From e617c6d551e4ecd42870b0dce443ffb5500ad01f Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas
Date: Mon, 18 Jul 2022 12:53:34 +0300
Subject: [PATCH] viewer: Fix double free caused by ScrollView::MessageReceiver
waiting_for_events takes ownership of the passed event which is later deleted. Since we use unique_ptr::get() to acquire the pointer, we cause double free: one free happens in the code path where the event from waiting_for_events goes and the other free happens in unique_ptr destructor. The fix is to move ownership out of unique_ptr by unique_ptr::release().
Fixes: https://github.com/tesseract-ocr/tesseract/issues/3869
Fixes: 37b33749da56f5762346e16d0cc843460caacdb5
---
 src/viewer/scrollview.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/viewer/scrollview.cpp b/src/viewer/scrollview.cpp
index 7a9afebb48..3e3517b638 100644
--- a/src/viewer/scrollview.cpp
+++ b/src/viewer/scrollview.cpp
@@ -158,13 +158,13 @@ void ScrollView::MessageReceiver() {
 SVET_ANY);
 waiting_for_events_mu->lock();
 if (waiting_for_events.count(awaiting_list) > 0) {
- waiting_for_events[awaiting_list].second = cur.get();
+ waiting_for_events[awaiting_list].second = cur.release();
 waiting_for_events[awaiting_list].first->Signal();
 } else if (waiting_for_events.count(awaiting_list_any) > 0) {
- waiting_for_events[awaiting_list_any].second = cur.get();
+ waiting_for_events[awaiting_list_any].second = cur.release();
 waiting_for_events[awaiting_list_any].first->Signal();
 } else if (waiting_for_events.count(awaiting_list_any_window) > 0) {
- waiting_for_events[awaiting_list_any_window].second = cur.get();
+ waiting_for_events[awaiting_list_any_window].second = cur.release();
 waiting_for_events[awaiting_list_any_window].first->Signal();
 }
 waiting_for_events_mu->unlock();
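Review bot: The three `cur.release()` assignments store an owning raw pointer in `waiting_for_events[...].second`, but nothing at the assignment site records that transfer; the ownership rule is stated only in the commit message. If a slot can still hold an earlier event that its waiter has not yet collected (not visible in this hunk), the overwrite now leaks that event, where the old `cur.get()` code would have left a dangling pointer instead. I would add `// Ownership passes to the waiter, which must delete the event exactly once.` above the first assignment. Better still, if the container's value type can be changed, make the pair's second member a `std::unique_ptr` and assign `std::move(cur)`, so the compiler enforces the hand-off. MessageReceiver's body starts and ends outside the hunk, so the consumer side should be checked against this rule.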