From c6d5ca1771dba3c78c243c4a9e1c0613f17c2497 Mon Sep 17 00:00:00 2001
From: Milos Tijanic
Date: Mon, 30 Oct 2023 19:34:58 +0100
Subject: [PATCH 1/4] Fix null deref in nk_group_scrolled_offset_begin
---
 clib.json | 2 +-
 nuklear.h | 10 +++++++++-
 src/CHANGELOG | 1 +
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/clib.json b/clib.json
index cf690c789..e83c57bd8 100644
--- a/clib.json
+++ b/clib.json
@@ -1,6 +1,6 @@
 {
 "name": "nuklear",
- "version": "4.10.6",
+ "version": "4.10.7",
 "repo": "Immediate-Mode-UI/Nuklear",
 "description": "A small ANSI C gui toolkit",
 "keywords": ["gl", "ui", "toolkit"],
diff --git a/nuklear.h b/nuklear.h
index c2edb75a0..face1d105 100644
--- a/nuklear.h
+++ b/nuklear.h
@@ -22827,7 +22827,15 @@ nk_group_begin_titled(struct nk_context *ctx, const char *id,
 NK_ASSERT(y_offset);
 if (!x_offset || !y_offset) return 0;
 *x_offset = *y_offset = 0;
- } else y_offset = nk_find_value(win, id_hash+1);
+ } else {
+ y_offset = nk_find_value(win, id_hash+1);
+ if (!y_offset) {
+ y_offset = nk_add_value(ctx, win, id_hash+1, 0);
+ NK_ASSERT(y_offset);
+ if (!y_offset) return 0;
+ *y_offset = 0;
+ }
+ }
 return nk_group_scrolled_offset_begin(ctx, x_offset, y_offset, title, flags);
 }
 NK_API nk_bool
diff --git a/src/CHANGELOG b/src/CHANGELOG
index 9c8c65748..d1fabcc34 100644
--- a/src/CHANGELOG
+++ b/src/CHANGELOG
@@ -7,6 +7,7 @@
 /// - [y]: Minor version with non-breaking API and library changes
 /// - [z]: Patch version with no direct changes to the API
 ///
+/// - 2023/10/30 (4.10.7) - Fix null pointer dereference in nk_group_scrolled_offset_begin()
 /// - 2022/12/23 (4.10.6) - Fix incorrect glyph index in nk_font_bake()
 /// - 2022/12/17 (4.10.5) - Fix nk_font_bake_pack() using TTC font offset incorrectly
 /// - 2022/10/24 (4.10.4) - Fix nk_str_{append,insert}_str_utf8 always returning 0
From b0ec2cb1bf295cc3b8cca0cf6c542c55c6ac9c05 Mon Sep 17 00:00:00 2001
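Review bot: The new `else` branch in nk_group_begin_titled handles a state the function never explains — the x_offset slot is present in the window's value table while the id_hash+1 slot is absent — and a reader will wonder how that arises; a comment above `y_offset = nk_find_value(win, id_hash+1);` such as `/* x_offset exists but its y companion is missing (presumably nk_add_value failed for the second slot on an earlier frame); recreate it rather than dereference NULL below */` would record the reason next to the code instead of only in the commit subject. The trailing `*y_offset = 0;` looks redundant if nk_add_value stores its last argument as the initial value, as the call with `0` suggests, but the pre-existing `!x_offset` branch does the same, so keeping it is at least consistent. The function's opening lines, where x_offset is looked up, lie outside the hunk.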
From: mtijanic
Date: Fri, 3 Nov 2023 14:35:38 +0100
Subject: [PATCH 2/4] Fix other instances of same null deref pattern with y_offset
---
 nuklear.h | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/nuklear.h b/nuklear.h
index face1d105..81363e01d 100644
--- a/nuklear.h
+++ b/nuklear.h
@@ -22877,7 +22877,15 @@ nk_group_get_scroll(struct nk_context *ctx, const char *id, nk_uint *x_offset, n
 NK_ASSERT(y_offset_ptr);
 if (!x_offset_ptr || !y_offset_ptr) return;
 *x_offset_ptr = *y_offset_ptr = 0;
- } else y_offset_ptr = nk_find_value(win, id_hash+1);
+ } else {
+ y_offset_ptr = nk_find_value(win, id_hash+1);
+ if (!y_offset_ptr) {
+ y_offset_ptr = nk_add_value(ctx, win, id_hash+1, 0);
+ NK_ASSERT(y_offset_ptr);
+ if (!y_offset_ptr) return;
+ *y_offset_ptr = 0;
+ }
+ }
 if (x_offset)
 *x_offset = *x_offset_ptr;
 if (y_offset)
@@ -22912,7 +22920,15 @@ nk_group_set_scroll(struct nk_context *ctx, const char *id, nk_uint x_offset, nk
 NK_ASSERT(y_offset_ptr);
 if (!x_offset_ptr || !y_offset_ptr) return;
 *x_offset_ptr = *y_offset_ptr = 0;
- } else y_offset_ptr = nk_find_value(win, id_hash+1);
+ } else {
+ y_offset_ptr = nk_find_value(win, id_hash+1);
+ if (!y_offset_ptr) {
+ y_offset_ptr = nk_add_value(ctx, win, id_hash+1, 0);
+ NK_ASSERT(y_offset_ptr);
+ if (!y_offset_ptr) return;
+ *y_offset_ptr = 0;
+ }
+ }
 *x_offset_ptr = x_offset;
 *y_offset_ptr = y_offset;
 }
@@ -22962,7 +22978,15 @@ nk_list_view_begin(struct nk_context *ctx, struct nk_list_view *view,
 NK_ASSERT(y_offset);
 if (!x_offset || !y_offset) return 0;
 *x_offset = *y_offset = 0;
- } else y_offset = nk_find_value(win, title_hash+1);
+ } else {
+ y_offset = nk_find_value(win, title_hash+1);
+ if (!y_offset) {
+ y_offset = nk_add_value(ctx, win, title_hash+1, 0);
+ NK_ASSERT(y_offset);
+ if (!y_offset) return 0;
+ *y_offset = 0;
+ }
+ }
 view->scroll_value = *y_offset;
 view->scroll_pointer = y_offset;
From 3e7c372d83f1ce162dcc310b33ca0571d5dfd700 Mon Sep 17 00:00:00 2001
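Review bot: nk_group_get_scroll is a query, yet the new fallback inserts a zeroed slot into the window's value table as a side effect of the read; a getter can report 0 for a missing y without mutating state, e.g. `if (y_offset) *y_offset = y_offset_ptr ? *y_offset_ptr : 0;` in place of the `nk_add_value` block. The pre-existing `!x_offset_ptr` branch already allocates on read, so the commit is consistent with what was there, and this is a design preference rather than a defect. Whether nk_add_value can fail under ordinary load is not visible here; if it can, the added `NK_ASSERT(y_offset_ptr)` turns a recoverable condition into a debug-build abort inside a getter, which is the least expected place for it. The function's tail, including `*y_offset = *y_offset_ptr`, lies outside the hunk.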
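Review bot: In nk_group_set_scroll the fallback's `*y_offset_ptr = 0;` is a dead store: the context line `*y_offset_ptr = y_offset;` overwrites it two lines later. The same is true of the existing `*x_offset_ptr = *y_offset_ptr = 0;` in the `!x_offset_ptr` branch, so the copy is faithful to its surroundings, but for a setter the recovery block can be trimmed to `y_offset_ptr = nk_add_value(ctx, win, id_hash+1, 0); NK_ASSERT(y_offset_ptr); if (!y_offset_ptr) return;`. The function header lies outside the hunk.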
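Review bot: With nk_list_view_begin the identical nine-line find/add/assert/check/zero fallback now appears four times in nuklear.h (here, in nk_group_get_scroll and nk_group_set_scroll above, and in nk_group_begin_titled from the previous patch), differing only in the variable name and the hash; a single internal helper keeps the recovery rule in one place so the next fix does not have to be applied four times. The sketch below uses the return and hash types that nk_find_value and nk_add_value already take; the NK_ASSERT moves into the helper, and each caller keeps only its own early return. The `view->scroll_*` assignments and the rest of the function lie outside the hunk.
```c
/* Scroll offsets live in the window's value table under `hash`.
 * Return the existing slot, or create a zeroed one; NULL only when
 * nk_add_value itself fails. */
static nk_uint*
nk_find_or_add_value(struct nk_context *ctx, struct nk_window *win, nk_hash hash)
{
    nk_uint *value = nk_find_value(win, hash);
    if (!value) {
        value = nk_add_value(ctx, win, hash, 0);
        NK_ASSERT(value);
    }
    return value;
}

/* … in nk_list_view_begin (and likewise in the three nk_group_* callers): … */
    } else {
        y_offset = nk_find_or_add_value(ctx, win, title_hash+1);
        if (!y_offset) return 0;
    }
```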
From: mtijanic
Date: Fri, 3 Nov 2023 14:42:52 +0100
Subject: [PATCH 3/4] Apply y_offset nullptr deref fix to src/ as well
---
 src/nuklear_group.c | 30 +++++++++++++++++++++++++++---
 src/nuklear_list_view.c | 10 +++++++++-
 2 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/src/nuklear_group.c b/src/nuklear_group.c
index e5ef72d5f..e5a6e13ab 100644
--- a/src/nuklear_group.c
+++ b/src/nuklear_group.c
@@ -153,7 +153,15 @@ nk_group_begin_titled(struct nk_context *ctx, const char *id,
 NK_ASSERT(y_offset);
 if (!x_offset || !y_offset) return 0;
 *x_offset = *y_offset = 0;
- } else y_offset = nk_find_value(win, id_hash+1);
+ } else {
+ y_offset = nk_find_value(win, id_hash+1);
+ if (!y_offset) {
+ y_offset = nk_add_value(ctx, win, id_hash+1, 0);
+ NK_ASSERT(y_offset);
+ if (!y_offset) return 0;
+ *y_offset = 0;
+ }
+ }
 return nk_group_scrolled_offset_begin(ctx, x_offset, y_offset, title, flags);
 }
 NK_API nk_bool
@@ -195,7 +203,15 @@ nk_group_get_scroll(struct nk_context *ctx, const char *id, nk_uint *x_offset, n
 NK_ASSERT(y_offset_ptr);
 if (!x_offset_ptr || !y_offset_ptr) return;
 *x_offset_ptr = *y_offset_ptr = 0;
- } else y_offset_ptr = nk_find_value(win, id_hash+1);
+ } else {
+ y_offset_ptr = nk_find_value(win, id_hash+1);
+ if (!y_offset_ptr) {
+ y_offset_ptr = nk_add_value(ctx, win, id_hash+1, 0);
+ NK_ASSERT(y_offset_ptr);
+ if (!y_offset_ptr) return;
+ *y_offset_ptr = 0;
+ }
+ }
 if (x_offset)
 *x_offset = *x_offset_ptr;
 if (y_offset)
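Review bot: The change to nk_group_begin_titled in src/nuklear_group.c is a line-for-line repeat of the nuklear.h hunk from patch 1, which was edited by hand first; if the single header is generated from src/ (the mirrored hunks and identical content suggest so, though the build step is not visible here), the header should be regenerated from this source change rather than patched separately, otherwise the two copies drift — patch 4 already has to reconcile two differing CHANGELOG entries. A short comment on the new branch, `/* table holds x but not y (partially populated); recreate y instead of dereferencing NULL */`, would then reach both copies at once and record a reason that currently exists only in the commit subject. The enclosing function begins outside the hunk.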
@@ -230,7 +246,15 @@ nk_group_set_scroll(struct nk_context *ctx, const char *id, nk_uint x_offset, nk
 NK_ASSERT(y_offset_ptr);
 if (!x_offset_ptr || !y_offset_ptr) return;
 *x_offset_ptr = *y_offset_ptr = 0;
- } else y_offset_ptr = nk_find_value(win, id_hash+1);
+ } else {
+ y_offset_ptr = nk_find_value(win, id_hash+1);
+ if (!y_offset_ptr) {
+ y_offset_ptr = nk_add_value(ctx, win, id_hash+1, 0);
+ NK_ASSERT(y_offset_ptr);
+ if (!y_offset_ptr) return;
+ *y_offset_ptr = 0;
+ }
+ }
 *x_offset_ptr = x_offset;
 *y_offset_ptr = y_offset;
 }
diff --git a/src/nuklear_list_view.c b/src/nuklear_list_view.c
index 38336a558..1688e3eb1 100644
--- a/src/nuklear_list_view.c
+++ b/src/nuklear_list_view.c
@@ -43,7 +43,15 @@ nk_list_view_begin(struct nk_context *ctx, struct nk_list_view *view,
 NK_ASSERT(y_offset);
 if (!x_offset || !y_offset) return 0;
 *x_offset = *y_offset = 0;
- } else y_offset = nk_find_value(win, title_hash+1);
+ } else {
+ y_offset = nk_find_value(win, title_hash+1);
+ if (!y_offset) {
+ y_offset = nk_add_value(ctx, win, title_hash+1, 0);
+ NK_ASSERT(y_offset);
+ if (!y_offset) return 0;
+ *y_offset = 0;
+ }
+ }
 view->scroll_value = *y_offset;
 view->scroll_pointer = y_offset;
From 6af0db2458e5fc15b488ab46283ba6303185a2a3 Mon Sep 17 00:00:00 2001
From: mtijanic
Date: Fri, 3 Nov 2023 14:45:05 +0100
Subject: [PATCH 4/4] Changelog update for more accurate description of the y_offset nullptr deref fix
---
 nuklear.h | 1 +
 src/CHANGELOG | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/nuklear.h b/nuklear.h
index 81363e01d..9b06398ee 100644
--- a/nuklear.h
+++ b/nuklear.h
@@ -29741,6 +29741,7 @@ nk_tooltipfv(struct nk_context *ctx, const char *fmt, va_list args)
 /// - [y]: Minor version with non-breaking API and library changes
 /// - [z]: Patch version with no direct changes to the API
 ///
+/// - 2023/11/03 (4.10.7) - Fix null pointer dereference with nk_group and nk_listview scroll offsets
 /// - 2022/12/23 (4.10.6) - Fix incorrect glyph index in nk_font_bake()
 /// - 2022/12/17 (4.10.5) - Fix nk_font_bake_pack() using TTC font offset incorrectly
 /// - 2022/10/24 (4.10.4) - Fix nk_str_{append,insert}_str_utf8 always returning 0
diff --git a/src/CHANGELOG b/src/CHANGELOG
index d1fabcc34..09eebad1d 100644
--- a/src/CHANGELOG
+++ b/src/CHANGELOG
@@ -7,7 +7,7 @@
 /// - [y]: Minor version with non-breaking API and library changes
 /// - [z]: Patch version with no direct changes to the API
 ///
-/// - 2023/10/30 (4.10.7) - Fix null pointer dereference in nk_group_scrolled_offset_begin()
+/// - 2023/11/03 (4.10.7) - Fix null pointer dereference with nk_group and nk_listview scroll offsets
 /// - 2022/12/23 (4.10.6) - Fix incorrect glyph index in nk_font_bake()
 /// - 2022/12/17 (4.10.5) - Fix nk_font_bake_pack() using TTC font offset incorrectly
 /// - 2022/10/24 (4.10.4) - Fix nk_str_{append,insert}_str_utf8 always returning 0