luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2024-12-25 23:16:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

gsocketclient: Fix a use-after-free in g_socket_client_connected_callback()

Browse Source 
The ref held by `data->task` may be the last one on the `GTask`. The
`GTask` stores `attempt->data` as its task data, and so when the `GTask`
is finalised, `attempt->data` is too. `connection_attempt_remove()`
needs to access `attempt->data`, so must be called before the
`g_object_unref()` in this situation.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Fixes: #3266
This commit is contained in:
Philip Withnall 2024-02-26 15:26:03 +00:00
parent 5b022f903c
commit 9a661ab970
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
gio/gsocketclient.c
View File

@ -1931,9 +1931,9 @@ g_socket_client_connected_callback (GObject *source,
if (task_completed_or_cancelled (data) || g_cancellable_is_cancelled (attempt->cancellable)) if (task_completed_or_cancelled (data) || g_cancellable_is_cancelled (attempt->cancellable))
{ {
g_object_unref (data->task);
connection_attempt_remove (attempt); connection_attempt_remove (attempt);
connection_attempt_unref (attempt); connection_attempt_unref (attempt);
g_object_unref (data->task);
return; return;
} }