From 682d6f9ee204bab4ef3c1092e4cd4c1c345367d1 Mon Sep 17 00:00:00 2001
From: Giovanni Campagna
Date: Wed, 26 Feb 2014 00:47:11 +0100
Subject: [PATCH] keybindings: fix invalid read after a keybinding is removed

The handler pointer is dangling in MetaKeyBinding until rebuild_key_binding_table() is run, so we can't dereference it. Because we only need the flags at ungrab time, store a copy in the MetaKeyBinding structure.

https://bugzilla.gnome.org/show_bug.cgi?id=724402
---
 src/core/keybindings-private.h | 1 +
 src/core/keybindings.c | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/core/keybindings-private.h b/src/core/keybindings-private.h
index 239d462a4..56089057d 100644
--- a/src/core/keybindings-private.h
+++ b/src/core/keybindings-private.h
@@ -47,6 +47,7 @@ struct _MetaKeyBinding
 KeyCode keycode;
 unsigned int mask;
 MetaVirtualModifier modifiers;
+ gint flags;
 MetaKeyHandler *handler;
 };
diff --git a/src/core/keybindings.c b/src/core/keybindings.c
index f7329bd29..3c96b3179 100644
--- a/src/core/keybindings.c
+++ b/src/core/keybindings.c
@@ -607,6 +608,7 @@ rebuild_binding_table (MetaDisplay *display,
 (*bindings_p)[i].name = pref->name;
 (*bindings_p)[i].handler = handler;
+ (*bindings_p)[i].flags = handler->flags;
 (*bindings_p)[i].keysym = combo->keysym;
 (*bindings_p)[i].keycode = combo->keycode;
 (*bindings_p)[i].modifiers = combo->modifiers;
@@ -623,6 +624,7 @@ rebuild_binding_table (MetaDisplay *display,
 (*bindings_p)[i].name = pref->name;
 (*bindings_p)[i].handler = handler;
+ (*bindings_p)[i].flags = handler->flags;
 (*bindings_p)[i].keysym = combo->keysym;
 (*bindings_p)[i].keycode = combo->keycode;
 (*bindings_p)[i].modifiers = combo->modifiers | 
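Review bot: The new `gint flags;` field in struct _MetaKeyBinding carries no hint that it exists only because `handler` can dangle, so the next maintainer may "simplify" it back to `handler->flags` and reintroduce the invalid read; a comment on the field should record the reason, e.g. `gint flags; /* snapshot of handler->flags: handler may dangle after removal until rebuild_key_binding_table() runs, so readers must use this copy */`. The field is also typed `gint` while the value it mirrors is read from `MetaKeyHandler`; if that struct declares `flags` with a dedicated enum type (its declaration is outside this hunk), using the same type here keeps the two in step and lets the compiler catch mismatched masks. The struct _MetaKeyBinding definition begins before this hunk.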
@@ -649,6 +651,7 @@ rebuild_binding_table (MetaDisplay *display,
 (*bindings_p)[i].name = grab->name;
 (*bindings_p)[i].handler = handler;
+ (*bindings_p)[i].flags = handler->flags;
 (*bindings_p)[i].keysym = grab->combo->keysym;
 (*bindings_p)[i].keycode = grab->combo->keycode;
 (*bindings_p)[i].modifiers = grab->combo->modifiers;
@@ -1164,7 +1167,7 @@ change_binding_keygrabs (MetaKeyBinding *bindings,
 while (i < n_bindings)
 {
 if (!!binding_per_window ==
- !!(bindings[i].handler->flags & META_KEY_BINDING_PER_WINDOW) &&
+ !!(bindings[i].flags & META_KEY_BINDING_PER_WINDOW) &&
 bindings[i].keycode != 0)
 {
 meta_change_keygrab (display, xwindow, grab,
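Review bot: Switching this reader in change_binding_keygrabs to `bindings[i].flags` removes one dereference of the stale pointer, but `bindings[i].handler` itself is left pointing at freed memory between removal and the next rebuild_key_binding_table(), so any other code that touches it in that window still has a use-after-free, and freed memory reads are exactly the kind of bug that is silent under normal runs and exploitable under attacker-controlled heap layout. If the removal path (not in this diff) can reach the bindings array, clearing the pointer there, `binding->handler = NULL;`, turns a later stale access into a deterministic crash instead of a read of reused memory; if it cannot, a comment at this use site saying that `handler` must not be dereferenced before the rebuild would at least warn the next reader. The flags snapshot also silently diverges if a handler's flags are ever changed after the table is built, which nothing visible here prevents. The change_binding_keygrabs body continues past this hunk.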