Steps to reproduce:
In a GTK+ application that enables extension input events, GDK_2BUTTON_PRESS events from input extension devices are received with an invalid "axes" field (non-null, points into g_free'd memory). If an application modifies the axes field of the event structure as part of its input event processing, this leads to memory corruption and eventual crash.
 
Such a situation occurs e.g. with GTK+ 2.11.6 and Xournal 0.4 (not sure why earlier versions of GTK+ don't exhibit the same problem). See http://sourceforge.net/tracker/index.php?func=detail&aid=1780877&group_id=163434&atid=827733
for details.

The relevant point is that, when a GDK_2BUTTON_PRESS event is generated for an XInput device, its axes member points to an invalid memory location because gdk_synthesize_click() enqueues a GDK_2BUTTON_PRESS "clone" of the GDK_BUTTON_PRESS event (by calling gdk_display_put_event(), which in turns calls gdk_event_copy()); but gdk_event_copy() duplicates the "axes" field only for GDK_BUTTON_PRESS, not for GDK_2BUTTON_PRESS. The enqueued GDK_2BUTTON_PRESS event therefore references a memory location that will be freed once processing of the original GDK_BUTTON_PRESS event is complete.


Stack trace:
Stack trace is more confusing than helpful due to complicated interplay between GDK, guest application's event processing loop, and GLib memory allocation.
See above for specific discussion of the bug.

Other information:
This is related to bug #65877 (GTK+ 1.x).