[Scummvm-git-logs] scummvm master -> a215faf33e56487f330c485edbd1ffce3a2f1afc
dreammaster
noreply at scummvm.org
Sun Sep 14 05:56:41 UTC 2025
This automated email contains information about 1 new commit which have been
pushed to the 'scummvm' repo located at https://api.github.com/repos/scummvm/scummvm .
Summary:
a215faf33e BAGEL: MFC: Fix use-after-free access after DestroyWindow
Commit: a215faf33e56487f330c485edbd1ffce3a2f1afc
https://github.com/scummvm/scummvm/commit/a215faf33e56487f330c485edbd1ffce3a2f1afc
Author: Paul Gilbert (dreammaster at scummvm.org)
Date: 2025-09-13T22:56:23-07:00
Commit Message:
BAGEL: MFC: Fix use-after-free access after DestroyWindow
The default action of views is to destroy themselves, so we
can't set m_pParentWnd to nullptr after calling a child's
DestroyWindow function
Changed paths:
engines/bagel/mfc/wnd.cpp
diff --git a/engines/bagel/mfc/wnd.cpp b/engines/bagel/mfc/wnd.cpp
index 23819e88b14..fb82b6d6391 100644
--- a/engines/bagel/mfc/wnd.cpp
+++ b/engines/bagel/mfc/wnd.cpp
@@ -364,7 +364,6 @@ void CWnd::DestroyWindow() {
for (auto &node : _children) {
CWnd *child = node._value;
child->DestroyWindow();
- child->m_pParentWnd = nullptr;
}
_children.clear();
@@ -380,6 +379,13 @@ void CWnd::DestroyWindow() {
}
SendMessage(WM_DESTROY);
+
+ // Null the m_pParentWnd field, just in case
+ m_pParentWnd = nullptr;
+
+ // Send NCDESTROY. Warning: for at least view classes,
+ // the default PostNcDestroy deletes the view.
+ // So no class fields can be accessed beyond this point
SendMessage(WM_NCDESTROY);
// If it's the active window, pop it
More information about the Scummvm-git-logs
mailing list