From 2778470b9755af2349a70f127e208750afda7725 Mon Sep 17 00:00:00 2001
From: "K. \\\"pestophagous\\\" Heller"
Date: Thu, 3 Dec 2015 21:42:23 -0800
Subject: Prevent gaschange tank icons from using garbage coords.
Tank icons were shown at incorrect spots on the profile when the DiveEventItem object held a pointer to a struct event even after the struct event at that address had been freed. When internalEvent is a pointer to freed memory, internalEvent->time.seconds could have all kinds of crazy values, which get used in member function DiveEventItem::recalculatePos to place the tank at bad x coordinates. The DiveEventItem(s) no longer store a pointer to memory that they do not own. This way, no matter how the path of execution arrives into slot recalculatePos, we never need fear that the DiveEventItem will dereference a garbage pointer to a struct event.
Fixes #968
Signed-off-by: K. Heller
Signed-off-by: Dirk Hohndel
---
 subsurface-core/dive.c | 20 +++++++++++++++++---
 subsurface-core/dive.h | 1 +
 2 files changed, 18 insertions(+), 3 deletions(-)
(limited to 'subsurface-core')
diff --git a/subsurface-core/dive.c b/subsurface-core/dive.c
index 52175db71..46129b86a 100644
--- a/subsurface-core/dive.c
+++ b/subsurface-core/dive.c
@@ -525,6 +525,22 @@ void selective_copy_dive(struct dive *s, struct dive *d, struct dive_components
 }
 #undef CONDITIONAL_COPY_STRING
 
+struct event *clone_event(const struct event *src_ev)
+{
+ struct event *ev;
+ if (!src_ev)
+ return NULL;
+
+ size_t size = sizeof(*src_ev) + strlen(src_ev->name) + 1;
+ ev = (struct event*) malloc(size);
+ if (!ev)
+ exit(1);
+ memcpy(ev, src_ev, size);
+ ev->next = NULL;
+
+ return ev;
+}
+
 /* copies all events in this dive computer */
 void copy_events(struct divecomputer *s, struct divecomputer *d)
 {
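Review bot: clone_event() is introduced without a comment stating its ownership contract, and since the commit exists to stop DiveEventItem holding memory it does not own, that contract is what callers need to get right. I would add above the definition `/* Returns a malloc'd copy of src_ev (NULL if src_ev is NULL) with next set to NULL; the caller owns the copy and must free() it. */`. The `memcpy` is a flat copy sized from `strlen(src_ev->name)`, so any pointer members of struct event (its definition is outside this hunk) would still alias the source and would need the same treatment. On allocation failure `exit(1)` ends the process from core code with no diagnostic; a message to stderr before exiting would make that failure traceable.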
@@ -534,9 +550,7 @@ void copy_events(struct divecomputer *s, struct divecomputer *d)
 ev = s->events;
 pev = &d->events;
 while (ev != NULL) {
- int size = sizeof(*ev) + strlen(ev->name) + 1;
- struct event *new_ev = malloc(size);
- memcpy(new_ev, ev, size);
+ struct event *new_ev = clone_event(ev);
 *pev = new_ev;
 pev = &new_ev->next;
 ev = ev->next;
diff --git a/subsurface-core/dive.h b/subsurface-core/dive.h
index 3ff262e96..ff7dbd2be 100644
--- a/subsurface-core/dive.h
+++ b/subsurface-core/dive.h
@@ -726,6 +726,7 @@ extern int split_dive(struct dive *);
 extern struct dive *merge_dives(struct dive *a, struct dive *b, int offset, bool prefer_downloaded);
 extern struct dive *try_to_merge(struct dive *a, struct dive *b, bool prefer_downloaded);
 extern void renumber_dives(int start_nr, bool selected_only);
+extern struct event *clone_event(const struct event *src_ev);
 extern void copy_events(struct divecomputer *s, struct divecomputer *d);
 extern void free_events(struct event *ev);
 extern void copy_cylinders(struct dive *s, struct dive *d, bool used_only);
-- cgit v1.2.3-70-g09d2