Hi, this PR fixes a use-after-free in codenav's go-to-file (which often results in a crash).
## Problem:
### How to reproduce
1. Run geany from command line, to observe error messages
2. Enable codenav plugin, open some document (to allow use of go-to tool)
3. Trigger go-to-file tool (e.g. via shortcut)
4. Write `/`
5. Cancel & close dialog
6. Trigger go-to-file again
7. Write `a`
-> You will likely see an assertion fail in the output, or if you are lucky geany will crash altogether:
`gtk_entry_completion_set_model: assertion 'model == NULL || GTK_IS_TREE_MODEL (model)' failed`
Valgrind shows an invalid read to previously freed memory:
<details>
```
Invalid read of size 8
at 0x4DD5820: UnknownInlinedFun (gtkentrycompletion.c:1224)
by 0x4DD5820: gtk_entry_completion_set_model (gtkentrycompletion.c:1220)
by 0xE2E89F3: directory_check (goto_file.c:166)
by 0x5A6B72F: g_closure_invoke (gclosure.c:834)
by 0x5A9AC1A: signal_emit_unlocked_R.isra.0 (gsignal.c:3961)
by 0x5A8B7A1: signal_emit_valist_unlocked (gsignal.c:3520)
by 0x5A8BCAF: g_signal_emit_by_name (gsignal.c:3624)
by 0x4DBAC29: end_change.lto_priv.0 (gtkentry.c:2941)
by 0x4DC6576: gtk_entry_real_insert_text.lto_priv.0 (gtkentry.c:5401)
by 0x5A6B72F: g_closure_invoke (gclosure.c:834)
by 0x5A9AF49: signal_emit_unlocked_R.isra.0 (gsignal.c:3928)
by 0x5A8B7A1: signal_emit_valist_unlocked (gsignal.c:3520)
by 0x5A8BCAF: g_signal_emit_by_name (gsignal.c:3624)
Address 0xd42b8e0 is 96 bytes inside a block of size 136 free'd
at 0x48468CF: free (vg_replace_malloc.c:985)
by 0x5A90164: g_type_free_instance (gtype.c:2023)
by 0x5A7A732: g_object_unref (gobject.c:4475)
by 0x48E5AC9: run_kb (keybindings.c:1334)
by 0x48E5AC9: run_kb (keybindings.c:1325)
by 0x48E67E4: on_key_press_event (keybindings.c:1396)
by 0x4CFA6CC: _gtk_marshal_BOOLEAN__BOXED.part.0 (gtkmarshalers.c:84)
by 0x5A6B72F: g_closure_invoke (gclosure.c:834)
by 0x5A9A895: signal_emit_unlocked_R.isra.0 (gsignal.c:3888)
by 0x5A8B094: signal_emit_valist_unlocked (gsignal.c:3533)
by 0x5A8B9D6: g_signal_emit_valist (gsignal.c:3263)
by 0x5A8BA93: g_signal_emit (gsignal.c:3583)
by 0x4FC2CD4: gtk_widget_event_internal.part.0.lto_priv.0 (gtkwidget.c:7812)
Block was alloc'd at
at 0x484A993: calloc (vg_replace_malloc.c:1595)
by 0x5B2651A: g_malloc0 (gmem.c:133)
by 0x5A96F1B: g_type_create_instance (gtype.c:1923)
by 0x5A7CB10: g_object_new_internal.part.0 (gobject.c:2603)
by 0x5A7E0C6: UnknownInlinedFun (gobject.c:2600)
by 0x5A7E0C6: g_object_new_with_properties (gobject.c:2766)
by 0x5A7F009: g_object_new (gobject.c:2412)
by 0x4E56A25: gtk_list_store_new (gtkliststore.c:426)
by 0xE2E8573: build_file_list (goto_file.c:111)
by 0xE2E86A7: menu_item_activate (goto_file.c:285)
by 0x48E5AC9: run_kb (keybindings.c:1334)
by 0x48E5AC9: run_kb (keybindings.c:1325)
by 0x48E67E4: on_key_press_event (keybindings.c:1396)
by 0x4CFA6CC: _gtk_marshal_BOOLEAN__BOXED.part.0 (gtkmarshalers.c:84)
Invalid read of size 8
at 0x5A92C79: g_type_check_instance_is_a (gtype.c:4133)
by 0x4DD5836: UnknownInlinedFun (gtkentrycompletion.c:1224)
by 0x4DD5836: gtk_entry_completion_set_model (gtkentrycompletion.c:1220)
by 0xE2E89F3: directory_check (goto_file.c:166)
by 0x5A6B72F: g_closure_invoke (gclosure.c:834)
by 0x5A9AC1A: signal_emit_unlocked_R.isra.0 (gsignal.c:3961)
by 0x5A8B7A1: signal_emit_valist_unlocked (gsignal.c:3520)
by 0x5A8BCAF: g_signal_emit_by_name (gsignal.c:3624)
by 0x4DBAC29: end_change.lto_priv.0 (gtkentry.c:2941)
by 0x4DC6576: gtk_entry_real_insert_text.lto_priv.0 (gtkentry.c:5401)
by 0x5A6B72F: g_closure_invoke (gclosure.c:834)
by 0x5A9AF49: signal_emit_unlocked_R.isra.0 (gsignal.c:3928)
by 0x5A8B7A1: signal_emit_valist_unlocked (gsignal.c:3520)
Address 0xd42b8e0 is 96 bytes inside a block of size 136 free'd
at 0x48468CF: free (vg_replace_malloc.c:985)
by 0x5A90164: g_type_free_instance (gtype.c:2023)
by 0x5A7A732: g_object_unref (gobject.c:4475)
by 0x48E5AC9: run_kb (keybindings.c:1334)
by 0x48E5AC9: run_kb (keybindings.c:1325)
by 0x48E67E4: on_key_press_event (keybindings.c:1396)
by 0x4CFA6CC: _gtk_marshal_BOOLEAN__BOXED.part.0 (gtkmarshalers.c:84)
by 0x5A6B72F: g_closure_invoke (gclosure.c:834)
by 0x5A9A895: signal_emit_unlocked_R.isra.0 (gsignal.c:3888)
by 0x5A8B094: signal_emit_valist_unlocked (gsignal.c:3533)
by 0x5A8B9D6: g_signal_emit_valist (gsignal.c:3263)
by 0x5A8BA93: g_signal_emit (gsignal.c:3583)
by 0x4FC2CD4: gtk_widget_event_internal.part.0.lto_priv.0 (gtkwidget.c:7812)
Block was alloc'd at
at 0x484A993: calloc (vg_replace_malloc.c:1595)
by 0x5B2651A: g_malloc0 (gmem.c:133)
by 0x5A96F1B: g_type_create_instance (gtype.c:1923)
by 0x5A7CB10: g_object_new_internal.part.0 (gobject.c:2603)
by 0x5A7E0C6: UnknownInlinedFun (gobject.c:2600)
by 0x5A7E0C6: g_object_new_with_properties (gobject.c:2766)
by 0x5A7F009: g_object_new (gobject.c:2412)
by 0x4E56A25: gtk_list_store_new (gtkliststore.c:426)
by 0xE2E8573: build_file_list (goto_file.c:111)
by 0xE2E86A7: menu_item_activate (goto_file.c:285)
by 0x48E5AC9: run_kb (keybindings.c:1334)
by 0x48E5AC9: run_kb (keybindings.c:1325)
by 0x48E67E4: on_key_press_event (keybindings.c:1396)
by 0x4CFA6CC: _gtk_marshal_BOOLEAN__BOXED.part.0 (gtkmarshalers.c:84)
Gtk-CRITICAL **: 22:43:16.822: gtk_entry_completion_set_model: assertion 'model == NULL || GTK_IS_TREE_MODEL (model)' failed
```
</details>
## Cause
From what I understand, the root cause is here:
https://github.com/geany/geany-plugins/blob/2b897dc56c097551d2214aef9bfe2c9…
The model is saved in `old_model`, but the refcount is not incremented. As soon as the entry is destroyed, the model's refcount drops to 0 and it's deallocated. The (static) `old_model` now points to freed memory. In the next invocation, `gtk_entry_completion_set_model()` will be called with `old_model`, resulting in an invalid read in freed memory.
## Fix
Increment ref count when caching the completion model (what this PR does).
Extra evidence: With this PR applied, add a print for the refcount before `gtk_entry_completion_set_model()`, like so:
```c
printf("old model %p refcount %u\n", old_model, ((GObject *) old_model)->ref_count);
gtk_entry_completion_set_model (completion, old_model);
```
This shows a refcount of 1 at that point, so if not for the `g_object_ref()` call added in this PR, this would have been 0, and the model would have been freed.
You can view, comment on, or merge this pull request online at:
https://github.com/geany/geany-plugins/pull/1339
-- Commit Summary --
* codenav: Fix use-after-free in cached completion model
-- File Changes --
M codenav/src/goto_file.c (6)
-- Patch Links --
https://github.com/geany/geany-plugins/pull/1339.patch
https://github.com/geany/geany-plugins/pull/1339.diff
--
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany-plugins/pull/1339
You are receiving this because you are subscribed to this thread.
Message ID: <geany/geany-plugins/pull/1339(a)github.com>
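The ownership bug described in the pull request above, as an added example that is not part of the original message or of the geany-plugins code: a static cache that only borrows a reference-counted object dangles once the last owner drops its reference, while a cache that takes its own reference does not. The `Model` type, the pool and all function names except `old_model` are hypothetical stand-ins for the GObject calls, and "finalized" is tracked with a flag so the state can be inspected without reading freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for a GObject. Slots come from a static pool, so a
 * "finalized" object can be inspected without touching freed memory. */
typedef struct { unsigned ref_count; bool finalized; } Model;

static Model pool[4];
static size_t pool_used;
static Model *old_model;               /* static cache, as in the PR text */

static Model *model_new(void) {        /* new objects start at ref_count 1 */
    Model *m = &pool[pool_used++];
    m->ref_count = 1;
    m->finalized = false;
    return m;
}
static Model *model_ref(Model *m) { m->ref_count++; return m; }
static void model_unref(Model *m) {
    if (--m->ref_count == 0) m->finalized = true;  /* real code frees here */
}

/* One dialog lifetime: the completion owns the only reference to a fresh
 * model, the handler caches it, then the dialog is destroyed. */
static void dialog_session(bool cache_takes_ref) {
    Model *completion_model = model_new();
    old_model = cache_takes_ref ? model_ref(completion_model)
                                : completion_model;
    model_unref(completion_model);     /* entry destroyed: owner drops ref */
}

static void reset(void) { pool_used = 0; old_model = NULL; }

/* True if the next invocation would pass a finalized model on,
 * which is the use-after-free condition. */
static bool next_use_is_dangling(bool cache_takes_ref) {
    reset();
    dialog_session(cache_takes_ref);
    return old_model->finalized;
}

/* Reference count seen through the cache after the dialog is gone. */
static unsigned cached_refcount(bool cache_takes_ref) {
    reset();
    dialog_session(cache_takes_ref);
    return old_model->ref_count;
}

int main(void) {
    printf("borrowed: dangling=%d\n", next_use_is_dangling(false));
    printf("owning:   dangling=%d refcount=%u\n",
           next_use_is_dangling(true), cached_refcount(true));
    return 0;
}
```

A cache that owns a reference also has to release it when the cached value is replaced or the plugin is unloaded, otherwise the fix trades the dangling pointer for a leak.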
* Improve documentation
* Add support for webkit2gtk-4.1 (no changes)
* Add a key binding & menu item for loading the current file into the web view (for e.g. static HTML pages)
You can view, comment on, or merge this pull request online at:
https://github.com/geany/geany-plugins/pull/1295
-- Commit Summary --
* webhelper: Improve usage in README
* webhelper: Allow building with webkit2gtk-4.1
* webhelper: Show accelerator in context menu
* webhelper: Add support for loading the current file in the web view
-- File Changes --
M build/webhelper.m4 (11)
M webhelper/README (12)
M webhelper/src/gwh-browser.c (73)
M webhelper/src/gwh-browser.h (5)
M webhelper/src/gwh-keybindings.h (1)
M webhelper/src/gwh-plugin.c (10)
-- Patch Links --
https://github.com/geany/geany-plugins/pull/1295.patch
https://github.com/geany/geany-plugins/pull/1295.diff
--
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany-plugins/pull/1295
Message ID: <geany/geany-plugins/pull/1295(a)github.com>
I installed Geany on Linux Peppermint OS based on 32 bits for a very old notebook. It works fine; really huge thanks for this editor.
About the plugins: nothing about https://asciidoctor.org appears on the https://plugins.geany.org page. I did realize that a plugin exists for `Markdown` to support its syntax, with the respective _preview_ tab.
Please, could you consider adding a plugin for `Asciidoctor`?
Thanks for your understanding.
--
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany-plugins/issues/1282
Message ID: <geany/geany-plugins/issues/1282(a)github.com>
If I open Geany, press Ctrl+N, start typing a file and save it, then click in the text area of the file with my mouse, it segfaults... If I spam the mouse in the text area after pressing Ctrl+N, it also segfaults. I am running Gentoo, fully up to date, compiled from source, Geany version 2.0.
```
l33tlinuxh4x0r@Ryzen ~ $ geany -v
(geany:86563): GLib-GIO-DEBUG: 16:38:29.129: Using cross-namespace EXTERNAL authentication (this will deadlock if server is GDBus < 2.73.3)
(geany:86563): GLib-GIO-DEBUG: 16:38:29.131: _g_io_module_get_default: Found default implementation gvfs (GDaemonVfs) for ‘gio-vfs’
Geany-INFO: 16:38:29.148: Geany 2.0, unknown
Geany-INFO: 16:38:29.148: GTK 3.24.41, GLib 2.78.4
Geany-INFO: 16:38:29.148: OS: Gentoo Linux
Geany-INFO: 16:38:29.148: System data dir: /usr/share/geany
Geany-INFO: 16:38:29.148: User config dir: /home/l33tlinuxh4x0r/.config/geany
Geany-INFO: 16:38:29.207: Loaded GTK+ CSS theme '/usr/share/geany/geany.css'
Geany-INFO: 16:38:29.209: System plugin path: /usr/lib64/geany
Geany-INFO: 16:38:29.212: Added filetype Groovy (65).
Geany-INFO: 16:38:29.212: Added filetype Nim (66).
Geany-INFO: 16:38:29.212: Added filetype Meson (67).
Geany-INFO: 16:38:29.212: Added filetype Kotlin (68).
Geany-INFO: 16:38:29.212: Added filetype Scala (69).
Geany-INFO: 16:38:29.212: Added filetype Arduino (70).
Geany-INFO: 16:38:29.212: Added filetype CUDA (71).
Geany-INFO: 16:38:29.212: Added filetype JSON (72).
Geany-INFO: 16:38:29.212: Added filetype TypeScript (73).
Geany-INFO: 16:38:29.212: Added filetype Graphviz (74).
Geany-INFO: 16:38:29.212: Added filetype Clojure (75).
Geany-INFO: 16:38:29.212: Added filetype Genie (76).
Geany-INFO: 16:38:29.212: Added filetype Cython (77).
Geany-INFO: 16:38:29.212: Added filetype Swift (78).
Geany-INFO: 16:38:29.218: Loaded libvte from libvte-2.91.so
Geany-INFO: 16:38:29.219: Loaded: /usr/lib64/geany/overview.so (Overview)
Geany-INFO: 16:38:29.226: /home/l33tlinuxh4x0r/work.py : Python (UTF-8)
Geany-INFO: 16:38:29.234: Loaded /usr/share/geany/tags/std.py.tags (Python), 15267 symbol(s).
Geany-INFO: 16:38:29.252: /home/l33tlinuxh4x0r/work2.py : Python (UTF-8)
Geany-INFO: 16:38:29.255: /home/l33tlinuxh4x0r/work3.py : Python (UTF-8)
Geany-INFO: 16:38:29.257: /home/l33tlinuxh4x0r/work4.py : Python (UTF-8)
Geany-INFO: 16:38:29.259: /home/l33tlinuxh4x0r/work5.py : Python (UTF-8)
Geany-INFO: 16:38:29.261: /home/l33tlinuxh4x0r/work6.py : Python (UTF-8)
Geany-INFO: 16:38:29.264: /home/l33tlinuxh4x0r/work7.py : Python (UTF-8)
Geany-INFO: 16:38:29.267: /home/l33tlinuxh4x0r/work8.py : Python (UTF-8)
(geany:86563): GLib-DEBUG: 16:38:29.372: g_unix_open_pipe() called with FD_CLOEXEC; please migrate to using O_CLOEXEC instead
Geany-INFO: 16:38:33.653: unknown : None (UTF-8)
(geany:86563): GLib-GIO-DEBUG: 16:38:38.122: Using cross-namespace EXTERNAL authentication (this will deadlock if server is GDBus < 2.73.3)
(geany:86563): GLib-GIO-DEBUG: 16:38:38.146: _g_io_module_get_default: Found default implementation dconf (DConfSettingsBackend) for ‘gsettings-backend’
(geany:86563): dconf-DEBUG: 16:38:38.146: watch_fast: "/org/gtk/settings/file-chooser/" (establishing: 0, active: 0)
(geany:86563): dconf-DEBUG: 16:38:38.146: watch_established: "/org/gtk/settings/file-chooser/" (establishing: 1)
Geany-INFO: 16:38:41.194: /home/l33tlinuxh4x0r/broken.py : Python (UTF-8)
Geany-INFO: 16:38:41.195: /home/l33tlinuxh4x0r/broken.py : Python (UTF-8)
(geany:86563): dconf-DEBUG: 16:38:41.196: change_fast
Segmentation fault (core dumped)
```
gdb says the exact same thing every time I reproduce this bug.
```
0x00007ffff78d014e in free () from /usr/lib64/libc.so.6
```
Does anyone know why this is happening and/or have a fix?
--
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany/issues/3857
Message ID: <geany/geany/issues/3857(a)github.com>
If I open a new file temporarily to look at something and then close it immediately, the new file will open on a tab on the right of the current one, and when I close it Geany will focus on the tab on the right of this one, not on the one I originally had open which is the one on the left.
This could be solved if Geany defaulted to moving to the tab on the **left** when I close the currently active tab, instead of the tab on the right as it does now.
(This is assuming the user has their preferences set to "Open new tabs on the right of the current tab"; if they set them to open new tabs on the left, then the behavior should be mirrored and Geany should switch to the tab on the right.)
Alternatively, it could simply switch to the last open tab (emulating the behavior of Ctrl-Tab).
--
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany/issues/3855
Message ID: <geany/geany/issues/3855(a)github.com>
I'm using Geany 1.38 on an Arch system with a LXQt DE and I would like to use the LXQt file chooser, which is possible if the application uses [XDG desktop portal](https://flatpak.github.io/xdg-desktop-portal/#gdbus-org.freedesktop.portal.FileChooser).
--
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany/issues/3458
Message ID: <geany/geany/issues/3458(a)github.com>
Supported commands are:
za / zo / zc toggle / open / close fold on one level of folding
zA / zO / zC toggle / open / close fold on all folding levels
zR / zM open / close all folds
You can view, comment on, or merge this pull request online at:
https://github.com/geany/geany-plugins/pull/1327
-- Commit Summary --
* Implement fold in vimode plugin
-- File Changes --
M vimode/src/cmd-runner.c (9)
M vimode/src/cmds/edit.c (45)
M vimode/src/cmds/edit.h (12)
-- Patch Links --
https://github.com/geany/geany-plugins/pull/1327.patch
https://github.com/geany/geany-plugins/pull/1327.diff
--
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany-plugins/pull/1327
Message ID: <geany/geany-plugins/pull/1327(a)github.com>
Fix cursor hang when we want to move cursor on top line and this line is folded
To reproduce the problem, when vimode plugin is enabled:
Fold a few lines by clicking the "minus" icon.
Move the cursor to the bottom of these lines and try to move back to the top.
The cursor doesn't go back and seems to hang.
You can view, comment on, or merge this pull request online at:
https://github.com/geany/geany-plugins/pull/1326
-- Commit Summary --
* Fix cursor hang when we want to move cursor on top line and this line is folded
-- File Changes --
M vimode/src/cmds/motion.c (2)
-- Patch Links --
https://github.com/geany/geany-plugins/pull/1326.patch
https://github.com/geany/geany-plugins/pull/1326.diff
--
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany-plugins/pull/1326
Message ID: <geany/geany-plugins/pull/1326(a)github.com>