gnucash maint: Fix use-after-free crash in gnc_set_busy_cursor.

[John Ralls]

Updated	 via  https://github.com/Gnucash/gnucash/commit/0d0ab002 (commit)
	from  https://github.com/Gnucash/gnucash/commit/70abdbd1 (commit)



commit 0d0ab002f5c817253940b96532cdd1847314976c
Author: John Ralls <jralls at ceridwen.us>
Date:   Mon Aug 29 12:47:38 2022 -0700

    Fix use-after-free crash in gnc_set_busy_cursor.

diff --git a/gnucash/gnome-utils/cursors.c b/gnucash/gnome-utils/cursors.c
index e787a0525..5a626a141 100644
--- a/gnucash/gnome-utils/cursors.c
+++ b/gnucash/gnome-utils/cursors.c
@@ -83,9 +83,16 @@ gnc_set_busy_cursor (GtkWidget *w, gboolean update_now)
         gnc_ui_set_cursor (gtk_widget_get_window(w), GNC_CURSOR_BUSY, update_now);
     else
     {
-        GList *containerstop, *node;
-
-        for (containerstop = node = gtk_window_list_toplevels (); node; node = node->next)
+        /* gnc_ui_set_cursor runs the event loop and if there's an
+         * idle waiting that destroys a toplevel further down the list
+         * then we'll get a use after free crash unless we have our
+         * own reference, so take a reference to all of the toplevels
+         * and release them all after the loop finishes.
+         */
+        GList *containerstop = gtk_window_list_toplevels (), *node;
+        g_list_foreach (containerstop, (GFunc)g_object_ref, NULL);
+
+        for (node = containerstop; node; node = node->next)
         {
             w = node->data;
 
@@ -94,7 +101,7 @@ gnc_set_busy_cursor (GtkWidget *w, gboolean update_now)
 
             gnc_ui_set_cursor (gtk_widget_get_window(w), GNC_CURSOR_BUSY, update_now);
         }
-        g_list_free (containerstop);
+        g_list_free_full (containerstop, (GDestroyNotify)g_object_unref);
     }
 }
 



Summary of changes:
 gnucash/gnome-utils/cursors.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)