Use after free when deleting a completed task
Description
Created attachment 338980: gdb log from being attached to gnome-todo running in valgrind
Steps to reproduce:
- Add a new task in Today view
- Mark it as completed
- Un-hide (uncollapse) completed tasks
- Select any completed task
- Delete task
What happens:
Valgrind:
==1488== Invalid read of size 8
==1488== at 0x639C31E: gtk_widget_destroy (gtkwidget.c:4712)
==1488== by 0x12E628: gtd_task_row__destroy_cb (gtd-task-row.c:352)
==1488== by 0x9A6D88C: g_timeout_dispatch (gmain.c:4674)
==1488== by 0x9A6CE41: g_main_dispatch (gmain.c:3203)
==1488== by 0x9A6CE41: g_main_context_dispatch (gmain.c:3856)
==1488== by 0x9A6D1BF: g_main_context_iterate.isra.24 (gmain.c:3929)
==1488== by 0x9A6D26B: g_main_context_iteration (gmain.c:3990)
==1488== by 0x92A7BBC: g_application_run (gapplication.c:2381)
==1488== by 0x117CDD: main (main.c:41)
==1488== Address 0x29aa9e40 is 352 bytes inside a block of size 560 free'd
==1488== at 0x4C2ED4A: free (vg_replace_malloc.c:530)
==1488== by 0x9A726BD: g_free (gmem.c:189)
==1488== by 0x9A8B20F: g_slice_free1 (gslice.c:1136)
==1488== by 0x9803B01: g_type_free_instance (gtype.c:1937)
==1488== by 0x12CA96: gtd_task_list_view__remove_row_for_task (gtd-task-list-view.c:966)
==1488== by 0x12CAFD: remove_task_from_list (gtd-task-list-view.c:264)
==1488== by 0x12B883: iterate_subtasks.constprop.8 (gtd-task-list-view.c:189)
==1488== by 0x12CEB7: gtd_task_list_view__remove_task_cb (gtd-task-list-view.c:635)
==1488== by 0x97E346F: g_cclosure_marshal_VOID__OBJECTv (gmarshal.c:2102)
==1488== by 0x97E0613: _g_closure_invoke_va (gclosure.c:867)
==1488== by 0x97FADD8: g_signal_emit_valist (gsignal.c:3300)
==1488== by 0x97FB43E: g_signal_emit (gsignal.c:3447)
==1488== Block was alloc'd at
==1488== at 0x4C2DB9D: malloc (vg_replace_malloc.c:299)
==1488== by 0x9A725A8: g_malloc (gmem.c:94)
==1488== by 0x9A8AB02: g_slice_alloc (gslice.c:1025)
==1488== by 0x9A8B12D: g_slice_alloc0 (gslice.c:1051)
==1488== by 0x9803839: g_type_create_instance (gtype.c:1839)
==1488== by 0x97E569A: g_object_new_internal (gobject.c:1783)
==1488== by 0x97E75AD: g_object_new_valist (gobject.c:2042)
==1488== by 0x97E7850: g_object_new (gobject.c:1626)
==1488== by 0x12B638: insert_task (gtd-task-list-view.c:834)
==1488== by 0x12DE27: gtd_task_list_view_set_show_completed (gtd-task-list-view.c:1939)
==1488== by 0x12DEE5: gtd_task_list_view__done_button_clicked (gtd-task-list-view.c:773)
==1488== by 0x97E0613: _g_closure_invoke_va (gclosure.c:867)
==1488==
gdb:
#0 0x000000000639c31e in gtk_widget_destroy (widget=0x29aa9e40) at gtkwidget.c:4712
#1 0x000000000012e629 in gtd_task_row__destroy_cb (row=row@entry=0x29aa9e40) at gtd-task-row.c:352
#2 0x0000000009a6d88d in g_timeout_dispatch (source=0x2a13be30, callback=0x12e620 <gtd_task_row__destroy_cb>, user_data=0x29aa9e40) at gmain.c:4674
#3 0x0000000009a6ce42 in g_main_dispatch (context=0x1f37d5b0) at gmain.c:3203
#4 0x0000000009a6ce42 in g_main_context_dispatch (context=context@entry=0x1f37d5b0) at gmain.c:3856
#5 0x0000000009a6d1c0 in g_main_context_iterate (context=context@entry=0x1f37d5b0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3929
#6 0x0000000009a6d26c in g_main_context_iteration (context=context@entry=0x1f37d5b0, may_block=may_block@entry=1) at gmain.c:3990
#7 0x00000000092a7bbd in g_application_run (application=0x1f379630 [GtdApplication], argc=1, argv=0xffefffdc8) at gapplication.c:2381
#8 0x0000000000117cde in main (argc=1, argv=0xffefffdc8) at main.c:41
Full gdb log is attached.
Affected versions: gnome-todo-3.22.0-1.fc25.x86_64 gtk3-3.22.2-1.fc25.x86_64 glib2-2.50.1-1.fc25.x86_64
QA Tasks
- Reproduce the steps mentioned, and To Do does not crash
- No regressions were introduced
Edited by Mohammed Sadiq
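The two traces above describe one ordering: gtd_task_row__destroy_cb is queued as a one-shot timeout, the list view then finalizes the row in gtd_task_list_view__remove_row_for_task (the "free'd" stack), and the main loop finally dispatches the stale timeout with the freed row as user_data (the "Invalid read"). The C program below is an added model of that race, not code from gnome-todo, GTK or GLib: the source table, the quarantine that stands in for valgrind, and the task_row type are stand-ins defined here, and the function names are hypothetical. It runs the same sequence twice, once with a finalizer that leaves the timeout queued (the reported bug) and once with a finalizer that cancels it first (the usual fix, g_source_remove on the stored id in dispose), and reports how many callbacks ran against a dead object.

```c
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins for g_timeout_add / g_source_remove / main-loop dispatch. */
typedef void (*SourceFunc)(void *user_data);
struct source { unsigned id; SourceFunc func; void *user_data; int active; };
#define MAX_SOURCES 16
static struct source sources[MAX_SOURCES];
static unsigned next_source_id = 1;

/* Freed-object quarantine standing in for valgrind: quarantined memory is
 * never reused, so a callback can test whether its user_data is dead. */
#define MAX_FREED 16
static void *freed_ptrs[MAX_FREED];
static size_t freed_count;
static int dangling_callbacks;  /* counted instead of crashing */

static unsigned source_add(SourceFunc func, void *user_data)
{
    for (size_t i = 0; i < MAX_SOURCES; i++)
        if (!sources[i].active) {
            sources[i] = (struct source){ next_source_id++, func, user_data, 1 };
            return sources[i].id;
        }
    abort();
}

static void source_remove(unsigned id)
{
    for (size_t i = 0; i < MAX_SOURCES; i++)
        if (sources[i].active && sources[i].id == id)
            sources[i].active = 0;
}

/* One main-loop iteration: each pending one-shot source fires once. */
static void loop_dispatch(void)
{
    for (size_t i = 0; i < MAX_SOURCES; i++)
        if (sources[i].active) {
            sources[i].active = 0;
            sources[i].func(sources[i].user_data);
        }
}

static int is_freed(const void *p)
{
    for (size_t i = 0; i < freed_count; i++)
        if (freed_ptrs[i] == p)
            return 1;
    return 0;
}

static void quarantine_free(void *p)
{
    if (freed_count == MAX_FREED)
        abort();
    freed_ptrs[freed_count++] = p;  /* intentionally never free()d */
}

/* Model of GtdTaskRow: destroys itself from a timeout and keeps the source id. */
struct task_row { unsigned destroy_source_id; int destroyed; };

static void task_row_destroy_cb(void *user_data)
{
    struct task_row *row = user_data;
    if (is_freed(row)) {            /* the "Invalid read" in the valgrind log */
        dangling_callbacks++;
        return;
    }
    row->destroyed = 1;
}

/* Finalizer. With cancel_pending the queued source is removed first (the fix:
 * g_source_remove in dispose); without it the row dies with its timeout queued. */
static void task_row_free(struct task_row *row, int cancel_pending)
{
    if (cancel_pending && row->destroy_source_id)
        source_remove(row->destroy_source_id);
    quarantine_free(row);
}

/* The report's ordering: row schedules its destruction, the list view frees it,
 * the main loop then dispatches the stale timeout. Returns the dangling count. */
static int run_scenario(int cancel_pending)
{
    memset(sources, 0, sizeof sources);
    next_source_id = 1;
    freed_count = 0;
    dangling_callbacks = 0;
    struct task_row *row = calloc(1, sizeof *row);
    if (!row)
        abort();
    row->destroy_source_id = source_add(task_row_destroy_cb, row); /* g_timeout_add */
    task_row_free(row, cancel_pending); /* gtd_task_list_view__remove_row_for_task */
    loop_dispatch();                    /* g_main_context_dispatch */
    return dangling_callbacks;
}

int run_buggy_scenario(void) { return run_scenario(0); }
int run_fixed_scenario(void) { return run_scenario(1); }
```

run_buggy_scenario() reports one callback on a dead row and run_fixed_scenario() reports none. In real GLib code the alternative to cancelling the source is to make the source own a reference: g_timeout_add_full() with g_object_ref() applied to the data and g_object_unref as the GDestroyNotify keeps the object alive until the source is destroyed, so the callback can never see freed memory, at the cost of deferring finalization until the timeout fires.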