Immediate-Mode-UI / Nuklear

A single-header ANSI C immediate mode cross-platform GUI library
https://immediate-mode-ui.github.io/Nuklear/doc/index.html

Fix null deref with y_offset in nk_group and nk_listview #584

Open mtijanic opened 8 months ago

mtijanic commented 8 months ago

We hit a rare null deref on y_offset in nk_group_scrolled_offset_begin(), that I think happens like this:

    // snippet from nk_group_begin_titled()

    x_offset = nk_find_value(win, id_hash);
    if (!x_offset) {
        x_offset = nk_add_value(ctx, win, id_hash, 0);
        y_offset = nk_add_value(ctx, win, id_hash+1, 0);
        NK_ASSERT(x_offset);
        NK_ASSERT(y_offset);
        if (!x_offset || !y_offset) return 0;
        *x_offset = *y_offset = 0;
    } else y_offset = nk_find_value(win, id_hash+1);
    return nk_group_scrolled_offset_begin(ctx, x_offset, y_offset, title, flags);

First, we don't find the x_offset, so we go into the if() branch. There, we manage to add x_offset but not y_offset. This causes it to bail early. Then, next frame, it will find x_offset and go into the else branch. There, it fails to find y_offset, and eventually calls into nk_group_scrolled_offset_begin() with y_offset = NULL.

Never got a local repro so can't say for sure if the existing NK_ASSERT(y_offset) was firing, but end user reports that this patch fixes it.

I think this is one of the issues that was reported in #513
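The two-frame sequence described above, as an added illustration that is not code from this PR or from Nuklear: a constructed fixed-capacity value table stands in for `nk_find_value()` / `nk_add_value()`, sized so that the second add fails exactly as described. `group_begin_original` mirrors the lookup shape in the snippet and reports when a NULL `y_offset` would reach `nk_group_scrolled_offset_begin()`; `group_begin_hardened` is one possible defensive lookup (look both keys up independently and add whichever is missing) and is an assumption here, not the patch this PR carries.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed per-window value table modelling nk_find_value()/nk_add_value().
 * Capacity is deliberately tiny so the second add can fail (assumption). */
#define TABLE_CAP 3

struct value_table {
    unsigned int keys[TABLE_CAP];
    unsigned int vals[TABLE_CAP];
    int count;
};

static unsigned int *find_value(struct value_table *t, unsigned int key) {
    for (int i = 0; i < t->count; ++i)
        if (t->keys[i] == key) return &t->vals[i];
    return NULL;
}

static unsigned int *add_value(struct value_table *t, unsigned int key, unsigned int v) {
    if (t->count >= TABLE_CAP) return NULL;   /* table full: the add fails */
    t->keys[t->count] = key;
    t->vals[t->count] = v;
    return &t->vals[t->count++];
}

/* Lookup shaped like the snippet in the PR description.
 * Returns 1 if both pointers are valid, 0 if it bails early,
 * -1 if a NULL y_offset would have been passed on (the null deref). */
static int group_begin_original(struct value_table *t, unsigned int id_hash,
                                unsigned int **x_out, unsigned int **y_out) {
    unsigned int *x_offset, *y_offset;
    x_offset = find_value(t, id_hash);
    if (!x_offset) {
        x_offset = add_value(t, id_hash, 0);
        y_offset = add_value(t, id_hash + 1, 0);
        if (!x_offset || !y_offset) return 0;   /* bails, but x_offset stays stored */
        *x_offset = *y_offset = 0;
    } else y_offset = find_value(t, id_hash + 1); /* assumes y exists when x does */
    *x_out = x_offset;
    *y_out = y_offset;
    return y_offset ? 1 : -1;
}

/* Defensive variant (assumption, not the PR's patch): look up x and y
 * independently, add whichever is missing, and bail if either is NULL. */
static int group_begin_hardened(struct value_table *t, unsigned int id_hash,
                                unsigned int **x_out, unsigned int **y_out) {
    unsigned int *x_offset = find_value(t, id_hash);
    unsigned int *y_offset = find_value(t, id_hash + 1);
    if (!x_offset) x_offset = add_value(t, id_hash, 0);
    if (!y_offset) y_offset = add_value(t, id_hash + 1, 0);
    if (!x_offset || !y_offset) return 0;   /* no NULL ever reaches the caller */
    *x_out = x_offset;
    *y_out = y_offset;
    return 1;
}

int main(void) {
    /* Pre-fill two slots for "another group" so only one slot is left. */
    struct value_table t = {{0}, {0}, 0};
    unsigned int *x = NULL, *y = NULL;
    add_value(&t, 1, 0);
    add_value(&t, 2, 0);
    printf("original, frame 1: %d\n", group_begin_original(&t, 100, &x, &y)); /* 0: bails */
    printf("original, frame 2: %d\n", group_begin_original(&t, 100, &x, &y)); /* -1: NULL y */

    struct value_table h = {{0}, {0}, 0};
    add_value(&h, 1, 0);
    add_value(&h, 2, 0);
    printf("hardened, frame 1: %d\n", group_begin_hardened(&h, 100, &x, &y)); /* 0 */
    printf("hardened, frame 2: %d\n", group_begin_hardened(&h, 100, &x, &y)); /* 0, not -1 */
    return 0;
}
```

The key observation is that the early return in the original leaves the table in a half-initialised state (x stored, y not) that persists into the next frame, and the `else` branch trusts that state without checking it; any lookup that can partially fail needs the consumer to validate both results every time, not only on the creating frame.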