GNOME.org
 

[libadwaita/wip/adw-carousel-crash] adw-carousel: Fix a possible use-after-free under animate_child_resize()


commit 816ae57d086f6177cc3fac39f855d62ac7c7caa6
Author: Milan Crha <mcrha redhat com>
Date:   Thu Aug 18 11:50:21 2022 +0200

    adw-carousel: Fix a possible use-after-free under animate_child_resize()
    
    The could happen a use-after-free crash when removing a carousel child,
    which is still animating.
    
    Closes https://gitlab.gnome.org/GNOME/libadwaita/-/issues/453

 src/adw-carousel.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
---
diff --git a/src/adw-carousel.c b/src/adw-carousel.c
index 034b82b8..688a2dc1 100644
--- a/src/adw-carousel.c
+++ b/src/adw-carousel.c
@@ -328,8 +328,15 @@ animate_child_resize (AdwCarousel *self,
 
   update_shift_position_flag (self, child);
 
-  if (child->resize_animation)
+  if (child->resize_animation) {
+    gboolean been_removing = child->removing;
     adw_animation_skip (child->resize_animation);
+    /* It's because the skip finishes the animation, which triggers
+       the 'done' signal, which calls resize_animation_done_cb(),
+       which frees the 'child' immediately. */
+    if (been_removing)
+      return;
+  }
 
   target = adw_callback_animation_target_new ((AdwAnimationTargetFunc)
                                               resize_animation_value_cb,
[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]