From 478b4cdce5c584c294d38f84a0131f239d9af88f Mon Sep 17 00:00:00 2001 From: Yuqian Yang Date: Thu, 20 Nov 2025 03:00:16 +0800 Subject: Fix use after free in render object. --- include/cru/ui/render/LayoutRenderObject.h | 21 ++++++++++++++++++--- include/cru/ui/render/RenderObject.h | 8 ++++---- 2 files changed, 22 insertions(+), 7 deletions(-) (limited to 'include/cru/ui') diff --git a/include/cru/ui/render/LayoutRenderObject.h b/include/cru/ui/render/LayoutRenderObject.h index 11df0449..c0e4218d 100644 --- a/include/cru/ui/render/LayoutRenderObject.h +++ b/include/cru/ui/render/LayoutRenderObject.h @@ -13,6 +13,8 @@ class LayoutRenderObject : public RenderObject { struct ChildData { RenderObject* render_object; ChildLayoutData layout_data; + bool render_object_destroyed; + EventHandlerRevokerListGuard event_guard; }; protected: 
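Review bot: `ChildData::render_object` is a non-owning raw pointer that stays in the entry after the child is destroyed, and the new `render_object_destroyed` flag is the only thing marking it as dangling, yet neither field is documented. Only RemoveChild and ClearChildren are shown checking the flag; any other reader of `children_` (not visible in this diff) could still dereference freed memory between the child's destruction and its removal. I would add a comment on the struct such as `// render_object is non-owning; once render_object_destroyed is true it dangles and must not be dereferenced`. Also consider having the Destroy handler set `render_object = nullptr`, so a missed check fails fast instead of touching freed memory. The struct is complete in this hunk, but LayoutRenderObject continues outside it.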
@@ -33,21 +35,34 @@ class LayoutRenderObject : public RenderObject { if (position < 0) position = 0; if (position > GetChildCount()) position = GetChildCount(); children_.insert(children_.begin() + position, - ChildData{render_object, ChildLayoutData()}); + ChildData{render_object, ChildLayoutData(), false}); render_object->SetParent(this); + render_object->DestroyEvent()->AddSpyOnlyHandler([this, render_object] { + auto iter = std::ranges::find_if( + children_, [render_object](const ChildData& data) { + return data.render_object == render_object; + }); + if (iter != children_.cend()) { + iter->render_object_destroyed = true; + } + }); InvalidateLayout(); } void RemoveChild(Index position) { Expects(position >= 0 && position < GetChildCount()); - children_[position].render_object->SetParent(nullptr); + if (!children_[position].render_object_destroyed) { + children_[position].render_object->SetParent(nullptr); + } children_.erase(children_.begin() + position); InvalidateLayout(); } void ClearChildren() { for (auto child : children_) { - child.render_object->SetParent(nullptr); + if (!child.render_object_destroyed) { + child.render_object->SetParent(nullptr); + } } children_.clear(); InvalidateLayout(); diff --git a/include/cru/ui/render/RenderObject.h b/include/cru/ui/render/RenderObject.h index 4c19ad3e..c7e534a8 100644 --- a/include/cru/ui/render/RenderObject.h +++ b/include/cru/ui/render/RenderObject.h @@ -3,6 +3,7 @@ #include "MeasureRequirement.h" +#include #include namespace cru::ui::render { @@ -62,11 +63,8 @@ struct BoxConstraint { class CRU_UI_API RenderObject : public Object { CRU_DEFINE_CLASS_LOG_TAG("RenderObject") - protected: - RenderObject() = default; - public: - ~RenderObject() override = default; + ~RenderObject() override; controls::Control* GetAttachedControl() const { return control_; } void SetAttachedControl(controls::Control* new_control); 
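Review bot: The Destroy handler added in AddChild captures `this`, but the value returned by `AddSpyOnlyHandler` is discarded and `ChildData{render_object, ChildLayoutData(), false}` leaves the new `event_guard` default-constructed. Nothing in this hunk therefore unregisters the handler when the entry is erased in RemoveChild/ClearChildren or when this LayoutRenderObject itself is destroyed. A child that outlives its parent would run the lambda against a freed parent and walk `children_`, which is the same use-after-free in the opposite direction; re-adding a removed child also appears to stack a second handler. Assuming `AddSpyOnlyHandler` returns a revoker that `EventHandlerRevokerListGuard` can hold (its API is not visible here), store it in the inserted entry's `event_guard` so that erasing the entry revokes the handler. With the guard now part of ChildData, ClearChildren should also iterate by reference, `for (auto& child : children_) {`, rather than copying each entry; AddChild begins above this hunk.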
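Review bot: The destructor is now declared out of line and the last hunk of this file adds `CRU_DEFINE_EVENT(Destroy, RenderObject*)`, but neither declaration says when the event fires or what a handler may do with the pointer. The destructor's definition is outside this diff (which is limited to include/cru/ui). If the event is raised from `~RenderObject()`, derived-class state is already gone by then, so handlers can only treat the pointer as an identity, as the lambda in LayoutRenderObject::AddChild does. I would document that next to the event declaration, e.g. `// Raised during destruction; handlers must not call virtual functions on the argument or downcast it.` This hunk also drops the protected default constructor, which makes the implicit one public unless another constructor is declared outside the hunk, so it is worth confirming that is intended.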
@@ -145,6 +143,8 @@ class CRU_UI_API RenderObject : public Object { virtual std::string GetName() const; std::string GetDebugPathInTree() const; + CRU_DEFINE_EVENT(Destroy, RenderObject*) + protected: // Size measure including margin and padding. Please reduce margin and padding // or other custom things and pass the result content measure requirement and -- cgit v1.2.3