From 2759aaea7183e124d3a90564e6a48d3dd1a4142a Mon Sep 17 00:00:00 2001
From: Milan Crha
Date: Tue, 11 Feb 2014 12:42:51 +0100
Subject: e_table_sort_info_duplicate: Missing ref of a 'column_spec' member

Both 'groupings' and 'sortings' arrays unref the 'column_spec' on removal, but the 'duplicate' function didn't ref them, which caused use-after-free at the end of the application.
---
 e-util/e-table-sort-info.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
(limited to 'e-util')
diff --git a/e-util/e-table-sort-info.c b/e-util/e-table-sort-info.c
index a227c0eb16..815897b11d 100644
--- a/e-util/e-table-sort-info.c
+++ b/e-util/e-table-sort-info.c
@@ -867,6 +867,7 @@ e_table_sort_info_duplicate (ETableSortInfo *sort_info)
 {
 ETableSpecification *specification;
 ETableSortInfo *new_info;
+ gint ii;
 
 g_return_val_if_fail (E_IS_TABLE_SORT_INFO (sort_info), NULL);
 
@@ -883,6 +884,14 @@ e_table_sort_info_duplicate (ETableSortInfo *sort_info)
 sort_info->priv->groupings->len *
 g_array_get_element_size (sort_info->priv->groupings));
 
+ for (ii = 0; ii < new_info->priv->groupings->len; ii++) {
+ ColumnData *column_data;
+
+ column_data = &g_array_index (new_info->priv->groupings, ColumnData, ii);
+
+ g_object_ref (column_data->column_spec);
+ }
+
 g_array_set_size (
 new_info->priv->sortings,
 sort_info->priv->sortings->len);
@@ -892,6 +901,14 @@ e_table_sort_info_duplicate (ETableSortInfo *sort_info)
 sort_info->priv->sortings->len *
 g_array_get_element_size (sort_info->priv->sortings));
 
+ for (ii = 0; ii < new_info->priv->sortings->len; ii++) {
+ ColumnData *column_data;
+
+ column_data = &g_array_index (new_info->priv->sortings, ColumnData, ii);
+
+ g_object_ref (column_data->column_spec);
+ }
+
 new_info->priv->can_group = sort_info->priv->can_group;
 
 return new_info;
-- 
cgit v1.2.3
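Review bot: The counter added here is a signed `gint ii`, but both loops added later in this commit (the groupings and sortings hunks) bound it by `GArray.len`, which is a `guint`. That makes the loop condition a signed/unsigned comparison and will trip `-Wsign-compare`. Declaring it as `guint ii;` matches the type it is compared against. The declaration sits at the top of e_table_sort_info_duplicate, whose body continues outside this hunk.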
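Review bot: The reason for taking references in the groupings loop is recorded only in the commit message, not in the code. The memcpy just above copies raw `column_spec` pointers, and per the commit message the arrays drop a reference when an element is removed. I would put `/* memcpy() copied borrowed pointers; the array unrefs column_spec on removal, so every copied element needs its own reference */` above this loop and above the sortings loop in the next hunk. Whether `column_spec` can be NULL in a ColumnData is not visible here; if it can, `g_object_ref()` would log a critical on that element, so it is worth confirming. The function starts and ends outside this hunk.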
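Review bot: The sortings loop is a line-for-line copy of the groupings loop in the previous hunk. The bug being fixed is a missed reference after a raw copy, and two hand-maintained copies of the fix invite the same omission the next time a third array or another ref-counted member is added. A small static helper that takes the GArray and refs each element's `column_spec` would keep the ownership rule in one place; the function and call-site names below are a suggestion only. e_table_sort_info_duplicate starts before this hunk and its remaining lines are unchanged.

```c
static void
column_data_array_ref_specs (GArray *array)
{
	guint ii;

	for (ii = 0; ii < array->len; ii++) {
		ColumnData *column_data;

		column_data = &g_array_index (array, ColumnData, ii);
		g_object_ref (column_data->column_spec);
	}
}

/* … unchanged: e_table_sort_info_duplicate up to the groupings memcpy … */
	column_data_array_ref_specs (new_info->priv->groupings);
/* … unchanged: g_array_set_size and memcpy for sortings … */
	column_data_array_ref_specs (new_info->priv->sortings);
```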