From 4219fa9dd2a048563bd6684a0bfba08dd1629759 Mon Sep 17 00:00:00 2001
From: Guillaume Desmottes
Date: Tue, 16 Feb 2010 11:53:41 +0000
Subject: dispatcher_connection_new_requested_channel: fix a use-after-free crash
If an error occurs when requesting the channel, we call dispatcher_request_failed which as the side effect of destroying the DispatcherRequestData. When calling dispatcher_flush_outstanding_operations we used to deference this pointer. Fixes this crash by using the "self" pointer instead and reffing it to be sure it stays valid.
---
 libempathy/empathy-dispatcher.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'libempathy/empathy-dispatcher.c')
diff --git a/libempathy/empathy-dispatcher.c b/libempathy/empathy-dispatcher.c
index 201e48409..70f97f974 100644
--- a/libempathy/empathy-dispatcher.c
+++ b/libempathy/empathy-dispatcher.c
@@ -1316,6 +1316,12 @@ dispatcher_connection_new_requested_channel (EmpathyDispatcher *self,
 EmpathyDispatchOperation *operation = NULL;
 ConnectionData *conn_data;
+ /* The DispatcherRequestData owns a ref on the self object. As the request
+ * data could be destroyed (when calling dispatcher_request_failed for
+ * example) we keep a ref on self to be sure it stays alive while we are
+ * executing this function. */
+ g_object_ref (self);
+
 conn_data = g_hash_table_lookup (priv->connections, request_data->connection);
@@ -1398,8 +1404,8 @@ dispatcher_connection_new_requested_channel (EmpathyDispatcher *self,
 g_object_unref (operation);
 out:
- dispatcher_flush_outstanding_operations (request_data->dispatcher,
- conn_data);
+ dispatcher_flush_outstanding_operations (self, conn_data);
+ g_object_unref (self);
 }
 static void
-- cgit v1.2.3
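Review bot: The `g_object_ref (self)` added at the top of the function is balanced only by the `g_object_unref (self)` under `out:` in the second hunk, so any exit between the two hunks that does not pass through `out:` would leak a reference on the dispatcher. That part of the body lies outside both hunks and needs checking against the full function; any bare `return` there should become `goto out;`. The new comment explains why `self` is pinned but not the rule the fix relies on, so I would add a line such as `* request_data must not be dereferenced after dispatcher_request_failed ().`, since the parameter stays in scope for the rest of the function.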
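Review bot: The `conn_data` passed to `dispatcher_flush_outstanding_operations (self, conn_data)` is still the pointer fetched from `priv->connections` at the top of the function, and the added ref on `self` keeps the dispatcher alive but does not pin that hash-table entry. If anything on the failure path can remove the connection from the table (not visible in these hunks), `conn_data` would be stale at `out:` in the same way `request_data` was. Please confirm this cannot happen and record it at the label, for example `/* conn_data is owned by priv->connections and outlives the request */`, if that holds. The code above `g_object_unref (operation);` is outside the hunk.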