ev-window: Fix use-after-free by disconnecting document modified signal on window close
Evince currently crashes if we try to annotate after opening and closing a new window of the same document.
This is because the modified signal of the closed window is still connected, and we are calling its callback with the already freed ev_window, resulting in a use-after-free.
Using valgrind, it was observed that:
==2== Invalid read of size 8
==2== at 0x497B431: g_type_check_instance_cast (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== by 0x14A476: ev_window_get_toolbar (ev-window.c:8068)
==2== by 0x14A476: ev_window_document_modified_cb (ev-window.c:5288)
==2== by 0x4955501: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== by 0x496A1C7: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== by 0x4971134: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== by 0x4971302: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== by 0x49599D3: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== by 0x495C8A1: g_object_notify (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== by 0x108B7CC9: pdf_document_annotations_add_annotation (ev-poppler.c:3357)
==2== by 0x4897496: ev_view_create_annotation_real (ev-view.c:3768)
==2== by 0x489ADF0: ev_view_create_annotation_from_selection (ev-view.c:3871)
==2== by 0x489ADF0: ev_view_add_text_markup_annotation_for_selected_text (ev-view.c:6357)
==2== by 0x4955501: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== Address 0xba5e4c0 is 1,296 bytes inside an unallocated block of size 1,504 in arena "client"
==2==
==2== Invalid read of size 8
==2== at 0x497B440: g_type_check_instance_cast (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== by 0x14A476: ev_window_get_toolbar (ev-window.c:8068)
==2== by 0x14A476: ev_window_document_modified_cb (ev-window.c:5288)
==2== by 0x4955501: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== by 0x496A1C7: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== by 0x4971134: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== by 0x4971302: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== by 0x49599D3: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== by 0x495C8A1: g_object_notify (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== by 0x108B7CC9: pdf_document_annotations_add_annotation (ev-poppler.c:3357)
==2== by 0x4897496: ev_view_create_annotation_real (ev-view.c:3768)
==2== by 0x489ADF0: ev_view_create_annotation_from_selection (ev-view.c:3871)
==2== by 0x489ADF0: ev_view_add_text_markup_annotation_for_selected_text (ev-view.c:6357)
==2== by 0x4955501: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7303.0)
==2== Address 0xaaaaaaaaaaaaaaaa is not stack'd, malloc'd or (recently) free'd
To fix this, we disconnect the modified signal on window close.
Closes #1766 (closed)
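The lifetime rule this commit message describes, as an added example that is not Evince or GObject code: a plain-C model in which several windows register a "modified" callback on one shared document, and the close path removes the handler before the window memory is released. All names here (`Document`, `Window`, `doc_connect`, `doc_disconnect`, `doc_emit_modified`, `window_open`, `window_close`) are hypothetical stand-ins.

```c
#include <stdlib.h>

#define MAX_HANDLERS 8
typedef void (*modified_cb)(void *user_data);
/* Stand-in for the shared document object: one instance, several windows. */
typedef struct { modified_cb cb[MAX_HANDLERS]; void *data[MAX_HANDLERS]; } Document;
/* Stand-in for a window; the callback below dereferences it. */
typedef struct { Document *doc; int toolbar_updates; } Window;

static void window_modified_cb(void *user_data) {
    Window *w = user_data;   /* would dangle if the window were freed while connected */
    w->toolbar_updates++;
}

static int doc_connect(Document *d, modified_cb cb, void *data) {
    for (int i = 0; i < MAX_HANDLERS; i++)
        if (!d->cb[i]) { d->cb[i] = cb; d->data[i] = data; return i; }
    return -1;               /* handler table full */
}

static int doc_disconnect(Document *d, modified_cb cb, void *data) {
    int removed = 0;
    for (int i = 0; i < MAX_HANDLERS; i++)
        if (d->cb[i] == cb && d->data[i] == data) { d->cb[i] = NULL; removed++; }
    return removed;
}

/* Emit "modified"; returns the number of callbacks invoked. */
static int doc_emit_modified(Document *d) {
    int ran = 0;
    for (int i = 0; i < MAX_HANDLERS; i++)
        if (d->cb[i]) { d->cb[i](d->data[i]); ran++; }
    return ran;
}

static Window *window_open(Document *d) {
    Window *w = calloc(1, sizeof *w);
    if (!w) return NULL;
    w->doc = d;
    if (doc_connect(d, window_modified_cb, w) < 0) { free(w); return NULL; }
    return w;
}

/* Close path with the fix: drop the handler before the memory is released. */
static void window_close(Window *w) {
    doc_disconnect(w->doc, window_modified_cb, w);
    free(w);
}
```

Because the document outlives any single window, the handler table is the only place that still holds the window pointer after close, so clearing it there is what keeps a later emit from touching freed memory.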