pidgin: libpurple/upnp.c comparison

comparison libpurple/upnp.c @ 30131:d60313011111

Fix a read-after-free from valgrind: Invalid read of size 8 at 0x9BD2816: purple_upnp_cancel_port_mapping (upnp.c:931) by 0x9BAEF41: purple_network_listen_cancel (network.c:585) by 0x1A49D7FD: msn_dc_destroy (directconn.c:204) Address 0x19c3c748 is 8 bytes inside a block of size 16 free'd at 0x4C239BF: free (vg_replace_malloc.c:325) by 0xBC1EB97: g_slist_delete_link (gslist.c:446) by 0x9BD2815: purple_upnp_cancel_port_mapping (upnp.c:928) by 0x9BAEF41: purple_network_listen_cancel (network.c:585) by 0x1A49D7FD: msn_dc_destroy (directconn.c:204)

author	Elliott Sales de Andrade <qulogic@pidgin.im>
date	Sat, 29 May 2010 22:52:14 +0000
parents	74776878c055
children	db7ffb0120d7

comparison

equal deleted inserted replaced

-:74776878c055
+:d60313011111
 	GSList *l;
 	/* Remove ar from discovery_callbacks if present; it was inserted after a cb.
 	 * The same cb may be in the list multiple times, so be careful to remove
 	 * the one associated with ar. */
-	l  = discovery_callbacks;
+	l = discovery_callbacks;
 	while (l)
 	{
-		if (l->next && (l->next->data == ar)) {
+		GSList *next = l->next;
-			discovery_callbacks = g_slist_delete_link(discovery_callbacks, l->next);
+		if (next && (next->data == ar)) {
+			discovery_callbacks = g_slist_delete_link(discovery_callbacks, next);
+			next = l->next;
 			discovery_callbacks = g_slist_delete_link(discovery_callbacks, l);
 		}
-		l = l->next;
+		l = next;
 	}
 	if (ar->tima > 0)
 		purple_timeout_remove(ar->tima);

Mercurial > pidgin

comparison libpurple/upnp.c @ 30131:d60313011111