liststore: Fix gtk_list_store_iter_is_valid()

The iter may be invalid, so we may not read from it. testsuite/gtk/treemodel tests this and valgrind is shouting about it, but it never crashed until I just ran it... This bug is from 2004 and the test is from 2007. I guess invalid memory accesses don't get caught by CI much.
2020-03-06 05:03:45 +01:00
parent e38800ad3e
commit b56202937a
1 changed files with 25 additions and 1 deletions
--- a/gtk/gtkliststore.c
+++ b/gtk/gtkliststore.c
@@ -1454,10 +1454,34 @@ gboolean
 gtk_list_store_iter_is_valid (GtkListStore *list_store,
                              GtkTreeIter  *iter)
 {
+  GtkListStorePrivate *priv;
+  GSequenceIter *seq_iter;
+
  g_return_val_if_fail (GTK_IS_LIST_STORE (list_store), FALSE);
  g_return_val_if_fail (iter != NULL, FALSE);

-  return iter_is_valid (iter, list_store);
+  /* can't use iter_is_valid() here, because iter might point
+   * to random memory.
+   *
+   * We MUST NOT dereference it.
+   */
+
+  priv = list_store->priv;
+
+  if (iter == NULL ||
+      iter->user_data == NULL ||
+      priv->stamp != iter->stamp)
+    return FALSE;
+
+  for (seq_iter = g_sequence_get_begin_iter (priv->seq);
+       !g_sequence_iter_is_end (seq_iter);
+       seq_iter = g_sequence_iter_next (seq_iter))
+    {
+      if (seq_iter == iter->user_data)
+        return TRUE;
+    }
+
+  return FALSE;
 }

 static gboolean real_gtk_list_store_row_draggable (GtkTreeDragSource *drag_source,