Use-after-free in mousepad_file_autosave_schedule
Description
I triggered this use-after-free while testing xfce/libxfce4ui!154 (merged).
I was repeatedly pasting URLs onto the same long line in mousepad. This caused mousepad to get slower, so I closed the application and discarded all changes. It looks like some clipboard data was received after that discard.
Backtrace
ERROR: AddressSanitizer: heap-use-after-free on address 0x50d000065d68 at pc 0x73db36eeee13 bp 0x7ffed8803730 sp 0x7ffed8803720
READ of size 8 at 0x50d000065d68 thread T0
#0 0x73db36eeee12 in mousepad_file_autosave_schedule mousepad/mousepad-file.c:1434
#1 0x73db3596c4ac in g_cclosure_marshal_VOID__VOID gobject/gmarshal.c:117
#2 0x73db35962d09 in g_closure_invoke gobject/gclosure.c:833
#3 0x73db359b7691 in signal_emit_unlocked_R gobject/gsignal.c:3902
#4 0x73db359bca23 in signal_emit_valist_unlocked gobject/gsignal.c:3534
#5 0x73db359cb2d3 in g_signal_emit_valist gobject/gsignal.c:3277
#6 0x73db359cb3fc in g_signal_emit gobject/gsignal.c:3597
#7 0x73db33dd4a16 in gtk_text_buffer_real_insert_text gtk/gtktextbuffer.c:916
#8 0x73db371871a4 (/usr/lib/libgtksourceview-4.so.0+0x1e1a4)
#9 0x73db33932744 in _gtk_marshal_VOID__BOXED_STRING_INT gtk/gtkmarshalers.c:3468
#10 0x73db3595a850 in g_type_class_meta_marshal gobject/gclosure.c:1034
#11 0x73db35962d09 in g_closure_invoke gobject/gclosure.c:833
#12 0x73db359b7bb4 in signal_emit_unlocked_R gobject/gsignal.c:3942
#13 0x73db359bca23 in signal_emit_valist_unlocked gobject/gsignal.c:3534
#14 0x73db359cb2d3 in g_signal_emit_valist gobject/gsignal.c:3277
#15 0x73db359cb3fc in g_signal_emit gobject/gsignal.c:3597
#16 0x73db33dd4b31 in gtk_text_buffer_emit_insert gtk/gtktextbuffer.c:937
#17 0x73db33ddd4ae in gtk_text_buffer_insert_interactive gtk/gtktextbuffer.c:1029
#18 0x73db33ddf744 in clipboard_text_received gtk/gtktextbuffer.c:3435
#19 0x73db33fab21b in request_text_received_func gtk/gtkclipboard.c:1068
#20 0x73db33fa945e in selection_received gtk/gtkclipboard.c:960
#21 0x73db3393316b in _gtk_marshal_VOID__BOXED_UINTv gtk/gtkmarshalers.c:3608
#22 0x73db359638ee in _g_closure_invoke_va gobject/gclosure.c:896
#23 0x73db359ba74f in signal_emit_valist_unlocked gobject/gsignal.c:3438
#24 0x73db359cb79f in g_signal_emit_by_name gobject/gsignal.c:3638
#25 0x73db33d6300b in gtk_selection_retrieval_report gtk/gtkselection.c:3190
#26 0x73db33d6c5d8 in _gtk_selection_notify gtk/gtkselection.c:2994
#27 0x73db339263a2 in _gtk_marshal_BOOLEAN__BOXEDv gtk/gtkmarshalers.c:130
#28 0x73db3595a263 in g_type_class_meta_marshalv gobject/gclosure.c:1061
#29 0x73db359638ee in _g_closure_invoke_va gobject/gclosure.c:896
#30 0x73db359ba74f in signal_emit_valist_unlocked gobject/gsignal.c:3438
#31 0x73db359cb2d3 in g_signal_emit_valist gobject/gsignal.c:3277
#32 0x73db359cb3fc in g_signal_emit gobject/gsignal.c:3597
#33 0x73db33f1d940 in gtk_widget_event_internal gtk/gtkwidget.c:7827
#34 0x73db33f23e8f in gtk_widget_event gtk/gtkwidget.c:7397
#35 0x73db33c39a77 in gtk_main_do_event gtk/gtkmain.c:1861
#36 0x73db330a6286 in _gdk_event_emit gdk/gdkevents.c:73
#37 0x73db3315fbe2 in gdk_event_source_dispatch gdk/x11/gdkeventsource.c:367
#38 0x73db34a9eb58 in g_main_dispatch glib/gmain.c:3398
#39 0x73db34a9eb58 in g_main_context_dispatch_unlocked glib/gmain.c:4249
