aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuillaume Desmottes <guillaume.desmottes@collabora.co.uk>2010-02-16 19:53:41 +0800
committerGuillaume Desmottes <guillaume.desmottes@collabora.co.uk>2010-02-16 19:53:41 +0800
commit4219fa9dd2a048563bd6684a0bfba08dd1629759 (patch)
tree0e93531ae5641af93f081e0848ecf6ed461bc605
parent926bd94a134044ed2416537f02e55d7e4ef6cb1e (diff)
downloadgsoc2013-empathy-4219fa9dd2a048563bd6684a0bfba08dd1629759.tar.gz
gsoc2013-empathy-4219fa9dd2a048563bd6684a0bfba08dd1629759.tar.zst
gsoc2013-empathy-4219fa9dd2a048563bd6684a0bfba08dd1629759.zip
dispatcher_connection_new_requested_channel: fix a use-after-free crash
If an error occurs when requesting the channel, we call dispatcher_request_failed which as the side effect of destroying the DispatcherRequestData. When calling dispatcher_flush_outstanding_operations we used to deference this pointer. Fixes this crash by using the "self" pointer instead and reffing it to be sure it stays valid.
-rw-r--r--libempathy/empathy-dispatcher.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/libempathy/empathy-dispatcher.c b/libempathy/empathy-dispatcher.c
index 201e48409..70f97f974 100644
--- a/libempathy/empathy-dispatcher.c
+++ b/libempathy/empathy-dispatcher.c
@@ -1316,6 +1316,12 @@ dispatcher_connection_new_requested_channel (EmpathyDispatcher *self,
EmpathyDispatchOperation *operation = NULL;
ConnectionData *conn_data;
+ /* The DispatcherRequestData owns a ref on the self object. As the request
+ * data could be destroyed (when calling dispatcher_request_failed for
+ * example) we keep a ref on self to be sure it stays alive while we are
+ * executing this function. */
+ g_object_ref (self);
+
conn_data = g_hash_table_lookup (priv->connections,
request_data->connection);
@@ -1398,8 +1404,8 @@ dispatcher_connection_new_requested_channel (EmpathyDispatcher *self,
g_object_unref (operation);
out:
- dispatcher_flush_outstanding_operations (request_data->dispatcher,
- conn_data);
+ dispatcher_flush_outstanding_operations (self, conn_data);
+ g_object_unref (self);
}
static void