From eb8a419ac78899f2a346065d1baeaa47fb550e8c Mon Sep 17 00:00:00 2001
From: reuk
Date: Tue, 8 Feb 2022 17:01:23 +0000
Subject: [PATCH] TooltipWindow: Avoid potential use-after-free of lastComponentUnderMouse

Showing the tip will in turn call getDesktopScaleFactor(), accessing the lastComponentUnderMouse. In some cases, it was possible for lastComponentUnderMouse to point to a deleted component, resulting in UB. There are two changes in this PR:
- Using a SafePointer rather than a raw pointer ensures that calls to getDesktopScaleFactor() will always be safe, regardless of when they happen.
- Moving the assignment of lastComponentUnderMouse to before the call to displayTipInternal() ensures that the returned scale factor is that of the component that the mouse is currently hovering.
---
 modules/juce_gui_basics/windows/juce_TooltipWindow.cpp | 6 +++---
 modules/juce_gui_basics/windows/juce_TooltipWindow.h | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/juce_gui_basics/windows/juce_TooltipWindow.cpp b/modules/juce_gui_basics/windows/juce_TooltipWindow.cpp
index 8f1eb5de63..86435e0f80 100644
--- a/modules/juce_gui_basics/windows/juce_TooltipWindow.cpp
+++ b/modules/juce_gui_basics/windows/juce_TooltipWindow.cpp
@@ -218,6 +218,9 @@ void TooltipWindow::timerCallback()
 const auto tipChanged = (newTip != lastTipUnderMouse || newComp != lastComponentUnderMouse);
 const auto now = Time::getApproximateMillisecondCounter();
+ lastComponentUnderMouse = newComp;
+ lastTipUnderMouse = newTip;
+
 if (tipChanged || dismissalMouseEventOccurred || mouseMovedQuickly)
 lastCompChangeTime = now;
@@ -246,9 +249,6 @@ void TooltipWindow::timerCallback()
 showTip();
 }
 }
-
- lastComponentUnderMouse = newComp;
- lastTipUnderMouse = newTip;
 }
 }
diff --git a/modules/juce_gui_basics/windows/juce_TooltipWindow.h b/modules/juce_gui_basics/windows/juce_TooltipWindow.h
index 72deb74a96..34e27fbd24 100644
--- a/modules/juce_gui_basics/windows/juce_TooltipWindow.h
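Review bot: The two assignments added at the top of the first hunk in TooltipWindow::timerCallback() carry an ordering requirement that nothing in the code states. Per the commit message, showing the tip calls getDesktopScaleFactor(), which reads lastComponentUnderMouse, so the member has to be updated before the tip is displayed. A later tidy-up could move the assignments back to the end of the function, so I would add a comment above them such as `// Update before showing the tip: getDesktopScaleFactor() reads lastComponentUnderMouse while the tip is displayed.` The lines between this hunk and the next are not shown, so it is worth confirming that nothing there still expects lastTipUnderMouse or lastComponentUnderMouse to hold the previous tick's values. The function body starts and ends outside the hunk.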
+++ b/modules/juce_gui_basics/windows/juce_TooltipWindow.h
@@ -136,7 +136,7 @@ public:
 private:
 //==============================================================================
 Point lastMousePos;
- Component* lastComponentUnderMouse = nullptr;
+ SafePointer lastComponentUnderMouse;
 String tipShowing, lastTipUnderMouse, manuallyShownTip;
 int millisecondsBeforeTipAppears;
 unsigned int lastCompChangeTime = 0, lastHideTime = 0;
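Review bot: Every reader of lastComponentUnderMouse now has to handle a null value, because a SafePointer becomes null when its component is deleted. The use-after-free is therefore closed only if each dereference is guarded; getDesktopScaleFactor() and any other readers are outside this patch and should be checked for that. The template argument appears to have been lost from the declaration as rendered here, so I am assuming it is a SafePointer to Component. A short comment on the member would record the contract, for example `// Becomes null if the component is deleted; check before dereferencing.` The class body starts and ends outside the hunk.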