#40 0x73db34aaba94 in g_main_context_iterate_unlocked glib/gmain.c:4314
#41 0x73db34aac70d in g_main_context_iteration glib/gmain.c:4379
#42 0x73db36435f58 in g_application_run gio/gapplication.c:2746
#43 0x5e0f09f8227d in main mousepad/main.c:50
0x50d000065d68 is located 24 bytes inside of 144-byte region [0x50d000065d50,0x50d000065de0)
freed by thread T0 here:
#0 0x73db372fc102 in free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x73db34ac9bad in g_free_sized glib/gmem.c:238
#2 0x73db359e41f6 in g_type_free_instance gobject/gtype.c:1980
#3 0x73db3597e743 in g_object_unref gobject/gobject.c:4525
#4 0x73db36ee0dec in mousepad_document_finalize mousepad/mousepad-document.c:324
#5 0x73db3597e701 in g_object_unref gobject/gobject.c:4509
#6 0x73db33a556ad in gtk_container_remove gtk/gtkcontainer.c:1911
#7 0x73db33c97ec3 in gtk_notebook_remove_page gtk/gtknotebook.c:6683
#8 0x73db36f37e19 in mousepad_window_close_document mousepad/mousepad-window.c:2443
#9 0x73db36f384c1 in mousepad_window_action_close_window mousepad/mousepad-window.c:5030
#10 0x73db35972b09 in g_cclosure_marshal_VOID__VARIANT gobject/gmarshal.c:1964
#11 0x73db35962d09 in g_closure_invoke gobject/gclosure.c:833
#12 0x73db359b7691 in signal_emit_unlocked_R gobject/gsignal.c:3902
#13 0x73db359bca23 in signal_emit_valist_unlocked gobject/gsignal.c:3534
#14 0x73db359cb2d3 in g_signal_emit_valist gobject/gsignal.c:3277
#15 0x73db359cb3fc in g_signal_emit gobject/gsignal.c:3597
#16 0x73db3645696c in g_simple_action_activate gio/gsimpleaction.c:215
#17 0x73db36451597 in g_action_activate gio/gaction.c:380
#18 0x73db364480c2 in g_simple_action_group_activate gio/gsimpleactiongroup.c:140
#19 0x73db36445a53 in g_action_group_activate_action gio/gactiongroup.c:624
#20 0x73db33989499 in gtk_application_window_activate_action gtk/gtkapplicationwindow.c:447
#21 0x73db36445a53 in g_action_group_activate_action gio/gactiongroup.c:624
#22 0x73db36f271d1 in mousepad_window_delete_event mousepad/mousepad-window.c:1469
#23 0x73db339263a2 in _gtk_marshal_BOOLEAN__BOXEDv gtk/gtkmarshalers.c:130
#24 0x73db3595a263 in g_type_class_meta_marshalv gobject/gclosure.c:1061
#25 0x73db359638ee in _g_closure_invoke_va gobject/gclosure.c:896
#26 0x73db359ba74f in signal_emit_valist_unlocked gobject/gsignal.c:3438
#27 0x73db359cb2d3 in g_signal_emit_valist gobject/gsignal.c:3277
#28 0x73db359cb3fc in g_signal_emit gobject/gsignal.c:3597
#29 0x73db33f1d940 in gtk_widget_event_internal gtk/gtkwidget.c:7827
#30 0x73db33f23e8f in gtk_widget_event gtk/gtkwidget.c:7397
#31 0x73db33c39b82 in gtk_main_do_event gtk/gtkmain.c:1823
#32 0x73db330a6286 in _gdk_event_emit gdk/gdkevents.c:73
#33 0x73db3315fbe2 in gdk_event_source_dispatch gdk/x11/gdkeventsource.c:367
#34 0x73db34a9eb58 in g_main_dispatch glib/gmain.c:3398
#35 0x73db34a9eb58 in g_main_context_dispatch_unlocked glib/gmain.c:4249
#36 0x73db34aaba94 in g_main_context_iterate_unlocked glib/gmain.c:4314
#37 0x73db34aad1f3 in g_main_loop_run glib/gmain.c:4516
#38 0x73db33fabcfc in gtk_clipboard_wait_for_contents gtk/gtkclipboard.c:1436
#39 0x73db33facae6 in gtk_clipboard_wait_is_rich_text_available gtk/gtkclipboard.c:1759
#40 0x73db33de047b in clipboard_clipboard_buffer_received gtk/gtktextbuffer.c:3658
#41 0x73db33fa945e in selection_received gtk/gtkclipboard.c:960
