projects / gtk4.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 341efe9)
Avoid a heap-use-after-free
authorMatthias Clasen <mclasen@redhat.com>
Fri, 22 Jan 2021 16:37:20 +0000 (11:37 -0500)
committerMatthias Clasen <mclasen@redhat.com>
Fri, 22 Jan 2021 16:39:04 +0000 (11:39 -0500)
_gtk_gesture_cancel_sequence frees the struct pointed to by data,
so don't write to it afterwards. Found by asan.

gtk/gtkgesture.c patch | blob | history

diff --git a/gtk/gtkgesture.c b/gtk/gtkgesture.c
index 802309c43d735e27645ea2d7bda6925add4b07f7..130c4265cf67db00eec18eeb000bb4acfd480548 100644 (file)
--- a/gtk/gtkgesture.c
+++ b/gtk/gtkgesture.c
@@ -991,6 +991,7 @@ gtk_gesture_set_sequence_state (GtkGesture            *gesture,
 {
   GtkGesturePrivate *priv;
   PointData *data;
+  GtkEventSequenceState current_state;
 
   g_return_val_if_fail (GTK_IS_GESTURE (gesture), FALSE);
   g_return_val_if_fail (state >= GTK_EVENT_SEQUENCE_NONE &&
@@ -1014,11 +1015,13 @@ gtk_gesture_set_sequence_state (GtkGesture            *gesture,
       data->state != GTK_EVENT_SEQUENCE_NONE)
     return FALSE;
 
+  current_state = data->state;
+  data->state = state;
+
   if (state == GTK_EVENT_SEQUENCE_DENIED &&
-      data->state == GTK_EVENT_SEQUENCE_CLAIMED)
+      current_state == GTK_EVENT_SEQUENCE_CLAIMED)
     _gtk_gesture_cancel_sequence (gesture, sequence);
 
-  data->state = state;
   gtk_widget_cancel_event_sequence (gtk_event_controller_get_widget (GTK_EVENT_CONTROLLER (gesture)),
                                     gesture, sequence, state);
   g_signal_emit (gesture, signals[SEQUENCE_STATE_CHANGED], 0,
Unnamed repository; edit this file 'description' to name the repository.