Updating branch refs/heads/xfce-4.8 to 2a4673e1dae7d766d095582b47aa2b1c31e3de71 (commit) from dbf5d4eda87437b7492aa9fcbbe8421e9e8e9ac1 (commit)
commit 2a4673e1dae7d766d095582b47aa2b1c31e3de71
Author: Olivier Fourdan <four...@xfce.org>
Date: Tue Dec 20 10:57:27 2011 +0100
Fix double free crash (bug #8169). In xfconf_cache_set_property_reply_handler() if the item is not found in cache->properties, the function exit (goto out;) without removing the old_property from cache->old_properties nor the call from cache->pending_calls. Then when xfconf_cache_set() is called, the old_item is still found in the hash (as it wasn't removed previously) and therefore dbus_g_proxy_cancel_call() is called in a call which was completed, thus leading to the double-free and the crash. (cherry picked from commit cdcbb6a3a68e9645f6b286d8cb0c420e378261c1)
xfconf/xfconf-cache.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/xfconf/xfconf-cache.c b/xfconf/xfconf-cache.c
index 432982b..87ae43a 100644
--- a/xfconf/xfconf-cache.c
+++ b/xfconf/xfconf-cache.c
@@ -510,6 +510,10 @@ xfconf_cache_set_property_reply_handler(DBusGProxy *proxy,
 goto out;
 }
 
+ g_hash_table_remove(cache->old_properties, old_item->property);
+ /* don't destroy old_item yet */
+ g_hash_table_steal(cache->pending_calls, old_item->call);
+
 item = g_tree_lookup(cache->properties, old_item->property);
 if(G_UNLIKELY(!item)) {
 #ifndef NDEBUG
@@ -518,10 +522,6 @@ xfconf_cache_set_property_reply_handler(DBusGProxy *proxy,
 goto out;
 }
 
- g_hash_table_remove(cache->old_properties, old_item->property);
- /* don't destroy old_item yet */
- g_hash_table_steal(cache->pending_calls, old_item->call);
-
 if(!dbus_g_proxy_end_call(proxy, call, &error, G_TYPE_INVALID)) {
 /* failed to set the value. reset it to the old value and send
 * a prop changed signal to the channel */
_______________________________________________
Xfce4-commits mailing list
Xfce4-commits@xfce.org
https://mail.xfce.org/mailman/listinfo/xfce4-commits
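Review bot: In the first hunk of xfconf/xfconf-cache.c, the `!item` branch now reaches `goto out` after `g_hash_table_steal(cache->pending_calls, old_item->call)`, so on that path the cache no longer tracks old_item and this handler is responsible for it. The `out:` label lies outside the hunk, so please confirm it frees old_item on that exit; otherwise the double free is traded for a leak. The same branch also skips `dbus_g_proxy_end_call()`, so the reply for the completed call appears never to be collected there, which is worth checking against what dbus-glib expects from a reply handler. Since the statement order is the entire fix and is easy to undo in a later refactor, I would replace the short comment with `/* Forget this completed call before any early exit: xfconf_cache_set() cancels whatever is still in old_properties, and cancelling a finished call double-frees. After the steal we own old_item. */`.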