Avoid a heap-use-after-free

_gtk_gesture_cancel_sequence frees the struct pointed to by data, so don't write to it afterwards. Found by asan.

Avoid a heap-use-after-free
_gtk_gesture_cancel_sequence frees the struct pointed to by data, so don't write to it afterwards. Found by asan.
39d5dd89 · Matthias Clasen · 341efe9a · 39d5dd89
Commit 39d5dd89 authored Jan 22, 2021 by Matthias Clasen
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 2 deletions

gtk/gtkgesture.c gtk/gtkgesture.c +5 -2

No files found.
--- a/gtk/gtkgesture.c
+++ b/gtk/gtkgesture.c
@@ -991,6 +991,7 @@ gtk_gesture_set_sequence_state (GtkGesture            *gesture,
 {
  GtkGesturePrivate *priv;
  PointData *data;
+  GtkEventSequenceState current_state;

  g_return_val_if_fail (GTK_IS_GESTURE (gesture), FALSE);
  g_return_val_if_fail (state >= GTK_EVENT_SEQUENCE_NONE &&
@@ -1014,11 +1015,13 @@ gtk_gesture_set_sequence_state (GtkGesture            *gesture,
      data->state != GTK_EVENT_SEQUENCE_NONE)
    return FALSE;

+  current_state = data->state;
+  data->state = state;
+
  if (state == GTK_EVENT_SEQUENCE_DENIED &&
-      data->state == GTK_EVENT_SEQUENCE_CLAIMED)
+      current_state == GTK_EVENT_SEQUENCE_CLAIMED)
    _gtk_gesture_cancel_sequence (gesture, sequence);

-  data->state = state;
  gtk_widget_cancel_event_sequence (gtk_event_controller_get_widget (GTK_EVENT_CONTROLLER (gesture)),
                                    gesture, sequence, state);
  g_signal_emit (gesture, signals[SEQUENCE_STATE_CHANGED], 0,