From 7288e9a23f643db8ab7c8d463494a1e051a2b853 Mon Sep 17 00:00:00 2001
From: smpl-os
Date: Tue, 24 Mar 2026 22:53:25 -0700
Subject: [PATCH] libnemo-private: fix use-after-free crash in nemo_file_mark_gone

nemo_directory_remove_file() calls nemo_file_unref() when the directory is monitoring its file list. If the caller holds no extra ref, this can drop the refcount to zero and free the NemoFile object. The nemo_file_clear_info() call immediately after then dereferences the freed pointer, causing a SIGSEGV.

Fix: take a temporary ref before the if-block so the object stays alive through both nemo_directory_remove_file() and nemo_file_clear_info(), and release it only after both calls complete.

Closes #3712
---
 libnemo-private/nemo-file.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libnemo-private/nemo-file.c b/libnemo-private/nemo-file.c
index 63ffcc2b2..72a8a6011 100644
--- a/libnemo-private/nemo-file.c
+++ b/libnemo-private/nemo-file.c
@@ -7947,11 +7947,18 @@ nemo_file_mark_gone (NemoFile *file)
 /* Let the directory know it's gone. */
 directory = file->details->directory;
+ /* Hold a temporary ref so the object stays alive through both
+ * nemo_directory_remove_file() (which may drop the last directory ref
+ * and free the object) AND the nemo_file_clear_info() call below.
+ * Without this, remove_file can free the NemoFile and clear_info then
+ * dereferences the freed pointer, causing a SIGSEGV (bug #3712). */
+ nemo_file_ref (file);
 if (!nemo_file_is_self_owned (file)) {
 nemo_directory_remove_file (directory, file);
 }
 nemo_file_clear_info (file);
+ nemo_file_unref (file);
 /* FIXME bugzilla.gnome.org 42429:
 * Maybe we can get rid of the name too eventually, but
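Review bot: The temporary ref protects only this function's own body; the added `nemo_file_unref (file);` after nemo_file_clear_info can itself be the final unref, so a caller that holds no reference of its own (exactly the scenario the commit message describes) returns to a pointer that now points at a freed object and must not touch `file` after nemo_file_mark_gone returns. If that is the intended contract it should be stated at the unref site, e.g. `/* May be the final unref: callers without their own ref must not use file after this returns. */`, and echoed in the function's header comment, which lies outside the hunk. The enclosing function starts and ends outside the hunk, so whether every caller already holds a reference cannot be confirmed from what is visible here; if any caller does not, the use-after-free has moved rather than been removed. A minor wording point in the new comment: "may drop the last directory ref" reads more clearly as "may drop the directory's reference, which can be the last one".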