[evolution] Use-after-free of a full name editor when closing a contact editor



commit 707ba2751903f08369d2c8fa7779140b49f6051b
Author: Milan Crha <mcrha redhat com>
Date:   Tue Sep 2 10:16:36 2014 +0200

    Use-after-free of a full name editor when closing a contact editor
    
    The EContactEditor added a signal handler to "editor_closed" to
    also close the full name editor, but it did not remove the signal
    handler when the full name editor was destroyed, so the callback
    was called on an already freed widget, which could cause a crash.
    
    This had been reported at:
    https://bugzilla.redhat.com/show_bug.cgi?id=1128745

 addressbook/gui/contact-editor/e-contact-editor.c |   23 ++++++++++-----------
 1 files changed, 11 insertions(+), 12 deletions(-)
---
diff --git a/addressbook/gui/contact-editor/e-contact-editor.c 
b/addressbook/gui/contact-editor/e-contact-editor.c
index 323a82b..f8021d2 100644
--- a/addressbook/gui/contact-editor/e-contact-editor.c
+++ b/addressbook/gui/contact-editor/e-contact-editor.c
@@ -3197,6 +3197,14 @@ exit:
 }
 
 static void
+full_name_editor_closed_cb (GtkWidget *widget,
+                           gpointer data)
+{
+       if (GTK_IS_WIDGET (widget))
+               gtk_widget_destroy (widget);
+}
+
+static void
 full_name_response (GtkDialog *dialog,
                     gint response,
                     EContactEditor *editor)
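Review bot: The `GTK_IS_WIDGET (widget)` test in full_name_editor_closed_cb cannot tell whether the dialog has already been freed. The type check itself reads the instance, so on a stale pointer it is part of the use-after-free rather than a guard against it. The callback is only safe because the handler is disconnected before the dialog is destroyed, and that invariant deserves a comment above the function, for example `/* Swapped handler: 'widget' is the full name dialog and must still be alive; full_name_response() disconnects this before destroying it. */`. The unused `data` argument is the emitting editor in a swapped connection, which the comment could state as well. full_name_response's body continues outside this hunk.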
@@ -3235,21 +3243,12 @@ full_name_response (GtkDialog *dialog,
                file_as_set_style (editor, style);
        }
 
+       g_signal_handlers_disconnect_by_func (editor, G_CALLBACK (full_name_editor_closed_cb), dialog);
+
        gtk_widget_destroy (GTK_WIDGET (dialog));
        editor->priv->fullname_dialog = NULL;
 }
 
-static gint
-full_name_editor_delete_event_cb (GtkWidget *widget,
-                                  GdkEvent *event,
-                                  gpointer data)
-{
-       if (GTK_IS_WIDGET (widget))
-               gtk_widget_destroy (widget);
-
-       return TRUE;
-}
-
 static void
 full_name_clicked (GtkWidget *button,
                    EContactEditor *editor)
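Review bot: The added `g_signal_handlers_disconnect_by_func` call covers only the path that goes through full_name_response. When the dialog is destroyed by full_name_editor_closed_cb instead, the handler stays connected and `editor->priv->fullname_dialog` is not reset, so both keep referring to the destroyed widget. Whether the editor can emit "editor_closed" a second time or read fullname_dialog after that point is not visible here, so this is something to confirm rather than a demonstrated defect. If it can, clearing the field and disconnecting inside the callback (the editor arrives as `data`) would close the gap. full_name_clicked begins at the end of this hunk and its body is outside it.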
@@ -3276,7 +3275,7 @@ full_name_clicked (GtkWidget *button,
        /* Close the fullname dialog if the editor is closed */
        g_signal_connect_swapped (
                editor, "editor_closed",
-               G_CALLBACK (full_name_editor_delete_event_cb), dialog);
+               G_CALLBACK (full_name_editor_closed_cb), dialog);
 
        gtk_widget_show (GTK_WIDGET (dialog));
        editor->priv->fullname_dialog = GTK_WIDGET (dialog);
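Review bot: The connection in full_name_clicked still passes `dialog` as raw user data, so its validity depends on every destroy path remembering to disconnect by hand. Binding the handler's lifetime to the dialog removes that dependency: `g_signal_connect_object (editor, "editor_closed", G_CALLBACK (full_name_editor_closed_cb), dialog, G_CONNECT_SWAPPED);` is dropped automatically when the dialog is finalized. The explicit disconnect in full_name_response can stay as a belt-and-braces step. The start of full_name_clicked is outside this hunk, so how `dialog` is created and whether other references keep it alive after gtk_widget_destroy() could not be checked.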

