toast-overlay: Prevent show_done from firing after hide_done (!762) · Merge requests · GNOME / libadwaita

Icecream95 requested to merge icecream95/libadwaita:toast-uaf into main Feb 18, 2023

Fixes a use-after-free when toasts are quickly created and dismissed in a loop:

Invalid read of size 8
   at 0x53F23AC: show_done_cb (adw-toast-overlay.c:167)
   by 0x51F9553: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.7400.1)
   by 0x51F9632: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.7400.1)
   by 0x539BD25: adw_animation_skip (adw-animation.c:710)
   by 0x539AF21: tick_cb (adw-animation.c:191)
 Address 0x1c3398f8 is 24 bytes inside a block of size 56 free'd
   at 0x48460E4: free (vg_replace_malloc.c:884)
   by 0x52848CC: g_free (in /usr/lib64/libglib-2.0.so.0.7400.1)
   by 0x53F21BF: free_toast_info (adw-toast-overlay.c:119)
   by 0x53F238D: hide_done_cb (adw-toast-overlay.c:161)
   by 0x51F9553: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.7400.1)
   by 0x51F9632: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.7400.1)
   by 0x539BD25: adw_animation_skip (adw-animation.c:710)
   by 0x539AF21: tick_cb (adw-animation.c:191)
 Block was alloc'd at
   at 0x4848464: calloc (vg_replace_malloc.c:1340)
   by 0x52885F0: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.7400.1)
   by 0x53F370B: adw_toast_overlay_add_toast (adw-toast-overlay.c:665)

This is my first time doing anything GNOME-related, hopefully I've fixed this bug in the correct manner. Is a test for the fix important? How does backporting to stable releases work?

Are there any other places that I might need the g_signal_handler_disconnect?

toast-overlay: Prevent show_done from firing after hide_done

Merge request reports