From: Mohammed Sadiq
Date: Mon, 26 Jun 2023 02:35:52 +0000 (+0530)
Subject: gldriver: Fix a possible use-after-free
X-Git-Tag: archive/raspbian/4.12.3+ds-1+rpi1~1^2^2^2~22^2~1^2~91^2
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=64e27cd87dbedf944eba3aaec2326ae80c1ef027;p=gtk4.git

gldriver: Fix a possible use-after-free

g_hash_table_insert() frees the given key if it already exists in the hashtable. But since we use the same pointer in the following line, it will result in use-after-free. So instead, insert the key only if it doesn't exist.
---
diff --git a/gsk/gl/gskgldriver.c b/gsk/gl/gskgldriver.c
index cc27a89ef6..225cae6920 100644
--- a/gsk/gl/gskgldriver.c
+++ b/gsk/gl/gskgldriver.c
@@ -686,17 +686,21 @@ gsk_gl_driver_cache_texture (GskGLDriver *self,
 const GskTextureKey *key,
 guint texture_id)
 {
- GskTextureKey *k;
-
 g_assert (GSK_IS_GL_DRIVER (self));
 g_assert (key != NULL);
 g_assert (texture_id > 0);
 g_assert (g_hash_table_contains (self->textures, GUINT_TO_POINTER (texture_id)));

- k = g_memdup (key, sizeof *key);
+ if (!g_hash_table_contains (self->key_to_texture_id, key))
+ {
+ GskTextureKey *k;
+
+ k = g_memdup (key, sizeof *key);

- g_hash_table_insert (self->key_to_texture_id, k, GUINT_TO_POINTER (texture_id));
- g_hash_table_insert (self->texture_id_to_key, GUINT_TO_POINTER (texture_id), k);
+ g_assert (!g_hash_table_contains (self->texture_id_to_key, GUINT_TO_POINTER (texture_id)));
+ g_hash_table_insert (self->key_to_texture_id, k, GUINT_TO_POINTER (texture_id));
+ g_hash_table_insert (self->texture_id_to_key, GUINT_TO_POINTER (texture_id), k);
+ }
 }

 /**
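Review bot: When `key` is already present in `key_to_texture_id`, the new `if` block is skipped and the function returns without recording `texture_id` or signalling the caller, so the cache keeps pointing at the earlier texture id. Whether that is the intended contract is not visible here and deserves a comment above the `if`, e.g. `/* An existing entry for key is kept; texture_id is not cached in that case. */`. The reverse-map invariant is enforced only by `g_assert (!g_hash_table_contains (self->texture_id_to_key, ...))`, which compiles out under `G_DISABLE_ASSERT`; in such a build a second insert for the same `texture_id` would replace the stored key pointer while the older key stays in `key_to_texture_id`, presumably leaving a stale entry once the texture is released (the release path is outside the hunk). Separately, `g_memdup` is deprecated since GLib 2.68; the size here is a compile-time constant, so this is not an overflow risk, but `k = g_memdup2 (key, sizeof *key);` avoids the deprecated call if the project's minimum GLib allows it. The first line of the function's signature appears only in the hunk header.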