Bug 726492 – Possible crash when setting titlebar

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 726492 - Possible crash when setting titlebar


Summary:	Possible crash when setting titlebar


Status:	RESOLVED FIXED

Product:	gtk+
Classification:	Platform
Component:	Widget: Other
Version:	3.11.x
Hardware:	Other All

Importance:	Normal blocker
Target Milestone:	---
Assigned To:	gtk-bugs
QA Contact:	gtk-bugs

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2014-03-17 07:59 UTC by Bastien Nocera
Modified:	2014-03-17 14:34 UTC

See Also:
GNOME target:	3.12
GNOME version:	---

Attachments
test.c (403 bytes, text/plain) 2014-03-17 07:59 UTC, Bastien Nocera		Details
dialog: Avoid possible use-after-free (1.08 KB, patch) 2014-03-17 08:29 UTC, Bastien Nocera	committed	Details \| Review

Description Bastien Nocera 2014-03-17 07:59:03 UTC

Created attachment 272119 [details]
test.c

valgrind output of the test application

==13626== Invalid read of size 8
==13626==    at 0x6290000: g_type_check_instance_cast (gtype.c:3997)
==13626==    by 0x4F77326: update_title (gtkdialog.c:282)
==13626==    by 0x626D477: g_closure_invoke (gclosure.c:768)
==13626==    by 0x627F83C: signal_emit_unlocked_R (gsignal.c:3551)
==13626==    by 0x62877E2: g_signal_emit_valist (gsignal.c:3307)
==13626==    by 0x6287A21: g_signal_emit (gsignal.c:3363)
==13626==    by 0x6271824: g_object_dispatch_properties_changed (gobject.c:1053)
==13626==    by 0x6273FDA: g_object_notify (gobject.c:1147)
==13626==    by 0x515CDA6: gtk_window_set_titlebar (gtkwindow.c:3666)
==13626==    by 0x400A15: main (in /tmp/test)
==13626==  Address 0x130b0440 is 320 bytes inside a block of size 376 free'd
==13626==    at 0x4C28C47: free (vg_replace_malloc.c:469)
==13626==    by 0x64FD43E: g_free (gmem.c:190)
==13626==    by 0x65134A8: g_slice_free1 (gslice.c:1112)
==13626==    by 0x628EE13: g_type_free_instance (gtype.c:1932)
==13626==    by 0x4F09894: gtk_box_forall (gtkbox.c:2545)
==13626==    by 0x4F541F0: gtk_container_destroy (gtkcontainer.c:1410)
==13626==    by 0x626D477: g_closure_invoke (gclosure.c:768)
==13626==    by 0x627FBD3: signal_emit_unlocked_R (gsignal.c:3667)
==13626==    by 0x62877E2: g_signal_emit_valist (gsignal.c:3307)
==13626==    by 0x6287A21: g_signal_emit (gsignal.c:3363)
==13626==    by 0x514D747: gtk_widget_dispose (gtkwidget.c:11348)
==13626==    by 0x6271DB7: g_object_unref (gobject.c:3075)
==13626==    by 0x5151E91: gtk_widget_unparent (gtkwidget.c:4297)
==13626==    by 0x5155854: unset_titlebar (gtkwindow.c:3593)
==13626==    by 0x515CCC2: gtk_window_set_titlebar (gtkwindow.c:3707)
==13626==    by 0x400A15: main (in /tmp/test)

Comment 1 Bastien Nocera 2014-03-17 08:29:16 UTC

Created attachment 272120 [details] [review]
dialog: Avoid possible use-after-free

When the dialogue's titlebar was replaced, we were still trying to
update the label we constructed but that was now destroyed.

Comment 2 Matthias Clasen 2014-03-17 13:25:58 UTC

Review of attachment 272120 [details] [review]:

ok

Comment 3 Bastien Nocera 2014-03-17 14:34:06 UTC

Attachment 272120 [details] pushed as 20c764f - dialog: Avoid possible use-after-free