diff options
author | Guillaume Desmottes <guillaume.desmottes@collabora.co.uk> | 2010-02-16 19:53:41 +0800 |
---|---|---|
committer | Guillaume Desmottes <guillaume.desmottes@collabora.co.uk> | 2010-02-16 19:53:41 +0800 |
commit | 4219fa9dd2a048563bd6684a0bfba08dd1629759 (patch) | |
tree | 0e93531ae5641af93f081e0848ecf6ed461bc605 | |
parent | 926bd94a134044ed2416537f02e55d7e4ef6cb1e (diff) | |
download | gsoc2013-empathy-4219fa9dd2a048563bd6684a0bfba08dd1629759.tar.gz gsoc2013-empathy-4219fa9dd2a048563bd6684a0bfba08dd1629759.tar.zst gsoc2013-empathy-4219fa9dd2a048563bd6684a0bfba08dd1629759.zip |
dispatcher_connection_new_requested_channel: fix a use-after-free crash
If an error occurs when requesting the channel, we call
dispatcher_request_failed which as the side effect of destroying the
DispatcherRequestData. When calling dispatcher_flush_outstanding_operations
we used to deference this pointer.
Fixes this crash by using the "self" pointer instead and reffing it to be sure
it stays valid.
-rw-r--r-- | libempathy/empathy-dispatcher.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/libempathy/empathy-dispatcher.c b/libempathy/empathy-dispatcher.c index 201e48409..70f97f974 100644 --- a/libempathy/empathy-dispatcher.c +++ b/libempathy/empathy-dispatcher.c @@ -1316,6 +1316,12 @@ dispatcher_connection_new_requested_channel (EmpathyDispatcher *self, EmpathyDispatchOperation *operation = NULL; ConnectionData *conn_data; + /* The DispatcherRequestData owns a ref on the self object. As the request + * data could be destroyed (when calling dispatcher_request_failed for + * example) we keep a ref on self to be sure it stays alive while we are + * executing this function. */ + g_object_ref (self); + conn_data = g_hash_table_lookup (priv->connections, request_data->connection); @@ -1398,8 +1404,8 @@ dispatcher_connection_new_requested_channel (EmpathyDispatcher *self, g_object_unref (operation); out: - dispatcher_flush_outstanding_operations (request_data->dispatcher, - conn_data); + dispatcher_flush_outstanding_operations (self, conn_data); + g_object_unref (self); } static void |