From 3bf948cc2618632aaaaabefae1b1be50d5a607c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ga=C3=ABl=20Bonithon?= <gael@xfce.org>
Date: Sun, 16 Apr 2023 17:55:54 +0200
Subject: [PATCH] tasklist: Fix use-after-free on tasklist child

This was running smoothly since 2010 but the update to GLib 2.76, which
makes g_slice_free() a simple wrapper around g_free_sized(), revealed
this bug.

Fixes: #730
(cherry picked from commit a5a289ede6c2175b97059ead5d63a59dbde04ea0)
---
 plugins/tasklist/tasklist-widget.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/plugins/tasklist/tasklist-widget.c b/plugins/tasklist/tasklist-widget.c
index 24dfdb7db..c0095d70d 100644
--- a/plugins/tasklist/tasklist-widget.c
+++ b/plugins/tasklist/tasklist-widget.c
@@ -1501,6 +1501,15 @@ xfce_tasklist_scroll_event (GtkWidget      *widget,
 
 
 
+static gboolean
+xfce_tasklist_free_child (gpointer data)
+{
+  g_slice_free (XfceTasklistChild, data);
+  return FALSE;
+}
+
+
+
 static void
 xfce_tasklist_remove (GtkContainer *container,
                       GtkWidget    *widget)
@@ -1528,7 +1537,10 @@ xfce_tasklist_remove (GtkContainer *container,
           if (child->pixbuf != NULL)
             g_object_unref (child->pixbuf);
 
-          g_slice_free (XfceTasklistChild, child);
+          /* allow time for signal handlers connected to the destroy/dispose signals of
+           * child members to run, they could refer to these members via child, e.g.
+           * child->button as above to test for equality */
+          g_idle_add (xfce_tasklist_free_child, child);
 
           /* queue a resize if needed */
           if (G_LIKELY (was_visible))
-- 
GitLab