nitpicker: fix destroy with invalid handle

This patch reworks the 'Session_component::destroy' to cope become
robust against a client-provided invalid view handle. The code did not
consider that 'Handle_registry::has_handle' may throw.

Thanks to Alexander Boettcher for reporting and the initial fix.

Fixes #3232

repos/os/src/server/nitpicker/session_component.cc

@@ -345,16 +345,22 @@ void Session_component::destroy_view(View_handle handle)
 	 */
 	for (Session_view_list_elem *v = _view_list.first(); v; v = v->next()) {
 
-		try {
-			View_component &view = *static_cast<View_component *>(v);
-			if (_view_handle_registry.has_handle(view, handle)) {
-				_destroy_view(view);
-				break;
-			}
-		} catch (View_handle_registry::Lookup_failed) { }
-	}
+		auto handle_matches = [&] (View_component const &view)
+		{
+			try { return _view_handle_registry.has_handle(view, handle); }
 
-	_view_handle_registry.free(handle);
+			/* 'Handle_registry::has_handle' may throw */
+			catch (...) { return false; };
+		};
+
+		View_component &view = *static_cast<View_component *>(v);
+
+		if (handle_matches(view)) {
+			_destroy_view(view);
+			_view_handle_registry.free(handle);
+			break;
+		}
+	}
 }
 
 

repos/os/src/test/nitpicker/test.cc

@@ -161,6 +161,14 @@ void Component::construct(Genode::Env &env)
 		return;
 	}
 
+	/* bad-case test */
+	{
+		/* issue #3232 */
+		Nitpicker::Session::View_handle handle { nitpicker.create_view() };
+		nitpicker.destroy_view(handle);
+		nitpicker.destroy_view(handle);
+	}
+
 	Genode::Attached_dataspace fb_ds(
 		env.rm(), nitpicker.framebuffer()->dataspace());
 
@@ -169,7 +177,7 @@ void Component::construct(Genode::Env &env)
 	unsigned char *input_mask = CONFIG_ALPHA ? alpha + scr_w*scr_h : 0;
 
 	/*
-	 * Paint some crap into pixel buffer, fill alpha channel and input-mask buffer
+	 * Paint into pixel buffer, fill alpha channel and input-mask buffer
 	 *
 	 * Input should refer to the view if the alpha value is more than 50%.
 	 */