From: Ben Pfaff Date: Sun, 19 Aug 2012 20:18:56 +0000 (-0700) Subject: psppire-cell-renderer-button: Avoid use-after-free with popup dialog. X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=46510f46c169c5d5d1f13bcb2e1ff2aa9fffe05f;p=pspp psppire-cell-renderer-button: Avoid use-after-free with popup dialog. When gtk_button_clicked() on a PsppireCellRendererButton causes a modal dialog to pop up, psppire_cell_renderer_button_initial_click() only returns from gtk_button_clicked() after the button has already been destroyed, which causes the g_object_steal_data() call to remove the IDLE_ID_STRING to access freed memory. This commit fixes the problem by calling g_object_steal_data() before gtk_button_clicked(). --- diff --git a/src/ui/gui/psppire-cell-renderer-button.c b/src/ui/gui/psppire-cell-renderer-button.c index ac90984a3d..978908e01f 100644 --- a/src/ui/gui/psppire-cell-renderer-button.c +++ b/src/ui/gui/psppire-cell-renderer-button.c @@ -318,8 +318,8 @@ psppire_cell_renderer_button_initial_click (gpointer data) { GtkButton *button = data; - gtk_button_clicked (button); g_object_steal_data (G_OBJECT (button), IDLE_ID_STRING); + gtk_button_clicked (button); return FALSE; }
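Review bot: in psppire_cell_renderer_button_initial_click(), nothing in the code records why g_object_steal_data() now has to come before gtk_button_clicked(), so a later cleanup could swap the two calls back and reintroduce the use-after-free. A short comment above the pair would prevent that, for example `/* The click may pop up a modal dialog and destroy BUTTON before it returns, so drop IDLE_ID_STRING first. */`. The function also still holds no reference of its own on `button` while gtk_button_clicked() runs, although the commit message says the button can be destroyed before that call returns. Consider wrapping the call in `g_object_ref (button);` and `g_object_unref (button);` so the object stays alive for the whole call and correctness no longer depends on statement order.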