From 5ecce8dc19dab33ca2ecee2707441df4baf2ccd3 Mon Sep 17 00:00:00 2001 From: Bad Sector Date: Sun, 27 Aug 2023 06:23:49 +0300 Subject: [PATCH] LCL-GTK2: Fix double free due to wrong refcount during SaveDC/RestoreDC CopyDataFrom copies the FPixmap field directly without updating reference counts for the objects, which in some cases ends up attempting to unref (in the TGtkDeviceContext destructor) an already freed object (this can happen when, e.g., SaveDC/RestoreDC is called twice with the same DC - in the first SaveDC/RestoreDC "pass", RestoreDC deletes the FPixmap object during the saved context destruction and in the second "pass" the object is already destroyed and the program crashes). This patch fixes this by adding calls to ref/unref during CopyDataFrom for the FPixmap. --- lcl/interfaces/gtk2/gtk2devicecontext.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lcl/interfaces/gtk2/gtk2devicecontext.inc b/lcl/interfaces/gtk2/gtk2devicecontext.inc index 5b963b4c98..19c00dc75f 100644 --- a/lcl/interfaces/gtk2/gtk2devicecontext.inc +++ b/lcl/interfaces/gtk2/gtk2devicecontext.inc @@ -681,6 +681,8 @@ begin FWithChildWindows := ASource.FWithChildWindows; FDrawable := ASource.FDrawable; + if Assigned(ASource.FPixbuf) then gdk_pixbuf_ref(ASource.FPixbuf); + if Assigned(FPixbuf) then gdk_pixbuf_unref(FPixbuf); FPixbuf := ASource.Pixbuf; FOriginalDrawable := ASource.FOriginalDrawable;
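Review bot: the stored pointer and the reference taken in this hunk come from different expressions: the new line refs `ASource.FPixbuf`, but the unchanged assignment below it still reads `FPixbuf := ASource.Pixbuf`. If `Pixbuf` is a property whose getter can return anything other than the `FPixbuf` field, the object that was ref'd and the object the destructor will later unref are not the same, and the refcount is wrong again in the very case this patch is meant to fix. Use `ASource.FPixbuf` consistently, i.e. change the assignment to `FPixbuf := ASource.FPixbuf;` (or ref the property value instead), so the three lines refer to one object. The ordering of the two added lines is correct: taking the reference on the source before unref'ing the current `FPixbuf` keeps the case `ASource = Self` safe. Separately, the commit message speaks of `FPixmap` throughout while the code changes `FPixbuf`; aligning the description with the actual field name makes the fix easier to find when the next refcount issue is investigated.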