From e04c8351a29a5b9e5873bea0e0bd57cf9abfcdb2 Mon Sep 17 00:00:00 2001
From: Nick Gasson <nick@nickg.me.uk>
Date: Mon, 3 Feb 2020 17:33:26 +0800
Subject: [PATCH] Fix use-after-free in daemon mode

---
 src/display_cow.c | 20 +++++++++++---------
 src/display_cow.h |  2 +-
 src/xcowsayd.c    |  2 +-
 3 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/src/display_cow.c b/src/display_cow.c
index 28e322e..22b9383 100644
--- a/src/display_cow.c
+++ b/src/display_cow.c
@@ -222,6 +222,9 @@ static void normal_setup(const char *text, bool debug, cowmode_t mode)
    const int cow_width = shape_width(xcowsay.cow);
    const int max_width = xcowsay.screen_width - cow_width;
 
+   if (xcowsay.bubble_pixbuf != NULL)
+      g_object_unref(xcowsay.bubble_pixbuf);
+
    xcowsay.bubble_pixbuf = make_text_bubble(
       text_copy, &xcowsay.bubble_width, &xcowsay.bubble_height,
       max_width, mode);
@@ -236,11 +239,14 @@ static void dream_setup(const char *file, bool debug)
    if (xcowsay.display_time < 0)
       xcowsay.display_time = get_int_option("dream_time");
 
+   if (xcowsay.bubble_pixbuf != NULL)
+      g_object_unref(xcowsay.bubble_pixbuf);
+
    xcowsay.bubble_pixbuf = make_dream_bubble(file, &xcowsay.bubble_width,
                                              &xcowsay.bubble_height);
 }
 
-void display_cow(bool debug, const char *text, bool run_main, cowmode_t mode)
+void display_cow(bool debug, const char *text, cowmode_t mode)
 {
    GdkScreen *screen = gdk_screen_get_default();
 
@@ -335,12 +341,6 @@ void display_cow(bool debug, const char *text, bool run_main, cowmode_t mode)
    g_timeout_add(TICK_TIMEOUT, tick, NULL);
 
    close_when_clicked(xcowsay.cow);
-
-   if (run_main)
-      gtk_main();
-
-   g_object_unref(xcowsay.bubble_pixbuf);
-   xcowsay.bubble_pixbuf = NULL;
 }
 
 #ifndef WITH_DBUS
@@ -402,6 +402,8 @@ bool try_dbus(bool debug, const char *text, cowmode_t mode)
 
 void display_cow_or_invoke_daemon(bool debug, const char *text, cowmode_t mode)
 {
-   if (!try_dbus(debug, text, mode))
-      display_cow(debug, text, true, mode);
+   if (!try_dbus(debug, text, mode)) {
+      display_cow(debug, text, mode);
+      gtk_main();
+   }
 }
diff --git a/src/display_cow.h b/src/display_cow.h
index 092f683..b64f98e 100644
--- a/src/display_cow.h
+++ b/src/display_cow.h
@@ -34,7 +34,7 @@ typedef enum {
 } cowmode_t;
 
 // Show a cow with the given string and clean up afterwards
-void display_cow(bool debug, const char *text, bool run_main, cowmode_t mode);
+void display_cow(bool debug, const char *text, cowmode_t mode);
 void display_cow_or_invoke_daemon(bool debug, const char *text, cowmode_t mode);
 void cowsay_init(int *argc, char ***argv);
 
diff --git a/src/xcowsayd.c b/src/xcowsayd.c
index 645f0ba..1bb683e 100644
--- a/src/xcowsayd.c
+++ b/src/xcowsayd.c
@@ -140,7 +140,7 @@ static gpointer cow_display_thread(gpointer data)
       // GTK assumes it is being called from the main thread
       // (and it isn't here)
       gdk_threads_enter();
-      display_cow(debug, mess, false, mode);
+      display_cow(debug, mess, mode);
       gdk_threads_leave();
 
       g_cond_wait(display_complete, display_lock);
-- 
2.39.2