Fix use after free when returned objects hold only one ref

It seems that not all code expects atk_object_ref_accessible_child()
returning NULL, neither that it can return an object with only one
reference, thus the following unref in the code can cause use-after-free
eventually.

At least the chunk in impl_GetChildAtIndex() avoids runtime warning about
invalid object being passed to g_object_unref(), which happened, in this
case, when evolution returned NULL. Evolution returns objects with one
reference only often, which tries to address the other chunks here.

https://bugzilla.gnome.org/show_bug.cgi?id=781716

diff --git a/atk-adaptor/adaptors/accessible-adaptor.c b/atk-adaptor/adaptors/accessible-adaptor.c
index 058b11698a30ebdabe2745d52ae4c5bd7439b856..572e4f89bebec33b19fe1d19bc7a6406a7b31570 100644 (file)
--- a/atk-adaptor/adaptors/accessible-adaptor.c
+++ b/atk-adaptor/adaptors/accessible-adaptor.c
@@ -182,7 +182,8 @@ impl_GetChildAtIndex (DBusConnection * bus,
     }
   child = atk_object_ref_accessible_child (object, i);
   reply = spi_object_return_reference (message, child);
-  g_object_unref (child);
+  if (child)
+    g_object_unref (child);
 
   return reply;
 }

diff --git a/atk-adaptor/adaptors/collection-adaptor.c b/atk-adaptor/adaptors/collection-adaptor.c
index 42ea073bfa39a66aae3a4b73479f59062e3283db..b57c5f6cf8a5226cc2ed2c5fcccd20a98adc7fea 100644 (file)
--- a/atk-adaptor/adaptors/collection-adaptor.c
+++ b/atk-adaptor/adaptors/collection-adaptor.c
@@ -494,9 +494,12 @@ sort_order_canonical (MatchRulePrivate * mrp, GList * ls,
     {
       AtkObject *child = atk_object_ref_accessible_child (obj, i);
 
-      g_object_unref (child);
+      if (!child)
+        continue;
+
       if (prev && child == pobj)
         {
+          g_object_unref (child);
           return kount;
         }
 
@@ -517,6 +520,7 @@ sort_order_canonical (MatchRulePrivate * mrp, GList * ls,
         kount = sort_order_canonical (mrp, ls, kount,
                                       max, child, 0, TRUE,
                                       pobj, recurse, traverse);
+      g_object_unref (child);
     }
   return kount;
 }
@@ -559,19 +563,23 @@ sort_order_rev_canonical (MatchRulePrivate * mrp, GList * ls,
          and get it's last descendant.
          First, get the previous sibling */
       nextobj = atk_object_ref_accessible_child (parent, indexinparent - 1);
-      g_object_unref (nextobj);
 
       /* Now, drill down the right side to the last descendant */
-      while (atk_object_get_n_accessible_children (nextobj) > 0)
+      while (nextobj && atk_object_get_n_accessible_children (nextobj) > 0)
         {
-          nextobj = atk_object_ref_accessible_child (nextobj,
+         AtkObject *follow;
+
+          follow = atk_object_ref_accessible_child (nextobj,
                                                      atk_object_get_n_accessible_children
                                                      (nextobj) - 1);
           g_object_unref (nextobj);
+         nextobj = follow;
         }
       /* recurse with the last descendant */
       kount = sort_order_rev_canonical (mrp, ls, kount, max,
                                         nextobj, TRUE, pobj);
+      if (nextobj)
+        g_object_unref (nextobj);
     }
   else if (max == 0 || kount < max)
     {