try_release_face crashes the program #35
Description
There's a bug in release_font_and_update, which is called by try_release_face, where the code attempts to modify face->id after freeing face.
if (font_set_release_face(&models->font_set, face->id)){ // `face` is now invalid
for (Node *node = models->working_set.active_file_sentinel.next;
node != &models->working_set.active_file_sentinel;
node = node->next){
Editing_File *file = CastFromMember(Editing_File, main_chain_node, node);
if (file->settings.face_id == face->id){ // address violation: `face`
file->settings.face_id = replacement_face->id;
}
}
if (models->global_face_id == face->id){ // address violation: `face`
models->global_face_id = replacement_face->id;
}
success = true;
}
I recommend caching face->id into a variable before releasing it.
Face_ID face_id = face->id;
if (font_set_release_face(&models->font_set, face_id)){
for (Node *node = models->working_set.active_file_sentinel.next;
node != &models->working_set.active_file_sentinel;
node = node->next){
Editing_File *file = CastFromMember(Editing_File, main_chain_node, node);
if (file->settings.face_id == face_id){
file->settings.face_id = replacement_face->id;
}
}
if (models->global_face_id == face_id){
models->global_face_id = replacement_face->id;
}
success = true;
}