# HG changeset patch
# User Elliott Sales de Andrade
# Date 1274682423 0
# Node ID 287fc4ac2bd90036f31439abe103b69200fc4a1c
# Parent e432507151d1cce34471a7120658f486b205e197
Add and remove an extra ref per MsnMessage when saving it in a slpmsg, to fix a possible use-after-free from valgrind. Also, don't traverse slpmsg->msgs twice.
diff -r e432507151d1 -r 287fc4ac2bd9 libpurple/protocols/msn/slplink.c
--- a/libpurple/protocols/msn/slplink.c Sun May 23 21:45:19 2010 +0000
+++ b/libpurple/protocols/msn/slplink.c Mon May 24 06:27:03 2010 +0000
@@ -322,7 +322,7 @@
 #endif
 slpmsg->msgs =
- g_list_append(slpmsg->msgs, msg);
+ g_list_append(slpmsg->msgs, msn_message_ref(msg));
 msn_slplink_send_msg(slplink, msg);
 if ((slpmsg->flags == 0x20 || slpmsg->flags == 0x1000020 ||
@@ -381,6 +381,8 @@
 }
 }
 }
+
+ msn_message_unref(msg);
 }
 /* We have received the message nak. */
@@ -394,6 +396,7 @@
 msn_slplink_send_msgpart(slpmsg->slplink, slpmsg);
 slpmsg->msgs = g_list_remove(slpmsg->msgs, msg);
+ msn_message_unref(msg);
 }
 static void
diff -r e432507151d1 -r 287fc4ac2bd9 libpurple/protocols/msn/slpmsg.c
--- a/libpurple/protocols/msn/slpmsg.c Sun May 23 21:45:19 2010 +0000
+++ b/libpurple/protocols/msn/slpmsg.c Mon May 24 06:27:03 2010 +0000
@@ -67,7 +67,7 @@
 if (slpmsg->img == NULL)
 g_free(slpmsg->buffer);
- for (cur = slpmsg->msgs; cur != NULL; cur = cur->next)
+ for (cur = slpmsg->msgs; cur != NULL; cur = g_list_delete_link(cur, cur))
 {
 /* Something is pointing to this slpmsg, so we should remove that
 * pointer to prevent a crash. */
@@ -78,8 +78,8 @@
 msg->ack_cb = NULL;
 msg->nak_cb = NULL;
 msg->ack_data = NULL;
+ msn_message_unref(msg);
 }
- g_list_free(slpmsg->msgs);
 slplink->slp_msgs = g_list_remove(slplink->slp_msgs, slpmsg);
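Review bot: The reference taken by `msn_message_ref(msg)` inside the `g_list_append` call is an ownership transfer to slpmsg->msgs that nothing in the hunk records, so a reader of this line has no way to know which of the three new unrefs (msg_ack, the nak handler, and the destroy loop in slpmsg.c) is meant to balance it. A comment on the append such as `/* slpmsg->msgs owns one ref per entry; dropped by msg_ack()/nak, or by msn_slpmsg_destroy() */` would make the contract checkable at each release site. The line also relies on msn_message_ref() returning its argument, which the call itself now depends on. The enclosing function starts and ends outside the hunk, so whether any early-exit path between this append and msn_slplink_send_msg() could leave the entry unreleased cannot be checked here.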
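Review bot: The `msn_message_unref(msg)` added at the end of this function is unconditional, but the hunk does not show the matching `g_list_remove(slpmsg->msgs, msg)` that the nak handler in the next hunk pairs with its unref; if msg is not removed from slpmsg->msgs earlier in this function, the destroy loop in slpmsg.c would unref the same message a second time, and if it is removed, the unref here is correct. The function body starts outside the hunk, so this cannot be confirmed from the diff. The unref is also placed after the `slpmsg->slpcall->cb(...)` invocation visible above it; if that callback can tear down the slpmsg, the same list-membership question decides whether msg has already been released by the time control returns here. A one-line comment, `/* release the ref held by slpmsg->msgs since msn_slplink_send_msgpart() */`, at the unref would record which reference is being dropped.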
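Review bot: The new `msn_message_unref(msg)` follows `g_list_remove(slpmsg->msgs, msg)`, which is the right order, but both come after `msn_slplink_send_msgpart(slpmsg->slplink, slpmsg)`, which per the first hunk appends a freshly ref'd message to the same list, so for a moment the nak'd message and its replacement are both owned by slpmsg->msgs. Unless msn_slplink_send_msgpart() depends on msg still being listed, moving the remove/unref pair above the resend would keep the list holding exactly the in-flight messages and read the same as msg_ack. The unref is safe only if whoever invokes the nak callback still holds its own reference to msg, which is presumably the case but not visible here.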
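Review bot: With `cur = g_list_delete_link(cur, cur)` as the loop step, slpmsg->msgs is never updated and is left pointing at the first, already freed, link once the loop finishes; the removed `g_list_free(slpmsg->msgs)` had the same effect, so this is not a regression, but it is cheap to close by adding `slpmsg->msgs = NULL;` after the loop, or by stepping with `cur = slpmsg->msgs = g_list_delete_link(cur, cur)` so the field always mirrors the live list. That matters if anything between here and the final free of slpmsg (outside this hunk) can look at slpmsg->msgs. The loop body continues into the next hunk, where the per-message unref is added; the unref ordering there (callbacks cleared first, then the ref dropped) looks correct for a message that may still be queued elsewhere.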