
Commit df6b004

committed
Fix narrow use-after-free races in OpenSlideFFM
When OpenSlide returns a pointer to a structure inside the openslide_t, we need to hold the OpenSlideRef lock until we're done copying out the returned data. This prevents another thread from closing the openslide_t out from under us. Fixes: 6d10501 ("Push locking down into OpenSlideFFM") Signed-off-by: Benjamin Gilbert <[email protected]>
1 parent cf0fc71 commit df6b004


1 file changed

+34
-26
lines changed


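--- a/org/openslide/OpenSlideFFM.java
+++ b/org/openslide/OpenSlideFFM.java
@@ -356,14 +356,16 @@ static void openslide_read_icc_profile(OpenSlideRef osr, byte dest[]) {
 static String openslide_get_error(OpenSlideRef osr) {
 MemorySegment ret;
 try (Ref.ScopedLock l = osr.lock()) {
-ret = (MemorySegment) get_error.invokeExact(osr.getSegment());
-} catch (Throwable ex) {
-throw wrapException(ex);
-}
-if (ret.equals(MemorySegment.NULL)) {
-return null;
+try {
+ret = (MemorySegment) get_error.invokeExact(osr.getSegment());
+} catch (Throwable ex) {
+throw wrapException(ex);
+}
+if (ret.equals(MemorySegment.NULL)) {
+return null;
+}
+return ret.getString(0);
 }
-return ret.getString(0);
 }
 
 private static final MethodHandle get_property_names = function(
@@ -372,29 +374,33 @@ static String openslide_get_error(OpenSlideRef osr) {
 static String[] openslide_get_property_names(OpenSlideRef osr) {
 MemorySegment ret;
 try (Ref.ScopedLock l = osr.lock()) {
-ret = (MemorySegment) get_property_names.invokeExact(
-osr.getSegment());
-} catch (Throwable ex) {
-throw wrapException(ex);
+try {
+ret = (MemorySegment) get_property_names.invokeExact(
+osr.getSegment());
+} catch (Throwable ex) {
+throw wrapException(ex);
+}
+return segment_to_string_array(ret);
 }
-return segment_to_string_array(ret);
 }
 
 private static final MethodHandle get_property_value = function(
 C_POINTER, "openslide_get_property_value", C_POINTER, C_POINTER);
 
 static String openslide_get_property_value(OpenSlideRef osr, String name) {
 MemorySegment ret;
-try (Arena arena = Arena.ofConfined(); Ref.ScopedLock l = osr.lock()) {
-ret = (MemorySegment) get_property_value.invokeExact(
-osr.getSegment(), arena.allocateFrom(name));
-} catch (Throwable ex) {
-throw wrapException(ex);
-}
-if (ret.equals(MemorySegment.NULL)) {
-return null;
+try (Ref.ScopedLock l = osr.lock()) {
+try (Arena arena = Arena.ofConfined()) {
+ret = (MemorySegment) get_property_value.invokeExact(
+osr.getSegment(), arena.allocateFrom(name));
+} catch (Throwable ex) {
+throw wrapException(ex);
+}
+if (ret.equals(MemorySegment.NULL)) {
+return null;
+}
+return ret.getString(0);
 }
-return ret.getString(0);
 }
 
 private static final MethodHandle get_associated_image_names = function(
@@ -403,12 +409,14 @@ static String openslide_get_property_value(OpenSlideRef osr, String name) {
 static String[] openslide_get_associated_image_names(OpenSlideRef osr) {
 MemorySegment ret;
 try (Ref.ScopedLock l = osr.lock()) {
-ret = (MemorySegment) get_associated_image_names.invokeExact(
-osr.getSegment());
-} catch (Throwable ex) {
-throw wrapException(ex);
+try {
+ret = (MemorySegment) get_associated_image_names.invokeExact(
+osr.getSegment());
+} catch (Throwable ex) {
+throw wrapException(ex);
+}
+return segment_to_string_array(ret);
 }
-return segment_to_string_array(ret);
 }
 
 private static final MethodHandle get_associated_image_dimensions = function(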
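Review bot: `MemorySegment ret;` in openslide_get_error is still declared above `try (Ref.ScopedLock l = osr.lock()) {`, so the pointer into the openslide_t stays in scope after the lock is released even though every remaining use is now inside the block. Moving the declaration to the first line inside the locked block would let the compiler reject any later edit that reads `ret` after unlock, which is the use-after-free this commit closes. A short comment at the copy-out, e.g. `// ret points into the openslide_t; copy it out before the lock is released`, would also record why the `return` moved. The same applies to openslide_get_property_names, openslide_get_property_value and openslide_get_associated_image_names.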
