⛏️ index : haiku.git

author Augustin Cavalier <waddlesplash@gmail.com> 2025-03-21 11:54:37.0 -04:00:00
committer Augustin Cavalier <waddlesplash@gmail.com> 2025-03-21 11:54:37.0 -04:00:00
commit
c6f736315a340d95f94812ada322b2de35f44407 [patch]
tree
892c2fd1d87a4b04abff857f46b9f519bf504a9e
parent
aa2b9830e1f7089ed05a880bc8404f4947539aca

BSlider: Copy the UpdateText inside UpdateTextChanged.

We can't rely on it not changing between calls, especially as
MaxUpdateTextWidth() changes the value and re-gets it, and
that's called at the end of this method always. So we need to
keep our own copy rather than using the one that's owned by
the subclass.

Fixes a use-after-free uncovered by the guarded heap in VolumeSlider,
reported in #19493.

Diff

 headers/os/interface/Slider.h | 2 +-
 src/kits/interface/Slider.cpp | 5 +++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/headers/os/interface/Slider.h b/headers/os/interface/Slider.h
index 5f28d3d..225679b 100644
--- a/headers/os/interface/Slider.h
+++ b/headers/os/interface/Slider.h
@@ -201,7 +201,7 @@

			char*				fMinLimitLabel;
			char*				fMaxLimitLabel;
			const char*			fUpdateText;
			char*				fUpdateText;

			int32 				fMinValue;
			int32 				fMaxValue;
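Review bot: The `char* fUpdateText` declaration gives no indication that the member is now an owned heap copy rather than a pointer borrowed from the subclass's UpdateText(). A one-line comment saying that BSlider allocates and frees it would document the ownership, which is the whole point of dropping the `const`. It would also warn anyone who later assigns to the member directly that the old value must be freed first.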
diff --git a/src/kits/interface/Slider.cpp b/src/kits/interface/Slider.cpp
index 270239d..b53a56a 100644
--- a/src/kits/interface/Slider.cpp
+++ b/src/kits/interface/Slider.cpp
@@ -208,6 +208,7 @@
#endif

	delete fModificationMessage;
	free(fUpdateText);
	free(fMinLimitLabel);
	free(fMaxLimitLabel);
}
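Review bot: `free(fUpdateText)` in the destructor is only safe if every construction path has set fUpdateText to NULL or to a heap pointer before the object can be destroyed, and this hunk does not show that initialization. Please confirm that all constructors (including any unarchiving path) initialize the member. Before this change a stale or borrowed value there was harmless at destruction time; now it would be passed to free().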
@@ -1054,7 +1055,9 @@
		oldWidth = StringWidth(fUpdateText);

	const char* oldUpdateText = fUpdateText;
	fUpdateText = UpdateText();
	free(fUpdateText);

	fUpdateText = strdup(UpdateText());
	bool updateTextOnOff = (fUpdateText == NULL && oldUpdateText != NULL)
		|| (fUpdateText != NULL && oldUpdateText == NULL);
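Review bot: `oldUpdateText` still holds the previous pointer after `free(fUpdateText)`, so from that line on it is dangling. The visible lines only compare it against NULL, but anything later in the method that reads through it would reintroduce the use-after-free this commit fixes. Capturing a `bool hadUpdateText = fUpdateText != NULL;` before the free and using that in the `updateTextOnOff` expression would remove the stale pointer entirely. Separately, `strdup(UpdateText())` is reached even when UpdateText() returns NULL, a case the following condition clearly expects. POSIX does not define strdup(NULL), so if this relies on the platform's strdup tolerating NULL, an explicit check or a short comment would make that dependency visible. Note also that an allocation failure in strdup is treated the same as "no update text".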