#42 0x73db3393316b in _gtk_marshal_VOID__BOXED_UINTv gtk/gtkmarshalers.c:3608
#43 0x73db359638ee in _g_closure_invoke_va gobject/gclosure.c:896
#44 0x73db359ba74f in signal_emit_valist_unlocked gobject/gsignal.c:3438
#45 0x73db359cb79f in g_signal_emit_by_name gobject/gsignal.c:3638
#46 0x73db33d6300b in gtk_selection_retrieval_report gtk/gtkselection.c:3190
#47 0x73db33d6c6df in _gtk_selection_notify gtk/gtkselection.c:2969
#48 0x73db339263a2 in _gtk_marshal_BOOLEAN__BOXEDv gtk/gtkmarshalers.c:130
#49 0x73db3595a263 in g_type_class_meta_marshalv gobject/gclosure.c:1061
#50 0x73db3596326e in _g_closure_invoke_va gobject/gclosure.c:896
#51 0x73db359ba74f in signal_emit_valist_unlocked gobject/gsignal.c:3438
#52 0x73db359cb2d3 in g_signal_emit_valist gobject/gsignal.c:3277
#53 0x73db359cb3fc in g_signal_emit gobject/gsignal.c:3597
#54 0x73db33f1d940 in gtk_widget_event_internal gtk/gtkwidget.c:7827
#55 0x73db33f23e8f in gtk_widget_event gtk/gtkwidget.c:7397
#56 0x73db33c39a77 in gtk_main_do_event gtk/gtkmain.c:1861
#57 0x73db330a6286 in _gdk_event_emit gdk/gdkevents.c:73
#58 0x73db3315fbe2 in gdk_event_source_dispatch gdk/x11/gdkeventsource.c:367
#59 0x73db34a9eb58 in g_main_dispatch glib/gmain.c:3398
#60 0x73db34a9eb58 in g_main_context_dispatch_unlocked glib/gmain.c:4249
#61 0x73db34aaba94 in g_main_context_iterate_unlocked glib/gmain.c:4314
#62 0x73db34aad1f3 in g_main_loop_run glib/gmain.c:4516
#63 0x73db33fabcfc in gtk_clipboard_wait_for_contents gtk/gtkclipboard.c:1436
#64 0x73db33facae6 in gtk_clipboard_wait_is_rich_text_available gtk/gtkclipboard.c:1759
#65 0x73db33de047b in clipboard_clipboard_buffer_received gtk/gtktextbuffer.c:3658
#66 0x73db33fa945e in selection_received gtk/gtkclipboard.c:960
#67 0x73db3393316b in _gtk_marshal_VOID__BOXED_UINTv gtk/gtkmarshalers.c:3608
#68 0x73db359638ee in _g_closure_invoke_va gobject/gclosure.c:896
#69 0x73db359ba74f in signal_emit_valist_unlocked gobject/gsignal.c:3438
#70 0x73db359cb79f in g_signal_emit_by_name gobject/gsignal.c:3638
#71 0x73db33d6300b in gtk_selection_retrieval_report gtk/gtkselection.c:3190
#72 0x73db33d6c6df in _gtk_selection_notify gtk/gtkselection.c:2969
#73 0x73db339263a2 in _gtk_marshal_BOOLEAN__BOXEDv gtk/gtkmarshalers.c:130
#74 0x73db3595a263 in g_type_class_meta_marshalv gobject/gclosure.c:1061
#75 0x73db359638ee in _g_closure_invoke_va gobject/gclosure.c:896
#76 0x73db359ba74f in signal_emit_valist_unlocked gobject/gsignal.c:3438
#77 0x73db359cb2d3 in g_signal_emit_valist gobject/gsignal.c:3277
#78 0x73db359cb3fc in g_signal_emit gobject/gsignal.c:3597
#79 0x73db33f1d940 in gtk_widget_event_internal gtk/gtkwidget.c:7827
#80 0x73db33f23e8f in gtk_widget_event gtk/gtkwidget.c:7397
#81 0x73db33c39a77 in gtk_main_do_event gtk/gtkmain.c:1861
#82 0x73db330a6286 in _gdk_event_emit gdk/gdkevents.c:73
#83 0x73db3315fbe2 in gdk_event_source_dispatch gdk/x11/gdkeventsource.c:367
#84 0x73db34a9eb58 in g_main_dispatch glib/gmain.c:3398
#85 0x73db34a9eb58 in g_main_context_dispatch_unlocked glib/gmain.c:4249
#86 0x73db34aaba94 in g_main_context_iterate_unlocked glib/gmain.c:4314
#87 0x73db34aac70d in g_main_context_iteration glib/gmain.c:4379
#88 0x73db36435b7e in g_application_run gio/gapplication.c:2715
#89 0x5e0f09f8227d in main mousepad/main.c:50
previously allocated by thread T0 here:
