From 752dc9e4b159519726ac088a1f8bb7ddf40afaa2 Mon Sep 17 00:00:00 2001
From: Bastien Nocera
Date: Thu, 11 Nov 2010 14:01:09 +0000
Subject: [PATCH] - Fix a possible double-free crasher
---
...ble-free-when-destroying-private-win.patch | 38 +++++++++++++++
cairo-drawing.patch | 46 -------------------
display-cleanup.patch | 20 --------
gnome-desktop3.spec | 9 +++-
4 files changed, 46 insertions(+), 67 deletions(-)
create mode 100644 0001-Fix-possible-double-free-when-destroying-private-win.patch
delete mode 100644 cairo-drawing.patch
delete mode 100644 display-cleanup.patch
diff --git a/0001-Fix-possible-double-free-when-destroying-private-win.patch b/0001-Fix-possible-double-free-when-destroying-private-win.patch
new file mode 100644
index 0000000..405bc96
--- /dev/null
+++ b/0001-Fix-possible-double-free-when-destroying-private-win.patch
@@ -0,0 +1,38 @@
+From 7e967de7dff160d7302b1ab66db3f9054b8373b3 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera
+Date: Thu, 11 Nov 2010 13:21:21 +0000
+Subject: [PATCH] Fix possible double-free when destroying private windows
+
+This could cause free'ing random data when the members of ->windows
+were destroyed, but ->windows itself wasn't. As it was != NULL, we'd
+be free memory that wouldn't belong to us anymore.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=634534
+---
+ libgnome-desktop/gnome-rr-labeler.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/libgnome-desktop/gnome-rr-labeler.c b/libgnome-desktop/gnome-rr-labeler.c
+index 1de4569..ebf9905 100644
+--- a/libgnome-desktop/gnome-rr-labeler.c
++++ b/libgnome-desktop/gnome-rr-labeler.c
+@@ -411,11 +411,16 @@ gnome_rr_labeler_hide (GnomeRRLabeler *labeler)
+
+ g_return_if_fail (GNOME_IS_RR_LABELER (labeler));
+
++ if (labeler->windows == NULL)
++ return;
++
+ for (i = 0; i < labeler->num_outputs; i++)
+ if (labeler->windows[i] != NULL) {
+ gtk_widget_destroy (labeler->windows[i]);
+ labeler->windows[i] = NULL;
+ }
++ g_free (labeler->windows);
++ labeler->windows = NULL;
+ }
+
+ void
+--
+1.7.3.2
+
diff --git a/cairo-drawing.patch b/cairo-drawing.patch
deleted file mode 100644
index 891532a..0000000
--- a/cairo-drawing.patch
+++ /dev/null
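Review bot: In the embedded gnome-rr-labeler.c hunk, the two lines added at the end of `gnome_rr_labeler_hide()` free `labeler->windows` and reset it to NULL, but `labeler->num_outputs` keeps its old value, so from this point only the pointer tells whether the array exists. Any other code that walks `windows[i]` up to `num_outputs` without the same `labeler->windows == NULL` guard would dereference NULL after a hide; whether such a path exists cannot be told from this hunk, which starts inside the function body. A second `g_free (labeler->windows)` elsewhere (for example in a finalize path, if there is one) stays harmless only because of the NULL reset on the last added line, so the two statements must stay together. I would state that above the free with a comment such as `/* hide() releases the array and clears the pointer; all other users must treat windows == NULL as "no labels shown" */`.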
@@ -1,46 +0,0 @@
---- gnome-desktop-2.90.4/libgnome-desktop/gnome-bg.c 2010-06-21 21:49:06.000000000 -0400
-+++ hacked/libgnome-desktop/gnome-bg.c 2010-09-22 00:18:03.030998000 -0400
-@@ -209,8 +209,6 @@
-
- if (!gdk_color_parse (string, colorp))
- return;
--
-- gdk_rgb_find_color (gdk_rgb_get_colormap(), colorp);
- }
-
- static char *
-@@ -995,23 +993,24 @@
- }
-
- if (!bg->filename && bg->color_type == GNOME_BG_COLOR_SOLID) {
-- GdkGC *gc = gdk_gc_new (pixmap);
-- gdk_gc_set_rgb_fg_color (gc, &(bg->primary));
--
-- gdk_draw_point (pixmap, gc, 0, 0);
--
-- g_object_unref (gc);
-+ cairo_t *cr;
-+ cr = gdk_cairo_create (pixmap);
-+ gdk_cairo_set_source_color (cr, &(bg->primary));
-+ cairo_rectangle (cr, 0, 0, 1, 1);
-+ cairo_fill (cr);
-+ cairo_destroy (cr);
- }
- else {
- GdkPixbuf *pixbuf;
-+ cairo_t *cr;
-
- pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, FALSE, 8,
- width, height);
- gnome_bg_draw (bg, pixbuf, gdk_drawable_get_screen (GDK_DRAWABLE (window)), is_root);
-- gdk_draw_pixbuf (pixmap, NULL, pixbuf,
-- 0, 0,
-- 0, 0, width, height,
-- GDK_RGB_DITHER_MAX, 0, 0);
-+ cr = gdk_cairo_create (pixmap);
-+ gdk_cairo_set_source_pixbuf (cr, pixbuf, 0, 0);
-+ cairo_paint (cr);
-+ cairo_destroy (cr);
- g_object_unref (pixbuf);
- }
-
diff --git a/display-cleanup.patch b/display-cleanup.patch
deleted file mode 100644
index 7c7ecc2..0000000
--- a/display-cleanup.patch
+++ /dev/null
@@ -1,20 +0,0 @@ ---- gnome-desktop-2.90.4/libgnome-desktop/gnome-desktop-item.c 2010-03-27 07:34:40.000000000 -0400 -+++ hacked/libgnome-desktop/gnome-desktop-item.c 2010-09-22 00:08:51.173997995 -0400 -@@ -1786,7 +1786,7 @@ - arg_ptr = make_args (file_list); - - #ifdef HAVE_STARTUP_NOTIFICATION -- sn_display = sn_display_new (gdk_display, -+ sn_display = sn_display_new (GDK_DISPLAY_XDISPLAY (gdk_display_get_default ()), - sn_error_trap_push, - sn_error_trap_pop); - -@@ -1805,7 +1805,7 @@ - - sn_context = sn_launcher_context_new (sn_display, - screen ? gdk_screen_get_number (screen) : -- DefaultScreen (gdk_display)); -+ DefaultScreen (GDK_DISPLAY_XDISPLAY (gdk_display_get_default ()))); - - name = gnome_desktop_item_get_localestring (item, - GNOME_DESKTOP_ITEM_NAME); diff --git a/gnome-desktop3.spec b/gnome-desktop3.spec index ad18c9b..a0646c9 100644 --- a/gnome-desktop3.spec +++ b/gnome-desktop3.spec @@ -9,7 +9,7 @@ Summary: Shared code among gnome-panel, gnome-session, nautilus, etc Name: gnome-desktop3 Version: 2.91.1 -Release: 1%{?dist} +Release: 2%{?dist} URL: http://www.gnome.org Source0: http://download.gnome.org/sources/gnome-desktop/2.91/gnome-desktop-%{version}.tar.bz2 License: GPLv2+ and LGPLv2+ @@ -36,6 +36,9 @@ BuildRequires: gettext BuildRequires: gtk-doc >= %{gtk_doc_version} BuildRequires: automake autoconf libtool intltool +# Upstream patch +Patch0: 0001-Fix-possible-double-free-when-destroying-private-win.patch + %description The gnome-desktop package contains an internal library @@ -63,6 +66,7 @@ libgnomedesktop. %prep %setup -q -n gnome-desktop-%{version} +%patch0 -p1 -b .double-free %build %configure --with-gnome-distributor="Red Hat, Inc" \ @@ -110,6 +114,9 @@ rm -f $RPM_BUILD_ROOT%{_mandir}/man1/gnome-about* %doc %{_datadir}/gtk-doc/html/gnome-desktop3/ %changelog +* Thu Nov 11 2010 Bastien Nocera 2.91.1-2 +- Fix a possible double-free crasher + * Wed Nov 10 2010 Bastien Nocera 2.91.1-1 - Update to 2.91.1