* Fix other use-after-free bugs related to r_list_unlink

- Use r_list_delete instead of r_list_unlink in various places
    - Some operations are now a bit faster

libr/anal/fcn.c

@@ -147,14 +147,20 @@ R_API int r_anal_fcn_add(RAnal *anal, ut64 addr, ut64 size, const char *name, in
 
 R_API int r_anal_fcn_del(RAnal *anal, ut64 addr) {
 	RAnalFcn *fcni;
-	RListIter *iter;
+	RListIter it, *iter;
 	if (addr == 0) {
 		r_list_free (anal->fcns);
 		if (!(anal->fcns = r_anal_fcn_list_new ()))
 			return R_FALSE;
-	} else r_list_foreach (anal->fcns, iter, fcni)
-		if (addr >= fcni->addr && addr < fcni->addr+fcni->size)
-			r_list_unlink (anal->fcns, fcni);
+	} else {
+		r_list_foreach (anal->fcns, iter, fcni) {
+			if (addr >= fcni->addr && addr < fcni->addr+fcni->size) {
+				it.n = iter->n;
+				r_list_delete (anal->fcns, iter);
+				iter = &it;
+			}
+		}
+	}
 	return R_TRUE;
 }
 

libr/anal/ref.c

@@ -49,14 +49,20 @@ R_API int r_anal_ref_add(RAnal *anal, ut64 addr, ut64 at, int type) {
 
 R_API int r_anal_ref_del(RAnal *anal, ut64 at) {
 	RAnalRef *refi;
-	RListIter *iter;
+	RListIter it, *iter;
 	if (at == 0) {
 		r_list_free (anal->refs);
 		if (!(anal->refs = r_anal_ref_list_new ()))
 			return R_FALSE;
-	} else r_list_foreach (anal->refs, iter, refi)
-		if (at == refi->at)
-			r_list_unlink (anal->refs, refi);
+	} else {
+		r_list_foreach (anal->refs, iter, refi) {
+			if (at == refi->at) {
+				it.n = iter->n;
+				r_list_delete (anal->refs, iter); //unlink (anal->refs, refi);
+				iter = ⁢
+			}
+		}
+	}
 	return R_TRUE;
 }
 

libr/core/anal.c

@@ -242,15 +242,21 @@ R_API int r_core_anal_fcn(RCore *core, ut64 at, ut64 from, int reftype, int dept
 
 R_API int r_core_anal_fcn_clean(RCore *core, ut64 addr) {
 	RAnalFcn *fcni;
-	RListIter *iter;
+	RListIter *iter, it;
 
 	if (addr == 0) {
 		r_list_destroy (core->anal->fcns);
 		if (!(core->anal->fcns = r_anal_fcn_list_new ()))
 			return R_FALSE;
-	} else r_list_foreach (core->anal->fcns, iter, fcni)
-			if (addr >= fcni->addr && addr < fcni->addr+fcni->size)
-				r_list_unlink (core->anal->fcns, fcni);
+	} else {
+		r_list_foreach (core->anal->fcns, iter, fcni) {
+			if (addr >= fcni->addr && addr < fcni->addr+fcni->size) {
+				it.n = iter->n;
+				r_list_delete (core->anal->fcns, iter);
+				iter = &it;
+			}
+		}
+	}
 	return R_TRUE;
 }
 

libr/debug/map.c

@@ -1,4 +1,4 @@
-/* radare - LGPL - Copyright 2009-2010 pancake<nopcode.org> */
+/* radare - LGPL - Copyright 2009-2011 pancake<nopcode.org> */
 
 #include <r_debug.h>
 #include <r_list.h>

libr/flags/flags.c

@@ -141,7 +141,7 @@ R_API int r_flag_unset_i(RFlag *f, ut64 addr) {
 
 	r_list_foreach (f->flags, iter, item) {
 		if (item->offset == addr) {
-			r_list_unlink (f->flags, item);
+			r_list_delete (f->flags, iter);
 			return R_TRUE;
 		}
 	}
@@ -159,11 +159,11 @@ R_API int r_flag_unset(RFlag *f, const char *name) {
 	RListIter *iter;
 
 	if (name[0] == '*') {
-		r_list_foreach (f->flags, iter, item) {
-			r_list_unlink (f->flags, item);
-		}
+		r_list_destroy (f->flags);
 	} else {
 		item = r_flag_get (f, name);
+		// XXX: This is slow.. because get+unlink is traversing the linked list twice
+		// XXX: we must use a hashtable here
 		/* MARK: entrypoint to remove flags */
 		if (item) {
 #if USE_BTREE

libr/util/list.c

@@ -60,6 +60,7 @@ R_API void r_list_join (RList *list1, RList *list2) {
 	}
 }
 
+// XXX r_list_delete_data == r_list_unlink !!!! this is conceptually wrong
 R_API boolt r_list_delete_data (RList *list, void *ptr) {
 	void *p;
 	RListIter *iter;