GNOME Bugzilla – Bug 781716
Possible use-after-free and missing NULL-checks before g_object_unref()
Last modified: 2017-05-08 23:22:45 UTC
Created attachment 350395 [details] [review] proposed patch With at-spi2-atk-2.22.0-1, it can possibly cause use-after-free issues in the code. It seems that not all code expects atk_object_ref_accessible_child() returning NULL, neither that it can return an object with only one reference, thus the following unref in the code can cause use-after-free eventually. At least the chunk in impl_GetChildAtIndex() avoids runtime warning about invalid object being passed to g_object_unref(), which happened, in this case, when evolution returned NULL. Evolution returns objects with one reference only often, which tries to address the other chunks here.
Review of attachment 350395 [details] [review]: ::: at-spi2-atk-2.22.0/atk-adaptor/adaptors/collection-adaptor.c.invalid-write @@ +496,3 @@ + if (!child) + break; shouldn't this be continue; ?
I do not know. It seemed to me that the cycle doesn't make much sense after one child being missing, but I do not know the code, thus cannot tell for sure. If you think there should be rather 'continue', then I believe you.
Thanks for the patch. pushed to master: 8d3cc6 pushed to gnome-3-24: 66dd82 I changed the break to a continue, although in theory it shouldn't make any difference, since I'd consider it a bug if an atk implementation returns NULL for a child with an index that's less than the reported number of children.