From: =?utf-8?q?Miloslav_Trma=C4=8D?= <mitr@redhat.com>
Date: Tue, 14 Apr 2015 22:27:41 +0200
Subject: Fix use-after-free in polkitagentsession.c
PolkitAgentTextListener's "completed" handler drops the last reference
to the session; in fact this is explicitly recommended in the signal's
documentation. So we must not access any members of session after
emitting the signal.
Found while dealing with
https://bugs.freedesktop.org/show_bug.cgi?id=69501
Origin: upstream, 0.113, commit:efb6cd56a423ba15bb1f44ee3c4987aad5a5fd45
---
src/polkitagent/polkitagentsession.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/polkitagent/polkitagentsession.c b/src/polkitagent/polkitagentsession.c
index 6a3d6bc..46fbaf0 100644
--- a/src/polkitagent/polkitagentsession.c
+++ b/src/polkitagent/polkitagentsession.c
@@ -412,8 +412,9 @@ complete_session (PolkitAgentSession *session,
{
if (G_UNLIKELY (_show_debug ()))
g_print ("PolkitAgentSession: emitting ::completed(%s)\n", result ? "TRUE" : "FALSE");
- g_signal_emit_by_name (session, "completed", result);
session->have_emitted_completed = TRUE;
+ /* Note that the signal handler may drop the last reference to session. */
+ g_signal_emit_by_name (session, "completed", result);
}
}
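Review bot: In complete_session, the comment added above g_signal_emit_by_name says the handler may drop the last reference, but it does not state the rule that follows from it: nothing may dereference session once the signal has been emitted. Consider wording it as a constraint (for example "session may be freed by a handler; do not access it after this call"), or bracketing the emit with g_object_ref (session) and g_object_unref (session) so that a statement added after it later does not reintroduce the use-after-free. The callers of complete_session are not visible in this hunk; any of them that reads session after the call returns would have the same problem and is worth checking as part of this fix.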