#0 0x73db372fd02a in calloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:77
#1 0x73db34ac9b11 in g_malloc0 glib/gmem.c:133
#2 0x73db359e9a56 in g_type_create_instance gobject/gtype.c:1883
#3 0x73db359812ca in g_object_new_internal gobject/gobject.c:2629
#4 0x73db35986661 in g_object_new_with_properties gobject/gobject.c:2792
#5 0x73db359889b6 in g_object_new gobject/gobject.c:2438
#6 0x73db36ef3b84 in mousepad_file_new mousepad/mousepad-file.c:310
#7 0x73db36ee016e in mousepad_document_init mousepad/mousepad-document.c:280
#8 0x73db359ea93c in g_type_create_instance gobject/gtype.c:1901
#9 0x73db359812ca in g_object_new_internal gobject/gobject.c:2629
#10 0x73db35986661 in g_object_new_with_properties gobject/gobject.c:2792
#11 0x73db359889b6 in g_object_new gobject/gobject.c:2438
#12 0x73db36ee321b in mousepad_document_new mousepad/mousepad-document.c:115
#13 0x73db36f41901 in mousepad_window_action_new mousepad/mousepad-window.c:4377
#14 0x73db35972b09 in g_cclosure_marshal_VOID__VARIANT gobject/gmarshal.c:1964
#15 0x73db35962d09 in g_closure_invoke gobject/gclosure.c:833
#16 0x73db359b7691 in signal_emit_unlocked_R gobject/gsignal.c:3902
#17 0x73db359bca23 in signal_emit_valist_unlocked gobject/gsignal.c:3534
#18 0x73db359cb2d3 in g_signal_emit_valist gobject/gsignal.c:3277
#19 0x73db359cb3fc in g_signal_emit gobject/gsignal.c:3597
#20 0x73db3645696c in g_simple_action_activate gio/gsimpleaction.c:215
#21 0x73db36451597 in g_action_activate gio/gaction.c:380
#22 0x73db364480c2 in g_simple_action_group_activate gio/gsimpleactiongroup.c:140
#23 0x73db36445a53 in g_action_group_activate_action gio/gactiongroup.c:624
#24 0x73db33989499 in gtk_application_window_activate_action gtk/gtkapplicationwindow.c:447
#25 0x73db36445a53 in g_action_group_activate_action gio/gactiongroup.c:624
#26 0x73db36ed469e in mousepad_application_activate mousepad/mousepad-application.c:1137
#27 0x73db3596c67f in g_cclosure_marshal_VOID__VOIDv gobject/gmarshal.c:165
#28 0x73db3595a263 in g_type_class_meta_marshalv gobject/gclosure.c:1061
#29 0x73db359638ee in _g_closure_invoke_va gobject/gclosure.c:896
#30 0x73db359ba74f in signal_emit_valist_unlocked gobject/gsignal.c:3438
#31 0x73db359cb2d3 in g_signal_emit_valist gobject/gsignal.c:3277
#32 0x73db359cb3fc in g_signal_emit gobject/gsignal.c:3597
#33 0x73db36433844 in g_application_activate gio/gapplication.c:2454
#34 0x73db36ed5965 in mousepad_application_command_line mousepad/mousepad-application.c:1097
#35 0x73db362e020f in _g_cclosure_marshal_INT__OBJECTv gio/gmarshal-internal.c:847
#36 0x73db3595a263 in g_type_class_meta_marshalv gobject/gclosure.c:1061
#37 0x73db359638ee in _g_closure_invoke_va gobject/gclosure.c:896
#38 0x73db359ba74f in signal_emit_valist_unlocked gobject/gsignal.c:3438
#39 0x73db359cb2d3 in g_signal_emit_valist gobject/gsignal.c:3277
#40 0x73db359cb3fc in g_signal_emit gobject/gsignal.c:3597
#41 0x73db364295b8 in g_application_call_command_line gio/gapplication.c:1103
#42 0x73db364349b7 in g_application_real_local_command_line gio/gapplication.c:1179
#43 0x73db3398303b in gtk_application_local_command_line gtk/gtkapplication.c:343
#44 0x73db36435442 in g_application_run gio/gapplication.c:2684
#45 0x5e0f09f8227d in main mousepad/main.c:50Version info
59ae150c compiled on Arch Linux