GNOME Bugzilla – Bug 746269
Segfault in gtk_tree_view_move_cursor_page_up_down
Last modified: 2015-03-16 16:42:43 UTC
Segfault occurs in gtk_tree_view_move_cursor_page_up_down, specifically at line 9840 (see the code snippet below, from gtk+-2.24.27/gtk/gtktreeview.c):

    9836   tree_view->priv->cursor_offset =
    9837     _gtk_rbtree_find_offset (tree_view->priv->tree, y,
    9838                              &cursor_tree, &cursor_node);
    9839
    9840   if (tree_view->priv->cursor_offset > BACKGROUND_HEIGHT (cursor_node))

cursor_node might be NULL upon the return of _gtk_rbtree_find_offset. _gtk_rbtree_find_offset yields a NULL cursor_node when y is larger than tree_view->priv->tree->root->offset (or when y is less than 0, which is not the case in this segfault). Imagine a GtkTreeView is busy populating hundreds of rows; the heights of the rows are set to ZERO initially. In the normal case the row heights would be set to a reasonable value in validate_row (in gtktreeview.c) later (in the idle loop?). But what would happen if the user presses Page Up/Down at the very moment before validate_row is called?
Created attachment 299486 [details] [review] A quick simple patch

A quick patch that simply verifies whether cursor_tree or cursor_node is NULL and returns if either of them is NULL. In that case, it looks like the Page Up/Down keystroke is simply ignored.
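The failure mode above, modelled as an added example that is not GTK code or the attached patch: a constructed stand-in for _gtk_rbtree_find_offset over a flat row array (Row, find_offset, page_move and the sample row arrays are all assumptions) shows the lookup returning a NULL node while rows still have height zero, and the NULL check that makes the keystroke a no-op instead of a crash.

```c
#include <stddef.h>

/* Constructed stand-in for a GtkRBNode: only the row height matters here. */
typedef struct { int height; } Row;

/* Simplified stand-in for _gtk_rbtree_find_offset(): finds the row that
 * contains vertical position y. Like the GTK function it returns the offset
 * of y inside that row, and it sets *node to NULL when y < 0 or y lies beyond
 * the total height of all rows, which is the case the bug report describes. */
static int find_offset(const Row *rows, size_t n, int y, const Row **node)
{
    int top = 0;
    *node = NULL;
    if (y < 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (y < top + rows[i].height) {
            *node = &rows[i];
            return y - top;
        }
        top += rows[i].height;
    }
    return 0; /* y past the last row: no node, caller must check for NULL */
}

/* Page Up/Down step with the check the attached patch adds. Returns the
 * index of the row the cursor lands on, or -1 when the lookup yields no
 * node and the keystroke is ignored instead of dereferencing NULL. */
static int page_move(const Row *rows, size_t n, int y)
{
    const Row *node;
    int cursor_offset = find_offset(rows, n, y, &node);
    if (node == NULL)
        return -1; /* the guard: without it the next line would crash */
    /* This mirrors line 9840: comparing cursor_offset against the node's
     * height is only safe once node is known to be non-NULL. */
    (void)cursor_offset;
    return (int)(node - rows);
}

/* Rows still being populated: heights stay zero until validate_row runs. */
static const Row unvalidated[] = { {0}, {0}, {0}, {0} };
/* Rows after validation: 20 pixels each (constructed sample values). */
static const Row validated[]   = { {20}, {20}, {20}, {20} };

int move_on_unvalidated_rows(void) { return page_move(unvalidated, 4, 10); }
int move_on_validated_rows(void)   { return page_move(validated, 4, 45); }
int move_past_end(void)            { return page_move(validated, 4, 500); }
```

With all heights still zero, any y reaches past the last row and the lookup returns no node, so the guarded move reports the keystroke as ignored; once the rows are validated the same lookup lands on row 2 for y = 45.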