Patch-Source: https://gitlab.gnome.org/GNOME/gtk/-/commit/1d95b8ab2646b3e36a1c1b23b771c4f145be13fc https://gitlab.gnome.org/GNOME/gtk/-/merge_requests/6049 -- From 1d95b8ab2646b3e36a1c1b23b771c4f145be13fc Mon Sep 17 00:00:00 2001 From: Martin Wilck Date: Fri, 2 Jun 2023 15:16:58 +0200 Subject: [PATCH] gtkmountoperation: avoid SEGV after bad password input I observed the following nautilus crash below after trying to access an SMB share and mistyping my password (it also happens if mounting the SMB share fails for other reasons after entering a password). The crash happens when the password entry window pops up the second time, in this code path, at the 7th element of priv->user_widgets: 458 pw_dialog_anonymous_toggled (GtkWidget *widget, 459 GtkMountOperation *operation) 460 { ... 472 for (l = priv->user_widgets; l != NULL; l = l->next) 473 { 474 gtk_widget_set_sensitive (GTK_WIDGET (l->data), !priv->anonymous); 475 } The broken element had l->data = 0xaaaaaaaaaaaa, which means the pointer had been freed. The broken list entries were at the of the list because when gtk_mount_operation_ask_password_do_gtk() constucts the pop-up the 2nd time, it prepends new widgets: gtk_mount_operation_ask_password_do_gtk() table_add_entry operation->priv->user_widgets = g_list_prepend (operation->priv->user_widgets, entry); The problem is that in pw_dialog_got_response(), the widget is destroyed, which also destroys all child widgets, but the priv->user_widgets list is neither freed nor set to NULL. Fix it. --- gtk/gtkmountoperation.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/gtk/gtkmountoperation.c b/gtk/gtkmountoperation.c index 2cf7e75d584..e6b50c9b6ef 100644 --- a/gtk/gtkmountoperation.c +++ b/gtk/gtkmountoperation.c @@ -380,6 +380,11 @@ pw_dialog_got_response (GtkDialog *dialog, else g_mount_operation_reply (op, G_MOUNT_OPERATION_ABORTED); + if (priv->user_widgets) + { + g_list_free (priv->user_widgets); + priv->user_widgets = NULL; + } priv->dialog = NULL; g_object_notify (G_OBJECT (op), "is-showing"); gtk_widget_destroy (GTK_WIDGET (dialog)); -- GitLab