liststore: Fix gtk_list_store_iter_is_valid()

The iter may be invalid, so we may not read from it.

testsuite/gtk/treemodel tests this and valgrind is shouting about it,
but it never crashed until I just ran it...

This bug is from 2004 and the test is from 2007. I guess invalid memory
accesses don't get caught by CI much.

diff --git a/gtk/gtkliststore.c b/gtk/gtkliststore.c
index e4c50e6aae1f5055b4e2ee86f1eddba96cb85127..7fac96ad727b96e36bb20c4000cf2aee11aef260 100644 (file)
--- a/gtk/gtkliststore.c
+++ b/gtk/gtkliststore.c
@@ -1454,10 +1454,34 @@ gboolean
 gtk_list_store_iter_is_valid (GtkListStore *list_store,
                               GtkTreeIter  *iter)
 {
+  GtkListStorePrivate *priv;
+  GSequenceIter *seq_iter;
+
   g_return_val_if_fail (GTK_IS_LIST_STORE (list_store), FALSE);
   g_return_val_if_fail (iter != NULL, FALSE);
 
-  return iter_is_valid (iter, list_store);
+  /* can't use iter_is_valid() here, because iter might point
+   * to random memory.
+   *
+   * We MUST NOT dereference it.
+   */
+
+  priv = list_store->priv;
+
+  if (iter == NULL ||
+      iter->user_data == NULL ||
+      priv->stamp != iter->stamp)
+    return FALSE;
+
+  for (seq_iter = g_sequence_get_begin_iter (priv->seq);
+       !g_sequence_iter_is_end (seq_iter);
+       seq_iter = g_sequence_iter_next (seq_iter))
+    {
+      if (seq_iter == iter->user_data)
+        return TRUE;
+    }
+
+  return FALSE;
 }
 
 static gboolean real_gtk_list_store_row_draggable (GtkTreeDragSource *drag_source,