Use-after-free when closing window during bulk rename

Version information

6a821745 on Arch Linux

Steps to reproduce

  1. mkdir bulk-renames
  2. touch bulk-renames/{1..1000}
  3. thunar bulk-renames
  4. Select all the files
  5. F2
  6. Choose any valid replacement pattern like Insert Date / Time
  7. Press Rename
  8. Quickly close the parent Thunar window

Current behavior

Crash

Expected outcome

No crash. Maybe the window should prevent closing?

Backtrace

ERROR: AddressSanitizer: heap-use-after-free on address 0x5140000db770 at pc 0x7219e4de4dd6 bp 0x7ffe4f236d20 sp 0x7ffe4f236d18
READ of size 8 at 0x5140000db770 thread T0
    #0 0x7219e4de4dd5 in gtk_widget_hide gtk/gtkwidget.c:4930:3
    #1 0x5b555e526da0 in thunar_renamer_dialog_response thunar/thunar/thunar-renamer-dialog.c:824:7
    #2 0x7219e3bc8e8c in g_cclosure_marshal_VOID__INTv /usr/src/debug/glib2/build/../glib/gobject/gmarshal.c:596:3
    #3 0x7219e3bebca1 in _g_closure_invoke_va /usr/src/debug/glib2/build/../glib/gobject/gclosure.c:896:7
    #4 0x7219e3bebca1 in signal_emit_valist_unlocked /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3423:8
    #5 0x7219e3bebdb1 in g_signal_emit_valist /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3262:7
    #6 0x7219e3bebe73 in g_signal_emit /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3582:3
    #7 0x7219e3bebca1 in _g_closure_invoke_va /usr/src/debug/glib2/build/../glib/gobject/gclosure.c:896:7
    #8 0x7219e3bebca1 in signal_emit_valist_unlocked /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3423:8
    #9 0x7219e3bebdb1 in g_signal_emit_valist /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3262:7
    #10 0x7219e3bebe73 in g_signal_emit /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3582:3
    #11 0x7219e4865768 in gtk_button_do_release gtk/gtkbutton.c:1845:9
    #12 0x7219e4865768 in gtk_real_button_released gtk/gtkbutton.c:1963:3
[...snip...]

0x5140000db770 is located 304 bytes inside of 424-byte region [0x5140000db640,0x5140000db7e8)
freed by thread T0 here:
    #0 0x5b555e254972 in free.part.0 (/usr/asan/bin/thunar+0x497972) (BuildId: 2a9d7f6a761e63fd)
    #1 0x7219e3bf0622 in g_type_free_instance /usr/src/debug/glib2/build/../glib/gobject/gtype.c:2030:5
    #2 0x7219e3bda1ed in g_object_unref /usr/src/debug/glib2/build/../glib/gobject/gobject.c:4502:3
    #3 0x5b555e5446d9 in thunar_renamer_progress_run thunar/thunar/thunar-renamer-progress.c:487:3
    #4 0x5b555e526d07 in thunar_renamer_dialog_response thunar/thunar/thunar-renamer-dialog.c:821:7
    #5 0x7219e3bc8e8c in g_cclosure_marshal_VOID__INTv /usr/src/debug/glib2/build/../glib/gobject/gmarshal.c:596:3
    #6 0x7219e3bebca1 in _g_closure_invoke_va /usr/src/debug/glib2/build/../glib/gobject/gclosure.c:896:7
    #7 0x7219e3bebca1 in signal_emit_valist_unlocked /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3423:8
    #8 0x7219e3bebdb1 in g_signal_emit_valist /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3262:7
    #9 0x7219e3bebe73 in g_signal_emit /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3582:3
    #10 0x7219e3bebca1 in _g_closure_invoke_va /usr/src/debug/glib2/build/../glib/gobject/gclosure.c:896:7
    #11 0x7219e3bebca1 in signal_emit_valist_unlocked /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3423:8
    #12 0x7219e3bebdb1 in g_signal_emit_valist /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3262:7
    #13 0x7219e3bebe73 in g_signal_emit /usr/src/debug/glib2/build/../glib/gobject/gsignal.c:3582:3
    #14 0x7219e4865768 in gtk_button_do_release gtk/gtkbutton.c:1845:9
    #15 0x7219e4865768 in gtk_real_button_released gtk/gtkbutton.c:1963:3
[...snip...]

previously allocated by thread T0 here:
    #0 0x5b555e255c59 in calloc (/usr/asan/bin/thunar+0x498c59) (BuildId: 2a9d7f6a761e63fd)
    #1 0x7219e3c7bd62 in g_malloc0 /usr/src/debug/glib2/build/../glib/glib/gmem.c:133:13
    #2 0x7219e3bf78f5 in g_type_create_instance /usr/src/debug/glib2/build/../glib/gobject/gtype.c:1933:17
    #3 0x7219e3bdc804 in g_object_new_internal /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2606:24
    #4 0x7219e3bdde7e in g_object_new_internal /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2603:6
    #5 0x7219e3bdde7e in g_object_new_with_properties /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2769:14
    #6 0x7219e3bdeed1 in g_object_new /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2415:12
    #7 0x5b555e54308e in thunar_renamer_progress_new thunar/thunar/thunar-renamer-progress.c:312:10
    #8 0x5b555e5210ec in thunar_renamer_dialog_init thunar/thunar/thunar-renamer-dialog.c:486:30
    #9 0x7219e3bf7988 in g_type_create_instance /usr/src/debug/glib2/build/../glib/gobject/gtype.c:1951:5
    #10 0x7219e3bdc804 in g_object_new_internal /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2606:24
    #11 0x7219e3bdeafa in g_object_new_internal /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2923:29
    #12 0x7219e3bdeafa in g_object_new_valist /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2945:16
    #13 0x7219e3bdeeaf in g_object_new /usr/src/debug/glib2/build/../glib/gobject/gobject.c:2418:12
    #14 0x5b555e51e2d3 in thunar_show_renamer_dialog thunar/thunar/thunar-renamer-dialog.c:1870:12
    #15 0x5b555e3127ff in thunar_action_manager_action_rename thunar/thunar/thunar-action-manager.c:2507:7
[...snip...]
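
The trace shows the object being freed by the `g_object_unref` inside `thunar_renamer_progress_run` (called from `thunar_renamer_dialog_response` line 821) and then read by `gtk_widget_hide` three lines later in the same handler. The following is an added example, not Thunar's code: a toy refcount stands in for GObject, all names are hypothetical, and it assumes that closing the window destroys the widget and drops the owner's reference while the nested loop runs.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for a GObject/GtkWidget: refcount plus destroy/hide state. */
typedef struct { int refs, destroyed, hidden; } Widget;
static int live_widgets;

static Widget *widget_new(void) {
    Widget *w = calloc(1, sizeof *w);
    if (!w) abort();
    w->refs = 1; live_widgets++;
    return w;
}
static void widget_ref(Widget *w) { w->refs++; }
static void widget_unref(Widget *w) { if (--w->refs == 0) { live_widgets--; free(w); } }

/* Nested "main loop" (constructed model). If the parent window is closed
 * while it spins, the owner destroys the widget and drops its reference. */
static void progress_run(Widget *p, int closed_during_run) {
    widget_ref(p);                    /* run() keeps itself alive while looping */
    if (closed_during_run) { p->destroyed = 1; widget_unref(p); }
    widget_unref(p);                  /* may release the last reference */
}

/* Pattern from the trace: touch the widget after run() has returned.
 * With closed_during_run=1 this writes to freed memory. */
static void response_unsafe(Widget *p, int closed_during_run) {
    progress_run(p, closed_during_run);
    p->hidden = 1;
}

/* Hardened: hold a reference across the nested loop and check for
 * destruction. Returns 1 if the widget was hidden, 0 if that was skipped. */
static int response_hardened(Widget *p, int closed_during_run) {
    int hid = 0;
    widget_ref(p);
    progress_run(p, closed_during_run);
    if (!p->destroyed) { p->hidden = 1; hid = 1; }
    widget_unref(p);
    return hid;
}

/* Runs one scenario; returns the hardened result, or -1 if a widget leaked. */
static int scenario(int closed_during_run) {
    Widget *p = widget_new();         /* the dialog's reference */
    int hid = response_hardened(p, closed_during_run);
    if (!closed_during_run) widget_unref(p);   /* normal teardown later */
    return live_widgets == 0 ? hid : -1;
}

int main(void) { printf("normal=%d closed=%d\n", scenario(0), scenario(1)); }
```

Building with `-fsanitize=address` and calling `response_unsafe(widget_new(), 1)` produces the same class of heap-use-after-free report as above.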