From 493c4210168fa475aa4130c12e8fdff3b7d85c09 Mon Sep 17 00:00:00 2001
From: Philippe Canal <pcanal@fnal.gov>
Date: Mon, 7 Mar 2022 13:32:37 -0600
Subject: [PATCH] threadsh1: Avoid heap-use-after-free.

Previously, the Canvas `Close` signal which triggers a call to the local function `close` which
was unconditionally call `Kill` on its associated thread would call it on an already deleted
object if the `TThread` was deleted before the `TCanvas`.

This fix #10015 (detected by using ASAN).
---
 tutorials/legacy/thread/threadsh1.C | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/tutorials/legacy/thread/threadsh1.C b/tutorials/legacy/thread/threadsh1.C
index b819f5d020..d6abc67e36 100644
--- a/tutorials/legacy/thread/threadsh1.C
+++ b/tutorials/legacy/thread/threadsh1.C
@@ -67,7 +67,8 @@ void *joiner(void *)
 void closed(Int_t id)
 {
    // kill the thread matching the canvas being closed
-   t[id]->Kill();
+   if (t[id])
+      t[id]->Kill();
    // and set the canvas pointer to 0
    c[id] = 0;
 }
@@ -142,11 +143,11 @@ void threadsh1()
    t[4]->Join();
    TThread::Ps();
 
-   delete t[0];
-   delete t[1];
-   delete t[2];
-   delete t[3];
-   delete t[4];
+   delete t[0]; t[0] = nullptr; // Prevents after deletion access.
+   delete t[1]; t[1] = nullptr;
+   delete t[2]; t[2] = nullptr;
+   delete t[3]; t[3] = nullptr;
+   delete t[4]; t[4] = nullptr;
 
    delete rng[0];
    delete rng[1];
-- 
2.35.1