From aba2cfe7a8d5c1658fe8df0095a089cc73db43ab Mon Sep 17 00:00:00 2001
From: Vaxry <43317083+vaxerski@users.noreply.github.com>
Date: Mon, 16 Jun 2025 17:02:08 +0200
Subject: [PATCH] asyncDialogBox: lock box in fdWrite to prevent a uaf (#10759)

---
 src/helpers/AsyncDialogBox.cpp | 9 ++++++++-
 src/helpers/AsyncDialogBox.hpp | 2 ++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/helpers/AsyncDialogBox.cpp b/src/helpers/AsyncDialogBox.cpp
index 697d61ba8..4ee5ccca6 100644
--- a/src/helpers/AsyncDialogBox.cpp
+++ b/src/helpers/AsyncDialogBox.cpp
@@ -46,6 +46,9 @@ CAsyncDialogBox::CAsyncDialogBox(const std::string& title, const std::string& de
 static int onFdWrite(int fd, uint32_t mask, void* data) {
     auto box = (CAsyncDialogBox*)data;
 
+    // lock the box to prevent a UAF
+    auto lock = box->lockSelf();
+
     box->onWrite(fd, mask);
 
     return 0;
@@ -142,4 +145,8 @@ void CAsyncDialogBox::kill() {
 
 bool CAsyncDialogBox::isRunning() const {
     return m_readEventSource;
-}
\ No newline at end of file
+}
+
+SP<CAsyncDialogBox> CAsyncDialogBox::lockSelf() {
+    return m_selfWeakReference.lock();
+}
diff --git a/src/helpers/AsyncDialogBox.hpp b/src/helpers/AsyncDialogBox.hpp
index 0ee0144e1..5f94be0da 100644
--- a/src/helpers/AsyncDialogBox.hpp
+++ b/src/helpers/AsyncDialogBox.hpp
@@ -27,6 +27,8 @@ class CAsyncDialogBox {
     void                      kill();
     bool                      isRunning() const;
 
+    SP<CAsyncDialogBox>       lockSelf();
+
     // focus priority, only permission popups
     bool m_priority = false;