diff libpurple/protocols/msn/slplink.c @ 29762:b0bc67f42027

Fix a possible use-after-free. If the user initiated a file transfer while a display pic transfer was in progress, and that transfer finished before the user selected a file, then the MsnSlpLink to that user could be used after it had been freed. Also, if there was a conversation open to that user, then the slplink would not be freed, so the file transfer must be started from the buddy list. Fixes #6453.
author Elliott Sales de Andrade <qulogic@pidgin.im>
date Tue, 20 Apr 2010 00:05:34 +0000
parents a0adf0bb19b7
children 2ab17571bf42 31f20c9c7674 7a26ff6c0044
--- a/libpurple/protocols/msn/slplink.c	Mon Apr 19 23:55:03 2010 +0000
+++ b/libpurple/protocols/msn/slplink.c	Tue Apr 20 00:05:34 2010 +0000
@@ -78,7 +78,7 @@
 	session->slplinks =
 		g_list_append(session->slplinks, slplink);
 
-	return slplink;
+	return msn_slplink_ref(slplink);
 }
 
 void
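Review bot: Returning `msn_slplink_ref(slplink)` here relies on `slplink->refs` starting at zero, and the allocation that would establish that is above the hunk, so the initial count cannot be confirmed from this view; if the struct is not zero-allocated, an explicit `slplink->refs = 0;` before the append would make the starting count independent of the allocator. The return also changes the ownership contract: the caller now holds one reference it must release with `msn_slplink_unref()` rather than calling `msn_slplink_destroy()` directly. A comment at the return such as `/* Caller owns one reference; release it with msn_slplink_unref(). */` would make that explicit for the existing callers. The enclosing constructor begins outside this hunk.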
@@ -94,6 +94,11 @@
 	if (slplink->swboard != NULL)
 		slplink->swboard->slplinks = g_list_remove(slplink->swboard->slplinks, slplink);
 
+	if (slplink->refs > 1) {
+		slplink->refs--;
+		return;
+	}
+
 	session = slplink->session;
 
 #if 0
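Review bot: The new `if (slplink->refs > 1)` early return sits after the link has already been removed from `slplink->swboard->slplinks` (and, from the hunk header, presumably from the session list just above it), so a destroy on a link that is still referenced elsewhere unregisters it while other holders continue to use it, and later lookups will no longer find it. Moving the refcount check to the top of the function, before any list removal, keeps a still-referenced link registered until its last reference is dropped. Having destroy decrement `refs` also makes it a second unref path alongside `msn_slplink_unref()`; it would be clearer for destroy to only tear down and for callers to go through unref. The enclosing `msn_slplink_destroy` begins outside this hunk.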
@@ -115,6 +120,31 @@
 }
 
 MsnSlpLink *
+msn_slplink_ref(MsnSlpLink *slplink)
+{
+	g_return_val_if_fail(slplink != NULL, NULL);
+
+	slplink->refs++;
+	if (purple_debug_is_verbose())
+		purple_debug_info("msn", "slplink ref (%p)[%d]\n", slplink, slplink->refs);
+
+	return slplink;
+}
+
+void
+msn_slplink_unref(MsnSlpLink *slplink)
+{
+	g_return_if_fail(slplink != NULL);
+
+	slplink->refs--;
+	if (purple_debug_is_verbose())
+		purple_debug_info("msn", "slplink unref (%p)[%d]\n", slplink, slplink->refs);
+
+	if (slplink->refs == 0)
+		msn_slplink_destroy(slplink);
+}
+
+MsnSlpLink *
 msn_session_find_slplink(MsnSession *session, const char *who)
 {
 	GList *l;
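Review bot: `msn_slplink_unref` decrements unconditionally and frees only on an exact zero, so one extra unref on a link already at zero drives `refs` negative and the link is then never freed, while the pointer stays live for whoever still holds it; a guard `g_return_if_fail(slplink->refs > 0);` before the decrement turns that into a logged warning instead of a silent leak and matches the `g_return_if_fail` style already used at the top of the function. Neither new function is documented; a comment on `msn_slplink_ref` along the lines of `/* Takes a reference on slplink and returns it, so the call can be chained. */` and one on `msn_slplink_unref` stating that the link is destroyed when the count reaches zero would tell callers which function owns the free. The `refs` field itself must be declared in the header, which is not part of this diff.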