Mercurial > pidgin

changeset 30131:d60313011111

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Fix a read-after-free from valgrind: Invalid read of size 8 at 0x9BD2816: purple_upnp_cancel_port_mapping (upnp.c:931) by 0x9BAEF41: purple_network_listen_cancel (network.c:585) by 0x1A49D7FD: msn_dc_destroy (directconn.c:204) Address 0x19c3c748 is 8 bytes inside a block of size 16 free'd at 0x4C239BF: free (vg_replace_malloc.c:325) by 0xBC1EB97: g_slist_delete_link (gslist.c:446) by 0x9BD2815: purple_upnp_cancel_port_mapping (upnp.c:928) by 0x9BAEF41: purple_network_listen_cancel (network.c:585) by 0x1A49D7FD: msn_dc_destroy (directconn.c:204)
author Elliott Sales de Andrade <qulogic@pidgin.im>
date Sat, 29 May 2010 22:52:14 +0000
parents 74776878c055
children f5d4d3800e81
files libpurple/upnp.c
diffstat 1 files changed, 7 insertions(+), 4 deletions(-) [+]
line wrap: on
line diff
--- a/libpurple/upnp.c	Sat May 29 22:27:26 2010 +0000
+++ b/libpurple/upnp.c	Sat May 29 22:52:14 2010 +0000
@@ -921,15 +921,18 @@
 	/* Remove ar from discovery_callbacks if present; it was inserted after a cb.
 	 * The same cb may be in the list multiple times, so be careful to remove
 	 * the one associated with ar. */
-	l  = discovery_callbacks;
+	l = discovery_callbacks;
 	while (l)
 	{
-		if (l->next && (l->next->data == ar)) {
-			discovery_callbacks = g_slist_delete_link(discovery_callbacks, l->next);
+		GSList *next = l->next;
+
+		if (next && (next->data == ar)) {
+			discovery_callbacks = g_slist_delete_link(discovery_callbacks, next);
+			next = l->next;
 			discovery_callbacks = g_slist_delete_link(discovery_callbacks, l);
 		}
 
-		l = l->next;
+		l = next;
 	}
 
 	if (ar->tima > 0)