diff options
| author | Milan Crha <mcrha@redhat.com> | 2014-09-02 16:16:36 +0800 |
|---|---|---|
| committer | Milan Crha <mcrha@redhat.com> | 2014-09-02 16:16:36 +0800 |
| commit | 707ba2751903f08369d2c8fa7779140b49f6051b (patch) | |
| tree | eefe39b1091d76dea84d533afd6024b9ae7c04a5 | |
| parent | 198f5b7cd178deb43f99901184b44514386550e9 (diff) | |
| download | gsoc2013-evolution-707ba2751903f08369d2c8fa7779140b49f6051b.tar gsoc2013-evolution-707ba2751903f08369d2c8fa7779140b49f6051b.tar.gz gsoc2013-evolution-707ba2751903f08369d2c8fa7779140b49f6051b.tar.bz2 gsoc2013-evolution-707ba2751903f08369d2c8fa7779140b49f6051b.tar.lz gsoc2013-evolution-707ba2751903f08369d2c8fa7779140b49f6051b.tar.xz gsoc2013-evolution-707ba2751903f08369d2c8fa7779140b49f6051b.tar.zst gsoc2013-evolution-707ba2751903f08369d2c8fa7779140b49f6051b.zip | |
Use-after-free of a full name editor when closing a contact editor
The EContactEditor added a signal handler to "editor_closed" to
close also a full name editor, but it did not remove the signal
handler on full name editor's destroy, thus the callback was called
on an already freed widget, which could cause a crash.
This had been reported at:
https://bugzilla.redhat.com/show_bug.cgi?id=1128745
| -rw-r--r-- | addressbook/gui/contact-editor/e-contact-editor.c | 23 |
1 files changed, 11 insertions, 12 deletions
diff --git a/addressbook/gui/contact-editor/e-contact-editor.c b/addressbook/gui/contact-editor/e-contact-editor.c index 323a82b4df..f8021d2292 100644 --- a/addressbook/gui/contact-editor/e-contact-editor.c +++ b/addressbook/gui/contact-editor/e-contact-editor.c @@ -3197,6 +3197,14 @@ exit: } static void +full_name_editor_closed_cb (GtkWidget *widget, + gpointer data) +{ + if (GTK_IS_WIDGET (widget)) + gtk_widget_destroy (widget); +} + +static void full_name_response (GtkDialog *dialog, gint response, EContactEditor *editor) @@ -3235,21 +3243,12 @@ full_name_response (GtkDialog *dialog, file_as_set_style (editor, style); } + g_signal_handlers_disconnect_by_func (editor, G_CALLBACK (full_name_editor_closed_cb), dialog); + gtk_widget_destroy (GTK_WIDGET (dialog)); editor->priv->fullname_dialog = NULL; } -static gint -full_name_editor_delete_event_cb (GtkWidget *widget, - GdkEvent *event, - gpointer data) -{ - if (GTK_IS_WIDGET (widget)) - gtk_widget_destroy (widget); - - return TRUE; -} - static void full_name_clicked (GtkWidget *button, EContactEditor *editor) @@ -3276,7 +3275,7 @@ full_name_clicked (GtkWidget *button, /* Close the fullname dialog if the editor is closed */ g_signal_connect_swapped ( editor, "editor_closed", - G_CALLBACK (full_name_editor_delete_event_cb), dialog); + G_CALLBACK (full_name_editor_closed_cb), dialog); gtk_widget_show (GTK_WIDGET (dialog)); editor->priv->fullname_dialog = GTK_WIDGET (dialog); |