From 493c4210168fa475aa4130c12e8fdff3b7d85c09 Mon Sep 17 00:00:00 2001 From: Philippe Canal Date: Mon, 7 Mar 2022 13:32:37 -0600 Subject: [PATCH] threadsh1: Avoid heap-use-after-free. Previously, the Canvas `Close` signal which triggers a call to the local function `close` which was unconditionally call `Kill` on its associated thread would call it on an already deleted object if the `TThread` was deleted before the `TCanvas`. This fix #10015 (detected by using ASAN). --- tutorials/legacy/thread/threadsh1.C | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/tutorials/legacy/thread/threadsh1.C b/tutorials/legacy/thread/threadsh1.C index b819f5d020..d6abc67e36 100644 --- a/tutorials/legacy/thread/threadsh1.C +++ b/tutorials/legacy/thread/threadsh1.C @@ -67,7 +67,8 @@ void *joiner(void *) void closed(Int_t id) { // kill the thread matching the canvas being closed - t[id]->Kill(); + if (t[id]) + t[id]->Kill(); // and set the canvas pointer to 0 c[id] = 0; } @@ -142,11 +143,11 @@ void threadsh1() t[4]->Join(); TThread::Ps(); - delete t[0]; - delete t[1]; - delete t[2]; - delete t[3]; - delete t[4]; + delete t[0]; t[0] = nullptr; // Prevents after deletion access. + delete t[1]; t[1] = nullptr; + delete t[2]; t[2] = nullptr; + delete t[3]; t[3] = nullptr; + delete t[4]; t[4] = nullptr; delete rng[0]; delete rng[1]; -- 2.35.1