pidgin.yaz: libpurple/protocols/msn/msn.c comparison

comparison libpurple/protocols/msn/msn.c @ 30174:b0bc67f42027

Fix a possible use-after-free. If the user initiated a file transfer while a display pic transfer was in progress, and that transfer finished before the user selected a file, then the MsnSlpLink to that user could be used after it's freed. Also, if there were a conversation open to that user, then the slplink would not be freed, so the FT must be started from the buddy list. Fixes #6453.

author	Elliott Sales de Andrade <qulogic@pidgin.im>
date	Tue, 20 Apr 2010 00:05:34 +0000
parents	29df7408df03
children	06fa97f637a7 2a436e0ce977 7a26ff6c0044

comparison

equal deleted inserted replaced

-:4ebecacf2fbb
+:b0bc67f42027
 static void
 t_msn_xfer_init(PurpleXfer *xfer)
 {
 	MsnSlpLink *slplink = xfer->data;
 	msn_slplink_request_ft(slplink, xfer);
+	msn_slplink_unref(slplink);
+}
+static void
+t_msn_xfer_cancel_send(PurpleXfer *xfer)
+{
+	MsnSlpLink *slplink = xfer->data;
+	msn_slplink_unref(slplink);
 }
 static PurpleXfer*
 msn_new_xfer(PurpleConnection *gc, const char *who)
 {
 	xfer = purple_xfer_new(gc->account, PURPLE_XFER_SEND, who);
 	g_return_val_if_fail(xfer != NULL, NULL);
-	xfer->data = msn_session_get_slplink(session, who);
+	xfer->data = msn_slplink_ref(msn_session_get_slplink(session, who));
 	purple_xfer_set_init_fnc(xfer, t_msn_xfer_init);
+	purple_xfer_set_cancel_send_fnc(xfer, t_msn_xfer_cancel_send);
 	return xfer;
 }
 static void

Mercurial > pidgin.yaz

comparison libpurple/protocols/msn/msn.c @ 30174:b0bc67f42027