After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 778258 - RequestAsyncData use after free
RequestAsyncData use after free
Status: RESOLVED FIXED
Product: yelp
Classification: Applications
Component: Crashers
unspecified
Other Linux
: Normal normal
: ---
Assigned To: Yelp maintainers
Yelp maintainers
Depends on:
Blocks:
 
 
Reported: 2017-02-06 23:57 UTC by Christian Hergert
Modified: 2017-02-08 19:02 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
document: add destroy notify to page callback (17.87 KB, patch)
2017-02-08 02:57 UTC, Christian Hergert 		committed Details | Review

Description Christian Hergert 2017-02-06 23:57:34 UTC 
libyelp/yelp-view.c is requesting data form the YelpDocument. The document_callback is being executed with an RequestAsyncData user_data after that structure has been freed.

This seems to be causing crashes when editing a file that is being viewed in Yelp.
Comment 1 Christian Hergert 2017-02-08 02:11:29 UTC 
I did some bisecting and this seems to have been broken ever since the WebKit2 port.
Comment 2 Christian Hergert 2017-02-08 02:57:51 UTC 
Created attachment 345163 [details] [review]
document: add destroy notify to page callback

This ensures that we only free the async data struct when the document is
guaranteed to be done calling our callback. Without this, we risk
potentially accessing the async request data after we have freed it
when a mallard document reloads.
Comment 3 Christian Hergert 2017-02-08 02:58:41 UTC 
The patch won't fully fix crashes, (as bug 778263 is also related), but it does solve the issue with async request data being freed prematurely.
Comment 4 David King 2017-02-08 08:25:43 UTC 
Review of attachment 345163 [details] [review]:

Looks good, thanks!
Comment 5 Christian Hergert 2017-02-08 19:02:32 UTC 
Attachment 345163 [details] pushed as 7d8ee5a - document: add destroy notify to page callback