From bcb78859bcfe3f1faef1e596a201a637d00be6ae Mon Sep 17 00:00:00 2001
From: Matthias Melcher
Date: Fri, 7 Jan 2022 18:03:53 +0100
Subject: Fixed a crash bug in Fluid where partial menus were deleted. Reading an .fl file rebuilds a menu item arrays with every item read. If a menu is only partially read, the end marker (label==NULL) is not set, so that deleting the menu will run beyond the missing marker. This bug was exposed by adding images to menu items, which requires additional deletes.
---
 fluid/Fl_Menu_Type.cxx | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'fluid')
diff --git a/fluid/Fl_Menu_Type.cxx b/fluid/Fl_Menu_Type.cxx
index e52008723..48087e6c3 100644
--- a/fluid/Fl_Menu_Type.cxx
+++ b/fluid/Fl_Menu_Type.cxx
@@ -102,6 +102,11 @@ void Fl_Input_Choice_Type::build_menu() {
 } else {
 if (menusize) delete_dependents((Fl_Menu_Item*)(w->menu()));
 }
+ // Menus are already built during the .fl file reading process, so if the
+ // end of a menu list is not read yet, the end markers (label==NULL) will
+ // not be set, and deleting dependants will randomly free memory.
+ // Clearing the array should avoid that.
+ memset( (void*)w->menu(), 0, menusize * sizeof(Fl_Menu_Item) );
 // fill them all in:
 Fl_Menu_Item* m = (Fl_Menu_Item*)(w->menu());
 int lvl = level+1;
@@ -544,6 +549,11 @@ void Fl_Menu_Type::build_menu() {
 } else {
 if (menusize) delete_dependents((Fl_Menu_Item*)(w->menu()));
 }
+ // Menus are already built during the .fl file reading process, so if the
+ // end of a menu list is not read yet, the end markers (label==NULL) will
+ // not be set, and deleting dependants will randomly free memory.
+ // Clearing the array should avoid that.
+ memset( (void*)w->menu(), 0, menusize * sizeof(Fl_Menu_Item) );
 // fill them all in:
 Fl_Menu_Item* m = (Fl_Menu_Item*)(w->menu());
 int lvl = level+1;
--
cgit v1.2.3
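Review bot: The added `memset` protects later `delete_dependents()` calls only if every buffer is zeroed here before it is filled, and the walk itself still appears to stop on the `label==NULL` marker rather than on `menusize` (its body is outside the hunk, so this is inferred from the commit message and the new comment). Because the array contents derive from a .fl file that may be truncated or malformed, bounding that walk by the known element count, for example by passing `menusize` into `delete_dependents` and ending the loop there, would prevent the out-of-bounds frees regardless of what the buffer holds. The C-style `(void*)w->menu()` cast also appears to strip const silently, judging by the `(Fl_Menu_Item*)` casts nearby; moving the call below the existing declaration of `m` and writing `memset(m, 0, menusize * sizeof(Fl_Menu_Item));` avoids the second cast. The same five lines are added to `Fl_Menu_Type::build_menu()` in the second hunk, so both points apply there too, and a shared helper would keep the two copies from drifting apart. Both functions start and end outside their hunks.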