From 5af7a36cf38c2846b7d03df0687684c628eb04a1 Mon Sep 17 00:00:00 2001 From: You name Date: Fri, 6 Mar 2026 02:09:18 -0800 Subject: [PATCH] libnemo-private: fix use-after-free crash in nemo_file_mark_gone nemo_directory_remove_file() calls nemo_file_unref() when the directory is monitoring its file list. If the caller holds no extra ref, this can drop the refcount to zero and free the NemoFile object in place. The subsequent nemo_file_clear_info() call then dereferences the freed pointer, causing a SIGSEGV. Reproduced during file rename: rename_get_info_callback finds an existing_file with the same new name and calls nemo_file_mark_gone on it with no extra ref held, triggering the crash. Fix by holding a temporary ref around nemo_directory_remove_file so the object remains valid until nemo_file_clear_info returns. Fixes #3712 --- libnemo-private/nemo-file.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libnemo-private/nemo-file.c b/libnemo-private/nemo-file.c index 63ffcc2b2..56bfebc4d 100644 --- a/libnemo-private/nemo-file.c +++ b/libnemo-private/nemo-file.c @@ -7948,7 +7948,13 @@ nemo_file_mark_gone (NemoFile *file) /* Let the directory know it's gone. */ directory = file->details->directory; if (!nemo_file_is_self_owned (file)) { + /* Hold a temporary ref across nemo_directory_remove_file: when the + * directory is monitoring its file list, remove_file calls + * nemo_file_unref() which can drop the refcount to zero and free + * the object before the nemo_file_clear_info() call below. */ + nemo_file_ref (file); nemo_directory_remove_file (directory, file); + nemo_file_unref (file); } nemo_file_clear_info (file);
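Review bot: the temporary ref is released one statement too early, so the use-after-free the commit message describes is still reachable. The hunk emits `nemo_file_unref (file);` immediately after `nemo_directory_remove_file (directory, file);` but before `nemo_file_clear_info (file);`. If the directory's unref inside remove_file was the last reference apart from the one taken here, the new unref drops the count to zero and frees the object, and clear_info then runs on freed memory exactly as before the patch; the added comment even says the goal is to keep the object alive across "the nemo_file_clear_info() call below", which the placement does not achieve. Move `nemo_file_unref (file);` to after `nemo_file_clear_info (file);` (and after any other use of `file` that follows it in nemo_file_mark_gone), or have the caller named in the message, rename_get_info_callback, hold the ref around the whole nemo_file_mark_gone call. Whichever is chosen, the unref that ends the temporary ref must be the last access to `file` in the function, and the explanatory comment should be reworded to say so.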