[gtk/wip/otte/for-master: 5/11] liststore: Fix gtk_list_store_iter_is_valid()



commit e37729756de14b4681a18f219fc8f383bfbd8a05
Author: Benjamin Otte <otte redhat com>
Date:   Fri Mar 6 05:03:45 2020 +0100

    liststore: Fix gtk_list_store_iter_is_valid()
    
    The iter may be invalid, so we may not read from it.
    
    testsuite/gtk/treemodel tests this and valgrind is shouting about it,
    but it never crashed until I just ran it...
    
    This bug is from 2004 and the test is from 2007. I guess invalid memory
    accesses don't get caught by CI much.

 gtk/gtkliststore.c | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
---
diff --git a/gtk/gtkliststore.c b/gtk/gtkliststore.c
index 8b582fd526..8c488fabed 100644
--- a/gtk/gtkliststore.c
+++ b/gtk/gtkliststore.c
@@ -1448,10 +1448,34 @@ gboolean
 gtk_list_store_iter_is_valid (GtkListStore *list_store,
                               GtkTreeIter  *iter)
 {
+  GtkListStorePrivate *priv;
+  GSequenceIter *seq_iter;
+
   g_return_val_if_fail (GTK_IS_LIST_STORE (list_store), FALSE);
   g_return_val_if_fail (iter != NULL, FALSE);
 
-  return iter_is_valid (iter, list_store);
+  /* can't use iter_is_valid() here, because iter might point
+   * to random memory.
+   *
+   * We MUST NOT dereference it.
+   */
+
+  priv = list_store->priv;
+
+  if (iter == NULL ||
+      iter->user_data == NULL ||
+      priv->stamp != iter->stamp)
+    return FALSE;
+
+  for (seq_iter = g_sequence_get_begin_iter (priv->seq);
+       !g_sequence_iter_is_end (seq_iter);
+       seq_iter = g_sequence_iter_next (seq_iter))
+    {
+      if (seq_iter == iter->user_data)
+        return TRUE;
+    }
+
+  return FALSE;
 }
 
 static gboolean real_gtk_list_store_row_draggable (GtkTreeDragSource *drag_source,
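Review bot: The new comment says "We MUST NOT dereference it", yet the code reads `iter->user_data` and `iter->stamp` a few lines later; what must not be dereferenced is `iter->user_data` (a possibly stale GSequenceIter), not `iter` itself, which the `g_return_val_if_fail (iter != NULL, FALSE)` above already guarantees. Suggest rewording it to `/* iter->user_data may be a dangling GSequenceIter: compare it by address only, never dereference it. */` and dropping the redundant `iter == NULL ||` clause from the condition, since the precondition check already returns FALSE for that case. The linear walk over `priv->seq` is the price of not trusting `user_data`; a one-line comment such as `/* O(n) on purpose: membership is checked by address, not by reading the iter */` would keep the next reader from "optimising" it back into the dereferencing path.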

