[Pidgin] #7604: Calling a callback synchronously from the request_authorize uiop crashes libpurple
Pidgin
trac at pidgin.im
Fri Nov 21 19:27:02 EST 2008
#7604: Calling a callback synchronously from the request_authorize uiop crashes
libpurple
-------------------+--------------------------------------------------------
Reporter: fqueze | Type: patch
Status: new | Component: libpurple
Version: 2.5.2 | Keywords:
-------------------+--------------------------------------------------------
Why it crashes:

request_auth_cb and request_deny_cb both call g_free on the parameter that
they receive, so if the function implementing the request_authorize uiops
calls one of them synchronously, this line writes in already freed memory:

    info->ui_handle = ui_ops->request_authorize(...

What the patch does:

We should write the result only if the ui_handle is not NULL. If the
ui_handle is NULL, the function implementing the uiop is very likely to
have already called one of the callbacks.

Additionally, if we don't want to leak, the g_list_append call needs to be
before the uiop call, otherwise g_list_remove (called inside the callback)
won't free anything.

info->ui_handle needs to be initialized to NULL before appending the
element to the list, otherwise if purple_account_request_close is called
before the uiop returns, it will read in uninitialized memory and may
crash.
--
Ticket URL: <http://developer.pidgin.im/ticket/7604>
Pidgin <http://pidgin.im>
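
The ordering the ticket describes, as an added example that is not part of the original ticket, the attached patch, or libpurple's code: a simplified model in which a UI callback may run before the uiop returns. All names (Req, auth_cb, ui_sync, ui_async, request_authorize, pending, live) are hypothetical, and plain malloc/free with a hand-rolled list stand in for g_free and GList.

```c
/* Simplified model; all names are hypothetical, malloc/free stand in for GLib. */
#include <stdlib.h>

typedef struct Req { void *ui_handle; struct Req *next; } Req;
typedef void (*ReqCb)(Req *);
typedef void *(*RequestAuthorizeFn)(ReqCb cb, Req *info);

static Req *pending = NULL;   /* list of outstanding requests */
static int live = 0;          /* allocations not yet freed (leak counter) */

/* Callback: unlinks the request if it is listed, then frees it. */
static void auth_cb(Req *info) {
    for (Req **p = &pending; *p; p = &(*p)->next)
        if (*p == info) { *p = info->next; break; }
    free(info);
    live--;
}

/* UI that answers immediately: runs the callback before returning, no handle. */
static void *ui_sync(ReqCb cb, Req *info) { cb(info); return NULL; }

/* UI that defers the answer: returns a handle, the callback runs later. */
static int dialog;
static void *ui_async(ReqCb cb, Req *info) { (void)cb; (void)info; return &dialog; }

/* Ordering described in the ticket. Returns the request, or NULL when the
 * uiop returned no handle (the request may already be freed by then). */
static Req *request_authorize(RequestAuthorizeFn uiop) {
    Req *info = malloc(sizeof *info);
    if (!info) return NULL;
    live++;
    info->ui_handle = NULL;      /* 1. initialise before the request is listed */
    info->next = pending;        /* 2. list it before calling the uiop */
    pending = info;
    void *handle = uiop(auth_cb, info);
    if (handle == NULL)          /* 3. info may be gone: do not touch it */
        return NULL;
    info->ui_handle = handle;
    return info;
}

int main(void) {
    request_authorize(ui_sync);              /* freed inside the call */
    Req *r = request_authorize(ui_async);    /* stays pending */
    if (r) auth_cb(r);                       /* deferred answer arrives */
    return live;                             /* 0 when nothing leaked */
}
```

Building this with AddressSanitizer (`-fsanitize=address`) and moving the list insertion after the uiop call, or removing the NULL check, makes the leak or the write to freed memory show up in the sanitizer report.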