From 0fa2ae48d4aaf5737b4bbb8e59cf6f28ab99af8a Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Tue, 10 Sep 2024 00:11:18 +0100
Subject: [PATCH] gdkgltexture: Avoid use-after-free when switching GdkGLContext

`thread_current_context` might be holding the last reference to `previous`, in which case `gdk_gl_context_make_current` on the new context will free `previous`, leaving it a dangling pointer.

Avoid this by making sure to hold a reference.

Fixes: 41cd0c6f "gl: Fix initial EGL context creation on X11"
Resolves: https://gitlab.gnome.org/GNOME/gtk/-/issues/6995
Signed-off-by: Simon McVittie
---
 gdk/gdkgltexture.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/gdk/gdkgltexture.c b/gdk/gdkgltexture.c
index 6c90efa9d0..9cb5c94a20 100644
--- a/gdk/gdkgltexture.c
+++ b/gdk/gdkgltexture.c
@@ -101,6 +101,10 @@ gdk_gl_texture_invoke_callback (gpointer data)
 context = gdk_display_get_gl_context (gdk_gl_context_get_display (invoke->self->context));
 
 previous = gdk_gl_context_get_current ();
+
+ if (previous)
+ g_object_ref (previous);
+
 gdk_gl_context_make_current (context);
 
 if (invoke->self->sync && context != invoke->self->context)
@@ -113,9 +117,14 @@ gdk_gl_texture_invoke_callback (gpointer data)
 g_atomic_int_set (&invoke->spinlock, 1);
 
 if (previous)
- gdk_gl_context_make_current (previous);
+ {
+ gdk_gl_context_make_current (previous);
+ g_object_unref (previous);
+ }
 else
- gdk_gl_context_clear_current ();
+ {
+ gdk_gl_context_clear_current ();
+ }
 
 return FALSE;
 }
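Review bot: The new `g_object_ref (previous)` in the first hunk is balanced only by the `g_object_unref (previous)` on the restore path in the second hunk, and the lines between the two hunks (the body of the `if (invoke->self->sync && context != invoke->self->context)` branch) are not in the patch; if any path there can return before `g_atomic_int_set`, the reference would leak, so that stretch is worth confirming. A short comment above the ref would tell the next reader why a plain local needs one, e.g. `/* make_current (context) may drop the thread's last ref to previous; keep it alive until it is restored below */`. gdk_gl_texture_invoke_callback begins before the first hunk; its closing brace is the last line of the second hunk.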