Use after free in egg_tree_multi_drag_button_release_event causes segfault
`egg_tree_multi_drag_button_release_event` iterates through a list of GtkEvents stored in some interface private data and passes them to `gtk_propagate_event`. In certain circumstances this function can be re-entered during the propagation; `stop_drag_check` is called in the reentrant frame, freeing the list and invalidating the pointers in the ancestor frame.
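The re-entrancy hazard described above, as an added illustration that is not file-roller's or libegg's own code: a minimal stand-in for the private data, the pending event list and the two callees (all names hypothetical), showing the unsafe walk beside a hardened version that detaches the list before iterating so a re-entrant `stop_drag_check` cannot free nodes still in use.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the interface private data, its pending event
 * list, stop_drag_check and gtk_propagate_event from the report; added
 * illustration, not file-roller's or libegg's code. */
typedef struct Node { int event; struct Node *next; } Node;
typedef struct { Node *pending; int dispatched; } DragPriv;

static void free_list(Node *n) { while (n) { Node *nx = n->next; free(n); n = nx; } }

/* Like stop_drag_check: frees the pending list held in the private data. */
static void stop_drag_check(DragPriv *priv) { free_list(priv->pending); priv->pending = NULL; }

/* Like gtk_propagate_event: the handler may re-enter and cancel the drag. */
static void propagate_event(DragPriv *priv, int event) {
    priv->dispatched++;
    if (event == 0)                 /* first event ends the drag check re-entrantly */
        stop_drag_check(priv);
}

/* The pattern in the report: walks priv->pending while a callee may free it,
 * so every iteration after the re-entrant free touches freed memory. */
void button_release_unsafe(DragPriv *priv) {
    for (Node *n = priv->pending; n; n = n->next)   /* use after free */
        propagate_event(priv, n->event);
}

/* Fix: take ownership of the list before walking it. A re-entrant
 * stop_drag_check now finds priv->pending empty and frees nothing we use. */
int button_release_safe(DragPriv *priv) {
    Node *events = priv->pending;
    priv->pending = NULL;
    for (Node *n = events; n; n = n->next)
        propagate_event(priv, n->event);
    free_list(events);              /* freed exactly once, after the walk */
    return priv->dispatched;
}

/* Builds private data holding `count` queued events numbered 0..count-1. */
DragPriv *make_priv(int count) {
    DragPriv *priv = calloc(1, sizeof *priv);
    for (int i = count - 1; i >= 0; i--) {
        Node *n = malloc(sizeof *n);
        n->event = i; n->next = priv->pending; priv->pending = n;
    }
    return priv;
}
```

Running `button_release_unsafe` on the same input under AddressSanitizer reports the heap-use-after-free on the second iteration; `button_release_safe` dispatches all five events and leaves the list freed once.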
It seems to be fairly reproducible when opening/closing directories containing a large number of files. The following setup triggers a crash something like half of the time on my machine:
- Create an archive containing a directory with a large number of files:
  ```
  $ mkdir archive-dir
  $ for i in {0..10000}; do touch archive-dir/$i; done
  $ tar -cf test-archive.tar archive-dir
  ```
- Open test-archive.tar in file-roller
- Open the 'archive-dir' directory
- If no crash results, press the 'back' button and try again.
Speed seems to be critical here, so if it doesn't work maybe clicking faster will help? ;)