pidgin: 07df4a7b: Add and remove an extra ref per MsnMessa...
qulogic at pidgin.im
qulogic at pidgin.im
Mon May 24 02:50:35 EDT 2010
-----------------------------------------------------------------
Revision: 07df4a7b7eb9d87771352ce30a405e0d5d8096df
Ancestor: a12c0e83e315f6ccc2e24fd4c56217414a9393e9
Author: qulogic at pidgin.im
Date: 2010-05-24T06:27:03
Branch: im.pidgin.pidgin
URL: http://d.pidgin.im/viewmtn/revision/info/07df4a7b7eb9d87771352ce30a405e0d5d8096df
Modified files:
libpurple/protocols/msn/slplink.c
libpurple/protocols/msn/slpmsg.c
ChangeLog:
Add and remove an extra ref per MsnMessage when saving it in a slpmsg, to
fix a possible use-after-free from valgrind. Also, don't traverse
slpmsg->msgs twice.
-------------- next part --------------
============================================================
--- libpurple/protocols/msn/slplink.c 1166e363870cf37a0c04253dd35d33bcad84b085
+++ libpurple/protocols/msn/slplink.c 340741ff99120f162c714d2b9661368002e4fa17
@@ -322,7 +322,7 @@ msn_slplink_send_msgpart(MsnSlpLink *slp
#endif
slpmsg->msgs =
- g_list_append(slpmsg->msgs, msg);
+ g_list_append(slpmsg->msgs, msn_message_ref(msg));
msn_slplink_send_msg(slplink, msg);
if ((slpmsg->flags == 0x20 || slpmsg->flags == 0x1000020 ||
@@ -381,6 +381,8 @@ msg_ack(MsnMessage *msg, void *data)
}
}
}
+
+ msn_message_unref(msg);
}
/* We have received the message nak. */
@@ -394,6 +396,7 @@ msg_nak(MsnMessage *msg, void *data)
msn_slplink_send_msgpart(slpmsg->slplink, slpmsg);
slpmsg->msgs = g_list_remove(slpmsg->msgs, msg);
+ msn_message_unref(msg);
}
static void
============================================================
--- libpurple/protocols/msn/slpmsg.c 361abd2d1b20e39d67ee7b1967d44573550bf551
+++ libpurple/protocols/msn/slpmsg.c 918ae21b3e5386ce0cb06eea47654b9741a96230
@@ -67,7 +67,7 @@ msn_slpmsg_destroy(MsnSlpMessage *slpmsg
if (slpmsg->img == NULL)
g_free(slpmsg->buffer);
- for (cur = slpmsg->msgs; cur != NULL; cur = cur->next)
+ for (cur = slpmsg->msgs; cur != NULL; cur = g_list_delete_link(cur, cur))
{
/* Something is pointing to this slpmsg, so we should remove that
* pointer to prevent a crash. */
@@ -78,8 +78,8 @@ msn_slpmsg_destroy(MsnSlpMessage *slpmsg
msg->ack_cb = NULL;
msg->nak_cb = NULL;
msg->ack_data = NULL;
+ msn_message_unref(msg);
}
- g_list_free(slpmsg->msgs);
slplink->slp_msgs = g_list_remove(slplink->slp_msgs, slpmsg);
More information about the Commits
mailing list