Bug#968606: CVE assignment request for NULL-dereference segfault

Bernhard Übelacker bernhardu at mailbox.org
Wed Aug 19 11:12:28 BST 2020


Hello Max, hello Simon,
after some sleep I wondered why this next variable gets assigned
that soon ... so I tested the following patch, which just moves the
assignment to below the process call, and I could not reproduce
the crash in some guake restarts.

If this is enough, or if the garbage collector might attempt to
destroy the "that" too at some point, I cannot say.

Kind regards,
Bernhard




--- vte2.91-0.60.3.orig/src/vte.cc
+++ vte2.91-0.60.3/src/vte.cc
@@ -10509,14 +10509,14 @@ update_repeat_timeout (gpointer data)
 	for (l = g_active_terminals; l != NULL; l = next) {
 		auto that = reinterpret_cast<vte::terminal::Terminal*>(l->data);
 
-                next = l->next;
-
 		if (l != g_active_terminals) {
 			_vte_debug_print (VTE_DEBUG_WORK, "T");
 		}
 
                 that->process(true);
 
+                next = l->next;
+
 		again = that->invalidate_dirty_rects_and_process_updates();
 		if (!again) {
                         remove_from_active_list(that);
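
Review bot: the relocated `next = l->next;` is still cached before `that->invalidate_dirty_rects_and_process_updates()` runs, and it now dereferences `l` after `that->process(true)` has returned, so the hunk only closes the window for list changes made inside process(). If process() can take the current terminal off g_active_terminals, `l` itself may already be gone when `l->next` is read; if invalidate_dirty_rects_and_process_updates() can change the list, `next` can go stale the same way it did before the move. Please either read `l->next` immediately before `remove_from_active_list(that)` (the only visible call here that is expected to unlink `l`), or confirm and document in a comment which of these calls may modify g_active_terminals so the ordering is not moved back later. A null check on `that` before `that->process(true)` would also be worth considering given the bug title mentions a NULL dereference.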


