From 707ba2751903f08369d2c8fa7779140b49f6051b Mon Sep 17 00:00:00 2001
From: Milan Crha
Date: Tue, 2 Sep 2014 10:16:36 +0200
Subject: Use-after-free of a full name editor when closing a contact editor

The EContactEditor added a signal handler to "editor_closed" to close also a full name editor, but it did not remove the signal handler on full name editor's destroy, thus the callback was called on an already freed widget, which could cause a crash. This had been reported at: https://bugzilla.redhat.com/show_bug.cgi?id=1128745
---
 addressbook/gui/contact-editor/e-contact-editor.c | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/addressbook/gui/contact-editor/e-contact-editor.c b/addressbook/gui/contact-editor/e-contact-editor.c
index 323a82b4df..f8021d2292 100644
--- a/addressbook/gui/contact-editor/e-contact-editor.c
+++ b/addressbook/gui/contact-editor/e-contact-editor.c
@@ -3196,6 +3196,14 @@ exit:
 g_object_unref (source);
 }

+static void
+full_name_editor_closed_cb (GtkWidget *widget,
+ gpointer data)
+{
+ if (GTK_IS_WIDGET (widget))
+ gtk_widget_destroy (widget);
+}
+
 static void
 full_name_response (GtkDialog *dialog,
 gint response,
@@ -3235,21 +3243,12 @@ full_name_response (GtkDialog *dialog,
 file_as_set_style (editor, style);
 }

+ g_signal_handlers_disconnect_by_func (editor, G_CALLBACK (full_name_editor_closed_cb), dialog);
+
 gtk_widget_destroy (GTK_WIDGET (dialog));
 editor->priv->fullname_dialog = NULL;
 }

-static gint
-full_name_editor_delete_event_cb (GtkWidget *widget,
- GdkEvent *event,
- gpointer data)
-{
- if (GTK_IS_WIDGET (widget))
- gtk_widget_destroy (widget);
-
- return TRUE;
-}
-
 static void
 full_name_clicked (GtkWidget *button,
 EContactEditor *editor)
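Review bot: The `GTK_IS_WIDGET (widget)` guard in `full_name_editor_closed_cb` cannot catch the freed-widget case this commit addresses, because the type check itself reads through the instance pointer. Safety therefore rests entirely on the handler being disconnected before the dialog is destroyed. A short comment above the function would keep that invariant visible, for example `/* Swapped handler: widget is the full-name dialog; must be disconnected before that dialog is destroyed. */`. The `data` argument is unused here (presumably the editor, given the swapped connection) and could be noted as such in the same comment.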
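Review bot: The disconnect added in `full_name_response` covers only the path where the dialog is destroyed from its own response handler; if the dialog can be destroyed any other way (not visible in these hunks), the editor would still hold a handler pointing at a freed widget. Binding the handler's lifetime to the dialog at connection time in `full_name_clicked` (third hunk) removes that dependency: `g_signal_connect_object (editor, "editor_closed", G_CALLBACK (full_name_editor_closed_cb), dialog, G_CONNECT_SWAPPED);`. With that in place the explicit disconnect becomes a harmless extra rather than the only safeguard. Both `full_name_response` and `full_name_clicked` begin or end outside the hunks shown, so other destroy paths should be confirmed against the full file.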
@@ -3276,7 +3275,7 @@ full_name_clicked (GtkWidget *button,
 /* Close the fullname dialog if the editor is closed */
 g_signal_connect_swapped (
 editor, "editor_closed",
- G_CALLBACK (full_name_editor_delete_event_cb), dialog);
+ G_CALLBACK (full_name_editor_closed_cb), dialog);

 gtk_widget_show (GTK_WIDGET (dialog));
 editor->priv->fullname_dialog = GTK_WIDGET (dialog);
-- 
cgit v1.2.3