WeakReferenceable: Clear fUseCount when it is 1.

Otherwise, if there are remaining weak references, they could potentially try to acquire the object and trigger a use-after-free.
2023-01-31 22:36:59 -05:00 · 2023-01-31 22:36:59 -05:00 · 5d41cee816
commit 5d41cee816
parent b956691cdd
2 changed files with 6 additions and 1 deletions
--- a/headers/private/shared/WeakReferenceable.h
+++ b/headers/private/shared/WeakReferenceable.h
@ -30,6 +30,8 @@ public:
 			void				GetUnchecked();

 private:
+			friend class BWeakReferenceable;
+
 			int32				fUseCount;
 			BWeakReferenceable*	fObject;
 };
--- a/src/kits/shared/WeakReferenceable.cpp
+++ b/src/kits/shared/WeakReferenceable.cpp
@ -79,7 +79,10 @@ BWeakReferenceable::BWeakReferenceable()

 BWeakReferenceable::~BWeakReferenceable()
 {
-	if (fPointer->UseCount() != 0 && fPointer->UseCount() != 1) {
+	if (fPointer->UseCount() == 1)
+		atomic_test_and_set(&fPointer->fUseCount, 0, 1);
+
+	if (fPointer->UseCount() != 0) {
 		char message[256];
 		snprintf(message, sizeof(message), "deleting referenceable object %p with "
 			"reference count (%" B_PRId32 ")", this, fPointer->UseCount());