Mercurial > pidgin

changeset 30089:287fc4ac2bd9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Add and remove an extra ref per MsnMessage when saving it in a slpmsg, to fix a possible use-after-free from valgrind. Also, don't traverse slpmsg->msgs twice.
author Elliott Sales de Andrade <qulogic@pidgin.im>
date Mon, 24 May 2010 06:27:03 +0000
parents e432507151d1
children c575fdb5022c
files libpurple/protocols/msn/slplink.c libpurple/protocols/msn/slpmsg.c
diffstat 2 files changed, 6 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/libpurple/protocols/msn/slplink.c	Sun May 23 21:45:19 2010 +0000
+++ b/libpurple/protocols/msn/slplink.c	Mon May 24 06:27:03 2010 +0000
@@ -322,7 +322,7 @@
 #endif
 
 	slpmsg->msgs =
-		g_list_append(slpmsg->msgs, msg);
+		g_list_append(slpmsg->msgs, msn_message_ref(msg));
 	msn_slplink_send_msg(slplink, msg);
 
 	if ((slpmsg->flags == 0x20 || slpmsg->flags == 0x1000020 ||
@@ -381,6 +381,8 @@
 			}
 		}
 	}
+
+	msn_message_unref(msg);
 }
 
 /* We have received the message nak. */
@@ -394,6 +396,7 @@
 	msn_slplink_send_msgpart(slpmsg->slplink, slpmsg);
 
 	slpmsg->msgs = g_list_remove(slpmsg->msgs, msg);
+	msn_message_unref(msg);
 }
 
 static void
--- a/libpurple/protocols/msn/slpmsg.c	Sun May 23 21:45:19 2010 +0000
+++ b/libpurple/protocols/msn/slpmsg.c	Mon May 24 06:27:03 2010 +0000
@@ -67,7 +67,7 @@
 	if (slpmsg->img == NULL)
 		g_free(slpmsg->buffer);
 
-	for (cur = slpmsg->msgs; cur != NULL; cur = cur->next)
+	for (cur = slpmsg->msgs; cur != NULL; cur = g_list_delete_link(cur, cur))
 	{
 		/* Something is pointing to this slpmsg, so we should remove that
 		 * pointer to prevent a crash. */
@@ -78,8 +78,8 @@
 		msg->ack_cb = NULL;
 		msg->nak_cb = NULL;
 		msg->ack_data = NULL;
+		msn_message_unref(msg);
 	}
-	g_list_free(slpmsg->msgs);
 
 	slplink->slp_msgs = g_list_remove(slplink->slp_msgs, slpmsg);