From 39d5dd89c5621244351b9cd831a841f95bebfff8 Mon Sep 17 00:00:00 2001
From: Matthias Clasen
Date: Fri, 22 Jan 2021 11:37:20 -0500
Subject: [PATCH] Avoid a heap-use-after-free _gtk_gesture_cancel_sequence frees the struct pointed to by data, so don't write to it afterwards. Found by asan.
---
 gtk/gtkgesture.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/gtk/gtkgesture.c b/gtk/gtkgesture.c
index 802309c43d..130c4265cf 100644
--- a/gtk/gtkgesture.c
+++ b/gtk/gtkgesture.c
@@ -991,6 +991,7 @@ gtk_gesture_set_sequence_state (GtkGesture *gesture,
 {
 GtkGesturePrivate *priv;
 PointData *data;
+ GtkEventSequenceState current_state;
 g_return_val_if_fail (GTK_IS_GESTURE (gesture), FALSE);
 g_return_val_if_fail (state >= GTK_EVENT_SEQUENCE_NONE &&
@@ -1014,11 +1015,13 @@ gtk_gesture_set_sequence_state (GtkGesture *gesture,
 data->state != GTK_EVENT_SEQUENCE_NONE)
 return FALSE;
+ current_state = data->state;
+ data->state = state;
+
 if (state == GTK_EVENT_SEQUENCE_DENIED &&
- data->state == GTK_EVENT_SEQUENCE_CLAIMED)
+ current_state == GTK_EVENT_SEQUENCE_CLAIMED)
 _gtk_gesture_cancel_sequence (gesture, sequence);
- data->state = state;
 gtk_widget_cancel_event_sequence (gtk_event_controller_get_widget (GTK_EVENT_CONTROLLER (gesture)), gesture, sequence, state);
 g_signal_emit (gesture, signals[SEQUENCE_STATE_CHANGED], 0,
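Review bot: In the second hunk, `data` is left dangling after `_gtk_gesture_cancel_sequence (gesture, sequence);` (the commit message says that call frees the struct), and nothing in the code records this. Bracing the `if` body and ending it with `data = NULL; /* freed by _gtk_gesture_cancel_sequence() */` would make any later access fail immediately instead of silently touching freed heap memory. A one-line comment above `data->state = state;` saying the store must come before the cancel call would keep a future cleanup from moving it back. The function continues past the end of the hunk, so whether `data` is used further down cannot be confirmed from here. Because the store now precedes the cancel, any code that runs inside that call presumably sees the new state rather than `GTK_EVENT_SEQUENCE_CLAIMED`, so it is worth confirming that is intended.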