Fix GtkDragSourceInfo disposal

gtk_drag_clear_source_info() immediately unrefs the info attached
to the context (the very same info we're in the process of destroying
in gtk_drag_source_info_free()). If that reference was the last one,
then accessing the info object after that is a use-after-free error.
Also, change the order a bit to first free the event, and only then
unref the context.

Fix this by copying all the fields of the info that we need, and
then working with these copies.

1 files changed, 10 insertions, 4 deletions

diff --git a/gtk/gtkdnd.c b/gtk/gtkdnd.c
index fca79b5d90..dd66413f5d 100644
--- a/gtk/gtkdnd.c
+++ b/gtk/gtkdnd.c
@@ -2768,6 +2768,9 @@ gtk_drag_source_info_free (GtkDragSourceInfo *info)
 static void
 gtk_drag_source_info_destroy (GtkDragSourceInfo *info)
 {
+  GdkDragContext *context;
+  GdkEvent       *last_event;
+
   g_signal_handlers_disconnect_by_func (info->context,
                                         gtk_drag_context_drop_performed_cb,
                                         info);
@@ -2820,12 +2823,15 @@ gtk_drag_source_info_destroy (GtkDragSourceInfo *info)
 
   /* keep the icon_window alive until the (possible) drag cancel animation is done */
   g_object_set_data_full (G_OBJECT (info->context), "former-gtk-source-info", info, (GDestroyNotify)gtk_drag_source_info_free);
+  context = info->context;
+  last_event = info->last_event;
 
-  gtk_drag_clear_source_info (info->context);
-  g_object_unref (info->context);
+  gtk_drag_clear_source_info (context);
 
-  if (info->last_event)
-    gdk_event_free (info->last_event);
+  if (last_event)
+    gdk_event_free (last_event);
+
+  g_object_unref (context);
 }
 
 static gboolean