From ad371a443526389e54af3743ef9cf6cef9d5adea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20=C3=85dahl?= Date: Fri, 20 Jan 2023 15:55:44 +0100 Subject: [PATCH] color-device: Don't write to fields when cancelled Writing to fields (in this case the MetaColorDevice::pending_state) in response to an asynchronous operation that was cancelled means we'll write to an arbitrary memory location, potentially causing segmentation faults or memory corruption. Avoid these segfaults or memory corruption by only updating state if we weren't cancelled. Also avoid trying to dereference the device pointer if we're cancelled. The memory corruption due to this has been causing test flakyness in the monitor unit tests due, which should now hopefully be fixed. Fixes: 19837796fe39b7ab83a10721e0c9d8fb748437c4 Part-of: --- src/backends/meta-color-device.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/backends/meta-color-device.c b/src/backends/meta-color-device.c index a3b8700e6..c0a98a46f 100644 --- a/src/backends/meta-color-device.c +++ b/src/backends/meta-color-device.c @@ -367,13 +367,13 @@ on_cd_device_connected (GObject *source_object, MetaColorDevice *color_device = user_data; g_autoptr (GError) error = NULL; - color_device->pending_state &= ~PENDING_CONNECTED; - if (!cd_device_connect_finish (cd_device, res, &error)) { if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED)) return; + color_device->pending_state &= ~PENDING_CONNECTED; + g_warning ("Failed to connect to colord device %s: %s", color_device->cd_device_id, error->message); @@ -384,6 +384,7 @@ on_cd_device_connected (GObject *source_object, } else { + color_device->pending_state &= ~PENDING_CONNECTED; meta_topic (META_DEBUG_COLOR, "Color device '%s' connected", color_device->cd_device_id); } @@ -423,8 +424,6 @@ ensure_device_profile_cb (GObject *source_object, MetaColorProfile *color_profile; g_autoptr (GError) error = NULL; - color_device->pending_state &= ~PENDING_EDID_PROFILE; - color_profile = meta_color_store_ensure_device_profile_finish (color_store, res, &error); @@ -436,6 +435,7 @@ ensure_device_profile_cb (GObject *source_object, g_warning ("Failed to create device color profile: %s", error->message); + color_device->pending_state &= ~PENDING_EDID_PROFILE; g_cancellable_cancel (color_device->cancellable); meta_color_device_notify_ready (color_device, FALSE); return; @@ -444,6 +444,7 @@ ensure_device_profile_cb (GObject *source_object, meta_topic (META_DEBUG_COLOR, "Color device '%s' generated", color_device->cd_device_id); + color_device->pending_state &= ~PENDING_EDID_PROFILE; g_set_object (&color_device->device_profile, color_profile); if (!meta_color_profile_is_ready (color_profile)) @@ -647,7 +648,7 @@ on_profile_written (GObject *source_object, GFile *file = G_FILE (source_object); g_autoptr (GTask) task = G_TASK (user_data); GenerateProfileData *data = g_task_get_task_data (task); - MetaColorManager *color_manager = data->color_device->color_manager; + MetaColorManager *color_manager; g_autoptr (GError) error = NULL; MetaColorProfile *color_profile; @@ -668,6 +669,7 @@ on_profile_written (GObject *source_object, meta_topic (META_DEBUG_COLOR, "On-disk device profile '%s' updated", g_file_peek_path (file)); + color_manager = data->color_device->color_manager; color_profile = meta_color_profile_new_from_icc (color_manager, g_steal_pointer (&data->cd_icc),