From 9a4bf658bb8d13a1f95de3eb29765de6e086c371 Mon Sep 17 00:00:00 2001
From: Matthias Clasen
Date: Mon, 12 May 2025 15:37:50 -0400
Subject: [PATCH] Fix a possible segfault and critical warnings
Resolves: RHEL-4130
Resolves: RHEL-22853
---
 0001-dnd-Prevent-a-possible-segfault.patch | 37 ++++++++++++++++++++++
 gtk3.spec | 10 +++++-
 remove-size-allocation-critical.patch | 11 +++++++
 3 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 0001-dnd-Prevent-a-possible-segfault.patch
 create mode 100644 remove-size-allocation-critical.patch
diff --git a/0001-dnd-Prevent-a-possible-segfault.patch b/0001-dnd-Prevent-a-possible-segfault.patch
new file mode 100644
index 0000000..63d0361
--- /dev/null
+++ b/0001-dnd-Prevent-a-possible-segfault.patch
@@ -0,0 +1,37 @@
+From 889057a38627acb711ae56852d779925e770d8a0 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen
+Date: Wed, 28 Feb 2024 13:10:27 -0500
+Subject: [PATCH] dnd: Prevent a possible segfault
+
+It is at least theoretically possible that gtk_entry_get_pixel_ranges
+will return no ranges, and we should handle that without an
+out-of-bounds access or segfault.
+---
+ gtk/gtkentry.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gtk/gtkentry.c b/gtk/gtkentry.c
+index 4078855c93..a71578218c 100644
+--- a/gtk/gtkentry.c
++++ b/gtk/gtkentry.c
+@@ -4724,7 +4724,7 @@ gtk_entry_drag_gesture_update (GtkGestureDrag *gesture,
+ button = gtk_gesture_single_get_current_button (GTK_GESTURE_SINGLE (gesture));
+ gtk_drag_begin_with_coordinates (widget, target_list, actions,
+ button, (GdkEvent*) event,
+- priv->drag_start_x + ranges[0],
++ priv->drag_start_x + (n_ranges > 0 ? ranges[0] : 0),
+ priv->drag_start_y);
+ g_free (ranges);
+
+@@ -9931,7 +9931,7 @@ gtk_entry_drag_begin (GtkWidget *widget,
+ gtk_entry_get_pixel_ranges (entry, &ranges, &n_ranges);
+ cairo_surface_get_device_scale (surface, &sx, &sy);
+ cairo_surface_set_device_offset (surface,
+- -(priv->drag_start_x - ranges[0]) * sx,
++ -(priv->drag_start_x - (n_ranges > 0 ? ranges[0] : 0)) * sx,
+ -(priv->drag_start_y) * sy);
+ g_free (ranges);
+
+--
+2.49.0
+
diff --git a/gtk3.spec b/gtk3.spec
index 7674906..bef614c 100644
--- a/gtk3.spec
+++ b/gtk3.spec
@@ -19,7 +19,7 @@
 Name: gtk3
 Version: 3.24.31
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: GTK+ graphical user interface library
 License: LGPLv2+
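Review bot: The `n_ranges > 0 ? ranges[0] : 0` guard added in `gtk_entry_drag_gesture_update` and `gtk_entry_drag_begin` is only safe if `gtk_entry_get_pixel_ranges` writes both `n_ranges` and `ranges` on every path, including the one that yields no ranges. The callee and the declarations are outside these hunks, so that cannot be confirmed from the patch. If either is left unwritten, the new test reads an indeterminate `n_ranges` and the following `g_free (ranges)` frees an indeterminate pointer. Initialising at the declarations, `gint *ranges = NULL;` and `gint n_ranges = 0;` (types assumed from the call, confirm against the file), would make both uses well-defined regardless of the callee. Both function bodies start and end outside the hunks.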
@@ -39,6 +39,10 @@ Patch3: gtk3-3.24.31-treeview-a11y-leak-fix.patch
 Patch4: 0001-theme-Reduce-the-height-of-titlebars.patch
 # https://issues.redhat.com/browse/RHEL-46993
 Patch5: 0001-Stop-looking-for-modules-in-cwd.patch
+# https://issues.redhat.com/browse/RHEL-22853
+Patch6: 0001-dnd-Prevent-a-possible-segfault.patch
+# https://issues.redhat.com/browse/RHEL-4130
+Patch7: remove-size-allocation-critical.patch
 BuildRequires: pkgconfig(atk) >= %{atk_version}
 BuildRequires: pkgconfig(atk-bridge-2.0)
@@ -306,6 +310,10 @@ gtk-query-immodules-3.0-%{__isa_bits} --update-cache &>/dev/null || :
 %{_datadir}/installed-tests/
 %changelog
+* Mon May 12 2025 Matthias Clasen - 3.24.31-6
+- Resolves: RHEL-4130
+- Resolves: RHEL-22853
+
 * Wed Jul 10 2024 Matthias Clasen - 3.24.31-5
 - Stop looking for modules in cwd (CVE-2024-6655)
 - Resolves: RHEL-46993
diff --git a/remove-size-allocation-critical.patch b/remove-size-allocation-critical.patch
new file mode 100644
index 0000000..4fdb26b
--- /dev/null
+++ b/remove-size-allocation-critical.patch
@@ -0,0 +1,11 @@
+diff --git a/gtk/gtkboxgadget.c b/gtk/gtkboxgadget.c
+index 3cc94da1de..dba84485d8 100644
+--- a/gtk/gtkboxgadget.c
++++ b/gtk/gtkboxgadget.c
+@@ -170,7 +170,6 @@ gtk_box_gadget_distribute (GtkBoxGadget *gadget,
+
+ if G_UNLIKELY (size < 0)
+ {
+- g_critical ("%s: assertion 'size >= 0' failed in %s", G_STRFUNC, G_OBJECT_TYPE_NAME (gtk_css_gadget_get_owner (GTK_CSS_GADGET (gadget))));
+ return;
+ }
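Review bot: Deleting the `g_critical` in `gtk_box_gadget_distribute` leaves the `size < 0` branch returning with no trace at all, so a negative size reaching this function can no longer be observed in any log. Unlike the dnd patch, this patch file has no description or upstream reference saying why a silent return is acceptable. Keeping a low-severity trace such as `g_debug ("%s: negative size, skipping distribution", G_STRFUNC);` would preserve the diagnostic without the critical warning. Failing that, a comment on the branch such as `/* negative size is ignored quietly, see RHEL-4130 */` would record the intent. What the caller receives after this early return is not visible, since the function body continues outside the hunk.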