diff libpurple/protocols/msn/msn.c @ 30174:b0bc67f42027

Fix a possible use-after-free. If the user initiated a file transfer while a display pic transfer was in progress, and that transfer finished before the user selected a file, then the MsnSlpLink to that user could be used after it's freed. Also, if there were a conversation open to that user, then the slplink would not be freed, so the FT must be started from the buddy list. Fixes #6453.
author Elliott Sales de Andrade <qulogic@pidgin.im>
date Tue, 20 Apr 2010 00:05:34 +0000
parents 29df7408df03
children 06fa97f637a7 2a436e0ce977 7a26ff6c0044
--- a/libpurple/protocols/msn/msn.c	Mon Apr 19 23:55:03 2010 +0000
+++ b/libpurple/protocols/msn/msn.c	Tue Apr 20 00:05:34 2010 +0000
@@ -589,6 +589,14 @@
 {
 	MsnSlpLink *slplink = xfer->data;
 	msn_slplink_request_ft(slplink, xfer);
+	msn_slplink_unref(slplink);
+}
+
+static void
+t_msn_xfer_cancel_send(PurpleXfer *xfer)
+{
+	MsnSlpLink *slplink = xfer->data;
+	msn_slplink_unref(slplink);
 }
 
 static PurpleXfer*
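Review bot: The new t_msn_xfer_cancel_send releases the reference through `xfer->data` unconditionally, and t_msn_xfer_init already releases that same reference after msn_slplink_request_ft; a cancel that arrives after init has run would therefore release it twice unless msn_slplink_request_ft replaces `xfer->data` or installs its own cancel handler, which this hunk does not show. If request_ft does hand `xfer->data` over to something else, that is the invariant the cancel handler depends on and it should be written down: `/* Only reached before t_msn_xfer_init ran (the file chooser was dismissed), so xfer->data still holds the slplink reference taken in msn_new_xfer. */`. If it does not, t_msn_xfer_init should clear the callback or the pointer after its unref, e.g. `xfer->data = NULL;` with msn_slplink_unref made NULL-tolerant, so the two release paths are mutually exclusive. t_msn_xfer_init's signature is above the hunk.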
@@ -603,9 +611,10 @@
 
 	g_return_val_if_fail(xfer != NULL, NULL);
 
-	xfer->data = msn_session_get_slplink(session, who);
+	xfer->data = msn_slplink_ref(msn_session_get_slplink(session, who));
 
 	purple_xfer_set_init_fnc(xfer, t_msn_xfer_init);
+	purple_xfer_set_cancel_send_fnc(xfer, t_msn_xfer_cancel_send);
 
 	return xfer;
 }
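Review bot: Nesting msn_slplink_ref inside the `xfer->data` assignment hides who owns the extra reference and which callback is expected to drop it, which is exactly the lifetime the commit message says was wrong before; a comment on that line would make the contract checkable: `/* xfer owns one slplink ref until t_msn_xfer_init or t_msn_xfer_cancel_send drops it. */`. It is also worth a sentence on whether msn_session_get_slplink can return NULL, since msn_slplink_ref is applied to its result without a check; if it always creates the link on demand, say so in the comment. The enclosing function starts before the hunk.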