From 72e54b9a44cc255f38159fb175f896297c571134 Mon Sep 17 00:00:00 2001
From: Victor Kareh
Date: Thu, 9 Oct 2025 08:22:57 -0400
Subject: daemon: Fix use-after-free crash in idle reposition timeout
Add destroy notify callback to prevent use-after-free crashes when notifications are closed before their reposition timeout fires.
Fixes #236
---
 src/daemon/daemon.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'src/daemon/daemon.c')
diff --git a/src/daemon/daemon.c b/src/daemon/daemon.c
index ef8682c..062e9a5 100644
--- a/src/daemon/daemon.c
+++ b/src/daemon/daemon.c
@@ -750,6 +750,13 @@ typedef struct {
 gint id;
 } IdleRepositionData;
+static void idle_reposition_data_destroy(gpointer user_data)
+{
+ IdleRepositionData* data = (IdleRepositionData*) user_data;
+ g_object_unref(data->daemon);
+ g_free(data);
+}
+
 static gboolean idle_reposition_notification(IdleRepositionData* data)
 {
 NotifyDaemon* daemon;
@@ -768,8 +775,6 @@ static gboolean idle_reposition_notification(IdleRepositionData* data)
 }
 g_hash_table_remove(daemon->idle_reposition_notify_ids, GINT_TO_POINTER(notify_id));
- g_object_unref(daemon);
- g_free(data);
 return FALSE;
 }
@@ -792,7 +797,7 @@ static void _queue_idle_reposition_notification(NotifyDaemon* daemon, gint notif
 data->id = notify_id;
 /* We do this as a short timeout to avoid repositioning spam */
- idle_id = g_timeout_add_full(G_PRIORITY_LOW, 50, (GSourceFunc) idle_reposition_notification, data, NULL);
+ idle_id = g_timeout_add_full(G_PRIORITY_LOW, 50, (GSourceFunc) idle_reposition_notification, data, idle_reposition_data_destroy);
 g_hash_table_insert(daemon->idle_reposition_notify_ids, GINT_TO_POINTER(notify_id), GUINT_TO_POINTER(idle_id));
 }
--
cgit v1.2.1
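Review bot: In the hunk at `@@ -750,6 +750,13 @@`, `idle_reposition_data_destroy` releases the daemon reference and the data but leaves the `idle_reposition_notify_ids` entry for that notification in place. The only removal visible in this patch is the `g_hash_table_remove` call in `idle_reposition_notification`, which runs only if the timeout actually fires. When a source is removed before it fires, which is the case the commit message describes, the removing code is outside this diff, so it should be confirmed that it also drops the table entry; otherwise the table keeps a source id that no longer refers to a live source. A comment on the new function would record the contract, for example `/* Called by GLib when the timeout source is destroyed, whether it fired or was removed; whoever removes the source must also remove its idle_reposition_notify_ids entry. */`.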
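Review bot: In the hunk at `@@ -792,7 +797,7 @@`, the changed `g_timeout_add_full` call still passes `idle_reposition_notification` through a `(GSourceFunc)` cast, although that function is declared with an `IdleRepositionData*` parameter and GLib will call it as `gboolean (*)(gpointer)`. Calling a function through a pointer of a different type is undefined behaviour in C, and builds hardened with indirect-call CFI (Clang's `-fsanitize=cfi-icall`) reject this kind of mismatch. The new `idle_reposition_data_destroy` already takes `gpointer user_data` and converts inside; doing the same for the callback, `static gboolean idle_reposition_notification(gpointer user_data)` with `IdleRepositionData* data = user_data;` as its first line, lets the cast be dropped. The callback's body lies partly outside the visible hunks.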