From 27fdd41e4aa8ae1c5e6a4be92a273381fac0c594 Mon Sep 17 00:00:00 2001
From: Lionel Landwerlin <llandwerlin@gmail.com>
Date: Tue, 15 Oct 2013 18:23:46 +0100
Subject: [PATCH] gesture-action: fix memory corruption
abcf1d589f29ba7914d5648bb9814ad26c13cd83 introduced a crasher because
the 'point' variable points to a piece of memory that is being
reallocated by the begin_gesture (by a g_array_set_size) call 5 lines
before.
https://bugzilla.gnome.org/show_bug.cgi?id=710227
---
clutter/clutter-gesture-action.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/clutter/clutter-gesture-action.c b/clutter/clutter-gesture-action.c
index 2846227..975c5a4 100644
--- a/clutter/clutter-gesture-action.c
+++ b/clutter/clutter-gesture-action.c
@@ -359,65 +359,69 @@ stage_captured_event_cb (ClutterActor *stage,
/* we might miss a button-release event in case of grabs,
* so we need to check whether the button is still down
* during a motion event
*/
if (!(mods & CLUTTER_BUTTON1_MASK))
{
cancel_gesture (action);
return CLUTTER_EVENT_PROPAGATE;
}
}
/* Follow same code path as a touch event update */
case CLUTTER_TOUCH_UPDATE:
if (!priv->in_gesture)
{
if (priv->points->len < priv->requested_nb_points)
{
gesture_update_motion_point (point, event);
return CLUTTER_EVENT_PROPAGATE;
}
/* Wait until the drag threshold has been exceeded
* before starting _TRIGGER_EDGE_AFTER gestures. */
if (priv->edge == CLUTTER_GESTURE_TRIGGER_EDGE_AFTER &&
gesture_point_pass_threshold (point, event))
{
gesture_update_motion_point (point, event);
return CLUTTER_EVENT_PROPAGATE;
}
- if (!begin_gesture(action, actor))
+ if (!begin_gesture (action, actor))
{
- gesture_update_motion_point (point, event);
+ if ((point = gesture_find_point (action, event, &position)) != NULL)
+ gesture_update_motion_point (point, event);
return CLUTTER_EVENT_PROPAGATE;
}
+
+ if ((point = gesture_find_point (action, event, &position)) == NULL)
+ return CLUTTER_EVENT_PROPAGATE;
}
gesture_update_motion_point (point, event);
g_signal_emit (action, gesture_signals[GESTURE_PROGRESS], 0, actor,
&return_value);
if (!return_value)
{
cancel_gesture (action);
return CLUTTER_EVENT_PROPAGATE;
}
/* Check if a _TRIGGER_EDGE_BEFORE gesture needs to be cancelled because
* the drag threshold has been exceeded. */
drag_threshold = gesture_get_threshold ();
if (priv->edge == CLUTTER_GESTURE_TRIGGER_EDGE_BEFORE &&
((fabsf (point->press_y - point->last_motion_y) > drag_threshold) ||
(fabsf (point->press_x - point->last_motion_x) > drag_threshold)))
{
cancel_gesture (action);
return CLUTTER_EVENT_PROPAGATE;
}
break;
case CLUTTER_BUTTON_RELEASE:
case CLUTTER_TOUCH_END:
{
gesture_update_release_point (point, event);
if (priv->in_gesture &&
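Review bot: `point` is still dereferenced at `point->press_y` / `point->last_motion_x` after `g_signal_emit (action, gesture_signals[GESTURE_PROGRESS], ...)`, so the stale-pointer pattern this commit fixes for `begin_gesture ()` may recur there. That happens only if a progress handler can resize or clear `priv->points`, which this hunk does not show, so it needs confirming. If it can, either repeat `point = gesture_find_point (action, event, &position)` with a NULL check after the emit, or copy the press and last-motion coordinates into locals before emitting. Separately, the two new lookups should carry a comment so the re-fetch is not later simplified away, e.g. `/* begin_gesture () may resize priv->points, so 'point' is stale; look it up again */`. stage_captured_event_cb begins and ends outside the hunk, so other uses of `point` could not be checked from here.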
--
2.3.7