968

Signed-off-by: K. Heller <pestophagous at gmail.com>
---
 profile-widget/diveeventitem.cpp |  8 +++++++-
 profile-widget/diveeventitem.h   |  1 +
 subsurface-core/dive.c           | 20 +++++++++++++++++---
 subsurface-core/dive.h           |  1 +
 4 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/profile-widget/diveeventitem.cpp b/profile-widget/diveeventitem.cpp
index 0bbc842..083c8b5 100644
--- a/profile-widget/diveeventitem.cpp
+++ b/profile-widget/diveeventitem.cpp
@@ -19,6 +19,10 @@ DiveEventItem::DiveEventItem(QObject *parent) : DivePixmapItem(parent),
 	setFlag(ItemIgnoresTransformations);
 }
 
+DiveEventItem::~DiveEventItem()
+{
+	free(internalEvent);
+}
 
 void DiveEventItem::setHorizontalAxis(DiveCartesianAxis *axis)
 {
@@ -48,7 +52,9 @@ void DiveEventItem::setEvent(struct event *ev)
 {
 	if (!ev)
 		return;
-	internalEvent = ev;
+
+	free(internalEvent);
+	internalEvent = clone_event(ev);
 	setupPixmap();
 	setupToolTipString();
 	recalculatePos(true);
diff --git a/profile-widget/diveeventitem.h b/profile-widget/diveeventitem.h
index f358fee..9d6ad5d 100644
--- a/profile-widget/diveeventitem.h
+++ b/profile-widget/diveeventitem.h
@@ -11,6 +11,7 @@ class DiveEventItem : public DivePixmapItem {
 	Q_OBJECT
 public:
 	DiveEventItem(QObject *parent = 0);
+	virtual ~DiveEventItem();
 	void setEvent(struct event *ev);
 	struct event *getEvent();
 	void eventVisibilityChanged(const QString &eventName, bool visible);
diff --git a/subsurface-core/dive.c b/subsurface-core/dive.c
index 52175db..46129b8 100644
--- a/subsurface-core/dive.c
+++ b/subsurface-core/dive.c
@@ -525,6 +525,22 @@ void selective_copy_dive(struct dive *s, struct dive *d, struct dive_components
 }
 #undef CONDITIONAL_COPY_STRING
 
+struct event *clone_event(const struct event *src_ev)
+{
+	struct event *ev;
+	if (!src_ev)
+		return NULL;
+
+	size_t size = sizeof(*src_ev) + strlen(src_ev->name) + 1;
+	ev = (struct event*) malloc(size);
+	if (!ev)
+		exit(1);
+	memcpy(ev, src_ev, size);
+	ev->next = NULL;
+
+	return ev;
+}
+
 /* copies all events in this dive computer */
 void copy_events(struct divecomputer *s, struct divecomputer *d)
 {
@@ -534,9 +550,7 @@ void copy_events(struct divecomputer *s, struct divecomputer *d)
 	ev = s->events;
 	pev = &d->events;
 	while (ev != NULL) {
-		int size = sizeof(*ev) + strlen(ev->name) + 1;
-		struct event *new_ev = malloc(size);
-		memcpy(new_ev, ev, size);
+		struct event *new_ev = clone_event(ev);
 		*pev = new_ev;
 		pev = &new_ev->next;
 		ev = ev->next;
diff --git a/subsurface-core/dive.h b/subsurface-core/dive.h
index 3ff262e..ff7dbd2 100644
--- a/subsurface-core/dive.h
+++ b/subsurface-core/dive.h
@@ -726,6 +726,7 @@ extern int split_dive(struct dive *);
 extern struct dive *merge_dives(struct dive *a, struct dive *b, int offset, bool prefer_downloaded);
 extern struct dive *try_to_merge(struct dive *a, struct dive *b, bool prefer_downloaded);
 extern void renumber_dives(int start_nr, bool selected_only);
+extern struct event *clone_event(const struct event *src_ev);
 extern void copy_events(struct divecomputer *s, struct divecomputer *d);
 extern void free_events(struct event *ev);
 extern void copy_cylinders(struct dive *s, struct dive *d, bool used_only);
-- 
2.5.0

