From 01404fbe83b0e3555e7eb76b02d6ecf672e142b4 Mon Sep 17 00:00:00 2001
From: Matthias Clasen
Date: Wed, 6 Jul 2016 19:10:33 -0400
Subject: [PATCH] Avoid a use-after-free

Instead of pulling parent_window out of a copy of the environment and having it go bad when we free the copy, move the definition of GAppLaunchContextPrivate up and use the envp member without copying in.

Pointed out by Cosimo Cecchi.
---
 gio/gappinfo.c | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/gio/gappinfo.c b/gio/gappinfo.c
index ad3b999cc..f19e40197 100644
--- a/gio/gappinfo.c
+++ b/gio/gappinfo.c
@@ -90,6 +90,10 @@
  * different ideas of what a given URI means.
  */
+struct _GAppLaunchContextPrivate {
+  char **envp;
+};
+
 typedef GAppInfoIface GAppInfoInterface;
 G_DEFINE_INTERFACE (GAppInfo, g_app_info, G_TYPE_OBJECT)
@@ -683,13 +687,8 @@ launch_default_with_portal (const char *uri,
   if (session_bus == NULL)
     return FALSE;
-  if (context)
-    {
-      char **env;
-      env = g_app_launch_context_get_environment (context);
-      parent_window = g_environ_getenv (env, "PARENT_WINDOW_ID");
-      g_strfreev (env);
-    }
+  if (context && context->priv->envp)
+    parent_window = g_environ_getenv (context->priv->envp, "PARENT_WINDOW_ID");
   g_variant_builder_init (&opt_builder, G_VARIANT_TYPE_VARDICT);
@@ -841,10 +840,6 @@ enum {
   LAST_SIGNAL
 };
-struct _GAppLaunchContextPrivate {
-  char **envp;
-};
-
 static guint signals[LAST_SIGNAL] = { 0 };
 G_DEFINE_TYPE_WITH_PRIVATE (GAppLaunchContext, g_app_launch_context, G_TYPE_OBJECT)
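Review bot: The relocated `struct _GAppLaunchContextPrivate` in the first hunk now sits among the GAppInfo interface boilerplate, far from the GAppLaunchContext implementation it belongs to, with nothing saying why it lives there. A one-line comment above it would spare the next reader a search, e.g. `/* Defined early so launch_default_with_portal() can read priv->envp directly. */`. The relocation itself is fine.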
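Review bot: In the second hunk `parent_window` now borrows a string inside `context->priv->envp` instead of a private copy, so it remains valid only while the context's environment is left untouched until `parent_window` is consumed; anything between this line and that use which goes through `g_app_launch_context_setenv()`/`g_app_launch_context_unsetenv()` or otherwise replaces `envp` would reintroduce the dangling pointer this commit removes. A comment such as `/* Borrows context->priv->envp; the context's environment must not change before parent_window is used. */` would record that contract. The new guard on `context->priv->envp` also changes behaviour relative to the old path: if `g_app_launch_context_get_environment()` fell back to the process environment when `envp` had not been set (its name suggests it might), a `PARENT_WINDOW_ID` inherited from the process environment is no longer consulted — worth confirming that is intended. `launch_default_with_portal()` starts and ends outside the hunk, so the later use of `parent_window` is not visible here.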