From 9d133d8ebbf9d99db0a02eaa6843c7e43cdec480 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Florian=20M=C3=BCllner?=
Date: Tue, 20 Feb 2018 17:23:16 +0100
Subject: [PATCH] st: Guard against spec being invalided during shadow creation

If an actor is pending a relaying when get_allocation_box() is called, the method forces an allocation update. In case of StWidget, this might then result in a style update and a consecutive invalidation of the shadow spec - we will then try to create a shadow specified by random memory, with undefined (though likely fatal) consequences.

Guard against this by taking a temporary reference during the function call.

https://bugzilla.gnome.org/show_bug.cgi?id=788908
---
 src/st/st-private.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/st/st-private.c b/src/st/st-private.c
index be78833e7..df94751bf 100644
--- a/src/st/st-private.c
+++ b/src/st/st-private.c
@@ -417,11 +417,17 @@ _st_create_shadow_pipeline_from_actor (StShadow *shadow_spec,
   ClutterActorBox box;
   float width, height;
 
+  /* Querying the actor's allocation may force an allocation update, which
+   * may cause a style update, which then may invalidate shadow_spec; make
+   * sure the spec is kept alive by taking a temporary reference
+   */
+  st_shadow_spec_ref (shadow_spec);
+
   clutter_actor_get_allocation_box (actor, &box);
   clutter_actor_box_get_size (&box, &width, &height);
 
   if (width == 0 || height == 0)
-    return NULL;
+    goto out;
 
   if (CLUTTER_IS_TEXTURE (actor))
     {
@@ -448,7 +454,7 @@ _st_create_shadow_pipeline_from_actor (StShadow *shadow_spec,
                                           COGL_PIXEL_FORMAT_ANY);
 
       if (buffer == NULL)
-        return NULL;
+        goto out;
 
       offscreen = cogl_offscreen_new_with_texture (buffer);
       fb = COGL_FRAMEBUFFER (offscreen);
@@ -458,7 +464,7 @@ _st_create_shadow_pipeline_from_actor (StShadow *shadow_spec,
           cogl_error_free (catch_error);
           cogl_object_unref (offscreen);
           cogl_object_unref (buffer);
-          return NULL;
+          goto out;
         }
 
       cogl_color_init_from_4ub (&clear_color, 0, 0, 0, 0);
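Review bot: Replacing the three `return NULL;` with `goto out;` makes the `width == 0 || height == 0`, `buffer == NULL` and framebuffer-allocation-failure paths return whatever `shadow_pipeline` holds, so their result now depends on that variable being initialised to NULL at its declaration, which sits above this hunk and is not visible here; if it is not, those paths hand the caller an indeterminate pointer, which would be worse than the bug being fixed. Confirm the declaration reads `CoglPipeline *shadow_pipeline = NULL;` or make it so. Because `st_shadow_spec_ref (shadow_spec)` is now the first statement, any `return` that survives in the parts of the function the hunks do not show (between the first and second, and between the third and last hunk) would leak the reference, so a grep for `return` across the whole function is cheap insurance. `_st_create_shadow_pipeline_from_actor` begins before this hunk and its body continues past it.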
@@ -488,6 +494,8 @@ _st_create_shadow_pipeline_from_actor (StShadow *shadow_spec,
       cogl_object_unref (buffer);
     }
 
+  st_shadow_spec_unref (shadow_spec);
+
   return shadow_pipeline;
 }
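Review bot: No visible hunk adds the `out:` label that the three new `goto out;` statements jump to; this hunk adds only `st_shadow_spec_unref (shadow_spec);` and a blank line ahead of `return shadow_pipeline;`, and the header's +2 line count agrees with that. Unless the label sits in a part of the diff not shown here, the patch as displayed does not compile; the minimal fix is a line `out:` placed immediately before the unref, which also makes it the single exit that releases the reference taken at the top of the function. A short comment there, e.g. `/* Single exit: drops the ref taken before get_allocation_box() */`, would tell the next maintainer why early returns are not allowed in this function. The function's start lies outside this hunk.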