From 0b5fd0d84e928942db90255dd40ba48acbe9a41c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juhani=20Krekel=C3=A4?= Date: Wed, 29 Mar 2023 13:24:28 +0300 Subject: [PATCH] Deallocate program memory only at end of event dispatch Previously programs deallocated their memory before forwarding a message. If the forwarded message made another program allocate, this could cause the program code to be overwritten while it is still running. --- hello.asm | 15 +++++++++++---- memory.asm | 15 +++++++++++---- 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/hello.asm b/hello.asm index 4791198..b7965b0 100644 --- a/hello.asm +++ b/hello.asm @@ -91,6 +91,14 @@ process_event: .not_open_file: .end: + cmp byte [exiting], 0 + je .not_exiting + ; Once we have deallocated our own memory, we may not call any + ; external functions that might allocate. Safest place to do the + ; deallocation is just before returning control to our caller + call deallocate_own_memory + .not_exiting: + pop es pop ds pop bp @@ -289,10 +297,7 @@ event_click: jne .not_close .close: call unhook_self_from_window_chain - ; Nothing can call into us again after we unhook - ; the window, so deallocate the memory we have - ; reserved - call deallocate_own_memory + mov byte [exiting], 1 ; We don't need to call request_redraw here, since ; it will be called unconditionally above jmp .title_bar_end @@ -672,6 +677,8 @@ request_redraw: ; Variables ; ------------------------------------------------------------------ +exiting db 0 + window_title db 'Hello' .end: WINDOW_TITLE_LEN equ window_title.end - window_title diff --git a/memory.asm b/memory.asm index 1e17979..3d03605 100644 --- a/memory.asm +++ b/memory.asm 
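Review bot: The exit check added at `.end:` in `process_event` frees the program the first time any invocation sees `exiting` set, which is only safe if no outer `process_event` invocation is still on the stack at that moment. If a forwarded event can ever come back to this program before the outer call returns (the hunk does not show whether it can), the inner invocation would deallocate while the outer one may still call out and cause an allocation, which is the overwrite this commit sets out to prevent. The added comment should state that assumption, for example `; Assumes this is the outermost process_event invocation; a nested one would free memory outer frames still run from`. The body of `process_event` starts and ends outside the hunk, and the same applies to the first hunk of memory.asm.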
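Review bot: `mov byte [exiting], 1` under `.close` has no comment, while the comment it replaces explained why memory could be released at that point; a reader now has to find the check in `process_event` to learn what the flag is for. I would put `; Defer deallocate_own_memory to the end of process_event: freeing here lets a later allocation overwrite our running code` above the store. The `exiting db 0` line in the Variables hunk could carry a matching one-line comment saying that, as far as this diff shows, the flag is set once and never cleared. The same applies to the matching hunks in memory.asm; the body of `event_click` starts and ends outside the hunk.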
@@ -79,6 +79,14 @@ process_event: .not_open_file: .end: + cmp byte [exiting], 0 + je .not_exiting + ; Once we have deallocated our own memory, we may not call any + ; external functions that might allocate. Safest place to do the + ; deallocation is just before returning control to our caller + call deallocate_own_memory + .not_exiting: + pop es pop ds pop bp @@ -273,10 +281,7 @@ event_click: jne .not_close .close: call unhook_self_from_window_chain - ; Nothing can call into us again after we unhook - ; the window, so deallocate the memory we have - ; reserved - call deallocate_own_memory + mov byte [exiting], 1 ; We don't need to call request_redraw here, since ; it will be called unconditionally above jmp .title_bar_end @@ -554,6 +559,8 @@ request_redraw: ; Variables ; ------------------------------------------------------------------ +exiting db 0 + window_next dw 0xffff window_x dw 65 window_y dw 3
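Review bot: The lines added at `.end:` here are the same as those added to hello.asm, so the rule about when a program may free itself now lives in two copies that have to be kept in step by hand. If the programs already share an include file (not visible in this diff), a macro holding the `cmp`/`je`/`call deallocate_own_memory` sequence would keep the ordering in one place. Otherwise a short comment in each copy naming the other file would at least flag the duplication to whoever changes the teardown next.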