GNOME Bugzilla – Bug 651068
[PATCH] fix crash during incremental search
Last modified: 2011-05-31 21:20:15 UTC
I've been getting this for a while and after running valgrind on gedit it pointed to a double-free in init_search_entry(), at gedit-view-frame.c:1248 in gedit 3.0.2. Looks like there's one case where frame->priv->old_search_text might get re-assigned, but I can't find out where it gets NULLed out when it's not re-assigned. Thus it could get re-used later on.
Created attachment 188597: prevent use-after-free during incremental search
Bug 651036 might be a dupe.
Review of attachment 188597 [details] [review]: Thanks for pointing this out. See the comment and feel free to push it. ::: gedit-3.0.2/gedit/gedit-view-frame.c.foo @@ +1248,2 @@ g_free (frame->priv->old_search_text); + frame->priv->old_search_text = NULL; yeah, my fault, see that we assign the new value in an if. So let's move the free to the point where we are assigning it. else if (old_find_text != NULL) { g_free (frame->priv->old_search_text); .... }
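Review bot: The added `frame->priv->old_search_text = NULL;` after `g_free (frame->priv->old_search_text);` does stop the second free, but the `g_free` still runs on every call while the new value is only assigned inside a later `if`, so on the branch that assigns nothing the previous search text is discarded and the field is left NULL rather than kept. Moving the `g_free` into the branch that assigns the replacement, as suggested below the hunk (`else if (old_find_text != NULL) { g_free (frame->priv->old_search_text); ... }`), puts release and reassignment in one place and removes the window in which the pointer is stale at all.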
Created attachment 188598: prevent use-after-free during incremental search
Ok, I'll make that change and push, thanks.
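The following is an added example, not gedit's code or either attachment, that reproduces the ownership pattern behind this bug in plain C (no GLib): a frame owns one heap string, the buggy update frees it on every call but replaces it on only one branch, and the next call frees the stale pointer again. It also shows both fixes discussed above, clearing the pointer after the free (attachment 188597) and freeing only where the new value is assigned (the review suggestion). The `Frame`, `update_*` and `count_double_frees` names and the pointer tracker that reports a second free instead of crashing are all assumptions made for the example; a real `free()` of the same pointer twice is undefined behaviour, which is what valgrind flagged in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not gedit's code): stand-in for the gedit-view-frame
 * ownership pattern. old_search_text is owned by the frame and may be NULL. */
typedef struct {
    char *old_search_text;
} Frame;

/* Freed pointers are kept (not returned to the allocator) until
 * release_tracked(), so an address cannot be reused and hide a second free. */
#define MAX_TRACKED 64
static void *tracked[MAX_TRACKED];
static int tracked_count = 0;
static int double_free_count = 0;

static void tracked_free(void *p)
{
    if (p == NULL)
        return;                      /* freeing NULL is a no-op, like g_free */
    for (int i = 0; i < tracked_count; i++) {
        if (tracked[i] == p) {
            double_free_count++;     /* a real free() here would be undefined behaviour */
            return;
        }
    }
    if (tracked_count < MAX_TRACKED)
        tracked[tracked_count++] = p;
}

static void release_tracked(void)
{
    for (int i = 0; i < tracked_count; i++)
        free(tracked[i]);
    tracked_count = 0;
    double_free_count = 0;
}

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, s, n);
    return copy;
}

/* Buggy: unconditional free, conditional assignment. When old_find_text is
 * NULL the frame keeps pointing at memory that has already been freed. */
static void update_buggy(Frame *frame, const char *old_find_text)
{
    tracked_free(frame->old_search_text);
    if (old_find_text != NULL)
        frame->old_search_text = dup_string(old_find_text);
}

/* Fix as in attachment 188597: NULL the pointer right after freeing it. */
static void update_free_then_null(Frame *frame, const char *old_find_text)
{
    tracked_free(frame->old_search_text);
    frame->old_search_text = NULL;
    if (old_find_text != NULL)
        frame->old_search_text = dup_string(old_find_text);
}

/* Fix as suggested in the review: free only where the value is reassigned,
 * so release and new ownership sit in the same branch. */
static void update_free_at_assign(Frame *frame, const char *old_find_text)
{
    if (old_find_text != NULL) {
        tracked_free(frame->old_search_text);
        frame->old_search_text = dup_string(old_find_text);
    }
}

/* Drives one variant through the sequence that exposes the bug: a search
 * with previous text, one without, then another with text. Returns the
 * number of double frees the tracker observed. */
static int count_double_frees(void (*update)(Frame *, const char *))
{
    Frame frame = { NULL };
    release_tracked();               /* start from a clean tracker */
    update(&frame, "first");         /* allocates the first string */
    update(&frame, NULL);            /* buggy variant frees but keeps the pointer */
    update(&frame, "second");        /* buggy variant frees that pointer again */
    int result = double_free_count;
    tracked_free(frame.old_search_text);
    release_tracked();
    return result;
}

int main(void)
{
    printf("buggy:          %d double free(s)\n", count_double_frees(update_buggy));
    printf("free then NULL: %d double free(s)\n", count_double_frees(update_free_then_null));
    printf("free at assign: %d double free(s)\n", count_double_frees(update_free_at_assign));
    return 0;
}
```

Both fixes report zero double frees, but they differ in what the frame holds afterwards: the free-then-NULL variant drops the previous search text on the branch that assigns nothing, whereas freeing at the point of assignment keeps it until there is a replacement, which is why the review preferred the latter.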
f8508ca201e7d16fa5e18a6130f456fdd3fc0c99
*** Bug 651036 has been marked as a duplicate of this bug. ***
*** Bug 651578 has been marked as a duplicate of this bug. ***