[Xfce4-commits] <xfconf:master> Fix double free crash (bug #8169).
Nick Schermer
noreply at xfce.org
Tue Dec 20 11:00:01 CET 2011
Updating branch refs/heads/master
to cdcbb6a3a68e9645f6b286d8cb0c420e378261c1 (commit)
from 73982b032145c35869a4143056d6f2fc31f11fc8 (commit)
commit cdcbb6a3a68e9645f6b286d8cb0c420e378261c1
Author: Olivier Fourdan <fourdan at xfce.org>
Date: Tue Dec 20 10:57:27 2011 +0100
Fix double free crash (bug #8169).
In xfconf_cache_set_property_reply_handler() if the item is not found in
cache->properties, the function exits (goto out;) without removing the
old_property from cache->old_properties nor the call from cache->pending_calls.
Then when xfconf_cache_set() is called, the old_item is still found in the hash
(as it wasn't removed previously) and therefore dbus_g_proxy_cancel_call() is
called in a call which was completed, thus leading to the double-free and the
crash.
xfconf/xfconf-cache.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/xfconf/xfconf-cache.c b/xfconf/xfconf-cache.c
index 06c1b56..bb6d889 100644
--- a/xfconf/xfconf-cache.c
+++ b/xfconf/xfconf-cache.c
@@ -511,6 +511,10 @@ xfconf_cache_set_property_reply_handler(DBusGProxy *proxy,
goto out;
}
+ g_hash_table_remove(cache->old_properties, old_item->property);
+ /* don't destroy old_item yet */
+ g_hash_table_steal(cache->pending_calls, old_item->call);
+
item = g_tree_lookup(cache->properties, old_item->property);
if(G_UNLIKELY(!item)) {
#ifndef NDEBUG
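Review bot: With the g_hash_table_steal() now placed ahead of the `if(G_UNLIKELY(!item))` check, the `goto out;` branch is reached with old_item no longer owned by cache->pending_calls, so nothing in this hunk shows who frees it on that path. Please confirm the code at the `out:` label releases old_item in that case, otherwise the double free is traded for a leak. The comment "don't destroy old_item yet" would also be more useful if it said where the item is finally destroyed, since that is the invariant this fix depends on.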
@@ -519,10 +523,6 @@ xfconf_cache_set_property_reply_handler(DBusGProxy *proxy,
goto out;
}
- g_hash_table_remove(cache->old_properties, old_item->property);
- /* don't destroy old_item yet */
- g_hash_table_steal(cache->pending_calls, old_item->call);
-
if(!dbus_g_proxy_end_call(proxy, call, &error, G_TYPE_INVALID)) {
/* failed to set the value. reset it to the old value and send
* a prop changed signal to the channel */
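Review bot: The `goto out;` in the `!item` branch still skips the dbus_g_proxy_end_call(proxy, call, &error, G_TYPE_INVALID) that follows, so on that path the reply of the completed call is never collected and any error it carried is dropped silently. Consider ending the call before bailing out, or add a comment stating that skipping it is intentional and safe. A regression test that removes a property while a set call is still pending would cover the path this commit fixes.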