[Xfce4-commits] <xfconf:xfce-4.8> Fix double free crash (bug #8169).
Nick Schermer
noreply at xfce.org
Tue Dec 20 11:00:04 CET 2011
Updating branch refs/heads/xfce-4.8
to 2a4673e1dae7d766d095582b47aa2b1c31e3de71 (commit)
from dbf5d4eda87437b7492aa9fcbbe8421e9e8e9ac1 (commit)
commit 2a4673e1dae7d766d095582b47aa2b1c31e3de71
Author: Olivier Fourdan <fourdan at xfce.org>
Date: Tue Dec 20 10:57:27 2011 +0100
Fix double free crash (bug #8169).
In xfconf_cache_set_property_reply_handler() if the item is not found in
cache->properties, the function exits (goto out;) without removing the
old_property from cache->old_properties nor the call from cache->pending_calls.
Then when xfconf_cache_set() is called, the old_item is still found in the hash
(as it wasn't removed previously) and therefore dbus_g_proxy_cancel_call() is
called in a call which was completed, thus leading to the double-free and the
crash.
(cherry picked from commit cdcbb6a3a68e9645f6b286d8cb0c420e378261c1)
xfconf/xfconf-cache.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/xfconf/xfconf-cache.c b/xfconf/xfconf-cache.c
index 432982b..87ae43a 100644
--- a/xfconf/xfconf-cache.c
+++ b/xfconf/xfconf-cache.c
@@ -510,6 +510,10 @@ xfconf_cache_set_property_reply_handler(DBusGProxy *proxy,
goto out;
}
+ g_hash_table_remove(cache->old_properties, old_item->property);
+ /* don't destroy old_item yet */
+ g_hash_table_steal(cache->pending_calls, old_item->call);
+
item = g_tree_lookup(cache->properties, old_item->property);
if(G_UNLIKELY(!item)) {
#ifndef NDEBUG
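Review bot: once the new g_hash_table_steal(cache->pending_calls, old_item->call) at the top of this hunk has run, the early `goto out` in the `if(G_UNLIKELY(!item))` branch leaves with old_item owned by neither table, so the `out:` path must be the one that frees it. That label is not visible in this hunk; please confirm it destroys old_item on this path, otherwise the fix trades the double free for a leak. Please also check that cache->old_properties has no key destroy function that frees old_item->property, because the g_tree_lookup() on the following line still reads it after the g_hash_table_remove(). Extending the "don't destroy old_item yet" comment to say that this cleanup has to precede the cache->properties lookup would keep a later refactor from moving it back.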
@@ -518,10 +522,6 @@ xfconf_cache_set_property_reply_handler(DBusGProxy *proxy,
goto out;
}
- g_hash_table_remove(cache->old_properties, old_item->property);
- /* don't destroy old_item yet */
- g_hash_table_steal(cache->pending_calls, old_item->call);
-
if(!dbus_g_proxy_end_call(proxy, call, &error, G_TYPE_INVALID)) {
/* failed to set the value. reset it to the old value and send
* a prop changed signal to the channel */
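Review bot: the `goto out` kept as context at the top of this hunk still jumps past dbus_g_proxy_end_call(proxy, call, &error, G_TYPE_INVALID), so on the item-not-found path the reply and any error for the completed call are never collected, even though its tracking entries have now been dropped. Consider calling dbus_g_proxy_end_call() before the cache->properties lookup, or add a comment stating why skipping it is safe on that path.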