GNOME Bugzilla – Bug 768078
window_remove_filters() removes references it does not own, leading to UaF
Last modified: 2018-04-15 00:30:34 UTC
For https://bugzilla.gnome.org/show_bug.cgi?id=635380 removal of filter list links was tied to the lifetime of the filter, but the patch missed the removal of the entire list of filters on window destruction in window_remove_filters(), which was reported as https://bugzilla.gnome.org/show_bug.cgi?id=637464. However, the replacement for window_remove_filters() added in bug 637464 keeps calling _gdk_event_filter_unref() as long as window->filters remains, removing references that the window does not own, including those owned by gdk_event_apply_filters().

https://git.gnome.org/browse/gtk+/tree/gdk/gdkwindow.c?h=3.20.6#n1882

Originally reported in https://bugzilla.mozilla.org/show_bug.cgi?id=1282281
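The following is an added C model of the reference-counting shape the report describes, not GTK's code; names such as filter_unref, remove_filters_buggy, remove_filters_fixed, apply_filters and run_scenario are hypothetical. It assumes, as bug 635380 describes, that a filter is unlinked from the window's list only when its last reference goes away, and it replaces free() with a flag so the dangling use can be detected without undefined behaviour.

```c
/* Hypothetical model, not gdkwindow.c: a refcounted filter that is unlinked
 * from the window's list only when its refcount reaches zero. */
typedef struct Filter {
    int refcount;
    int removed;   /* window has already dropped its own reference */
    int freed;     /* stands in for free() so a dangling use is detectable */
    struct Filter *next;
} Filter;
typedef struct { Filter *filters; } Window;

static void filter_unref(Window *w, Filter *f) {
    if (--f->refcount > 0) return;
    /* last reference: unlink from the window's list, then "free" */
    for (Filter **pp = &w->filters; *pp; pp = &(*pp)->next)
        if (*pp == f) { *pp = f->next; break; }
    f->freed = 1;
}
/* Buggy shape from the report: unref until the list is empty, which also
 * drops references the window does not own. */
static void remove_filters_buggy(Window *w) {
    while (w->filters)
        filter_unref(w, w->filters);
}
/* Fixed shape: drop only the one reference the window itself owns. */
static void remove_filters_fixed(Window *w) {
    for (Filter *f = w->filters, *next; f; f = next) {
        next = f->next;
        if (!f->removed) { f->removed = 1; filter_unref(w, f); }
    }
}
/* Models gdk_event_apply_filters: hold a reference on the filter being run,
 * call a callback that tears the window down, then release the reference.
 * Returns 1 if the filter was freed underneath us (the use-after-free). */
static int apply_filters(Window *w, void (*teardown)(Window *)) {
    Filter *f = w->filters;
    f->refcount++;
    teardown(w);
    int dangling = f->freed;
    if (!dangling) filter_unref(w, f);
    return dangling;
}
/* Constructed scenario: a window owning two filters (one reference each),
 * torn down from inside the filter dispatch with the chosen routine. */
static int run_scenario(int use_fixed) {
    Filter a = {1, 0, 0, 0}, b = {1, 0, 0, 0};
    a.next = &b;
    Window w = { &a };
    return apply_filters(&w, use_fixed ? remove_filters_fixed
                                       : remove_filters_buggy);
}
```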
We're moving to gitlab! As part of this move, we are moving bugs to NEEDINFO if they haven't seen activity in more than a year. If this issue is still important to you and still relevant with GTK+ 3.22 or master, please reopen it and we will migrate it to gitlab.
As announced a while ago, we are migrating to gitlab, and bugs that haven't seen activity in the last year or so will not be migrated, but closed out in bugzilla. If this bug is still relevant to you, you can open a new issue describing the symptoms and how to reproduce it with gtk 3.22.x or master in gitlab: https://gitlab.gnome.org/GNOME/gtk/issues/new