| author | Cigydd <[email protected]> | 2026-06-15 22:42:23 +0200 |
|---|---|---|
| committer | Luke from DC <[email protected]> | 2026-06-18 23:32:03 +0000 |
| commit | db484d13c3bf7d527c0baa3b4ca7def54ec65d27 (patch) | |
| tree | ceef594b268f80d274afa1946f828ce4dbd489f9 | |
| parent | 688ba3d6a6db6def69a965b5dba0d211d5407969 (diff) | |

DriveButton connects a "changed" handler to the global default
GtkIconTheme but drive_button_dispose() never disconnected it. The icon
theme outlives the button, so after a button is destroyed (a volume or
mount is removed) a later "changed" emission runs the handler on freed
memory and schedules drive_button_update() via an idle source, crashing
the panel with a use-after-free.

Disconnect the handler in drive_button_dispose().

Assisted-by: Claude:claude-opus-4.8

| -rw-r--r-- | drivemount/src/drive-button.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/drivemount/src/drive-button.c b/drivemount/src/drive-button.c index d33600f0..80f4b7ce 100644 --- a/drivemount/src/drive-button.c +++ b/drivemount/src/drive-button.c @@ -144,6 +144,15 @@ drive_button_dispose (GObject *object) { DriveButton *self = DRIVE_BUTTON (object); + /* The "changed" handler was connected to the process-global default icon + * theme (see drive_button_new / drive_button_new_from_mount), which + * outlives this button. If we don't disconnect it, the theme keeps a + * dangling pointer to the freed button and a later "changed" emission + * schedules drive_button_update() on freed memory -> use-after-free crash. */ + g_signal_handlers_disconnect_by_func (gtk_icon_theme_get_default (), + G_CALLBACK (drive_button_theme_change), + self); + drive_button_set_volume (self, NULL); if (self->update_tag) |
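
Review bot: The g_signal_handlers_disconnect_by_func() call added at the top of drive_button_dispose() matches on the callback and on self, so it stays correct only while both connect sites named in the comment (drive_button_new and drive_button_new_from_mount) keep connecting drive_button_theme_change to the default icon theme with the button as user data. Consider connecting with g_signal_connect_object() at those two sites instead, which ties the handler's lifetime to the button and removes the need for a matching call here. If the explicit disconnect stays, it is worth saying in the comment that dispose may run more than once and that the call is harmless on a repeat pass because it matches no handler. Placing the disconnect before drive_button_set_volume (self, NULL) looks right, and the comment could be trimmed to its first sentence plus the reason.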
