luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2025-02-23 18:52:09 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'backport-3297-use-after-free-gdbus-method-invocation-glib-2-74' into 'glib-2-74'

Browse Source 
Backport !3297 “gdbusinterfaceskeleton: Fix a use-after-free of a GDBusMethodInvocation” to glib-2-74

See merge request GNOME/glib!3298
This commit is contained in:
Simon McVittie 2023-03-02 12:32:23 +00:00
commit f34ab2af3e
2 changed files with 14 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
gio/gdbusconnection.c
View File

@ -5048,7 +5048,7 @@ schedule_method_call (GDBusConnection *connection,
g_source_set_priority (idle_source, G_PRIORITY_DEFAULT); g_source_set_priority (idle_source, G_PRIORITY_DEFAULT);
g_source_set_callback (idle_source, g_source_set_callback (idle_source,
call_in_idle_cb, call_in_idle_cb,
invocation, g_steal_pointer (&invocation),
g_object_unref); g_object_unref);
g_source_set_static_name (idle_source, "[gio, " __FILE__ "] call_in_idle_cb"); g_source_set_static_name (idle_source, "[gio, " __FILE__ "] call_in_idle_cb");
g_source_attach (idle_source, main_context); g_source_attach (idle_source, main_context);

24
gio/gdbusinterfaceskeleton.c
View File

@ -461,16 +461,18 @@ dbus_interface_interface_init (GDBusInterfaceIface *iface)
typedef struct typedef struct
{ {
gint ref_count; /* (atomic) */ gint ref_count; /* (atomic) */
GDBusInterfaceSkeleton *interface;
GDBusInterfaceMethodCallFunc method_call_func; GDBusInterfaceMethodCallFunc method_call_func;
GDBusMethodInvocation *invocation; GDBusMethodInvocation *invocation; /* (owned) */
} DispatchData; } DispatchData;
static void static void
dispatch_data_unref (DispatchData *data) dispatch_data_unref (DispatchData *data)
{ {
if (g_atomic_int_dec_and_test (&data->ref_count)) if (g_atomic_int_dec_and_test (&data->ref_count))
g_slice_free (DispatchData, data); {
g_clear_object (&data->invocation);
g_slice_free (DispatchData, data);
}
} }
static DispatchData * static DispatchData *
@ -502,16 +504,17 @@ dispatch_in_thread_func (GTask *task,
GCancellable *cancellable) GCancellable *cancellable)
{ {
DispatchData *data = task_data; DispatchData *data = task_data;
GDBusInterfaceSkeleton *interface = g_task_get_source_object (task);
GDBusInterfaceSkeletonFlags flags; GDBusInterfaceSkeletonFlags flags;
GDBusObject *object; GDBusObject *object;
gboolean authorized; gboolean authorized;
g_mutex_lock (&data->interface->priv->lock); g_mutex_lock (&interface->priv->lock);
flags = data->interface->priv->flags; flags = interface->priv->flags;
object = data->interface->priv->object; object = interface->priv->object;
if (object != NULL) if (object != NULL)
g_object_ref (object); g_object_ref (object);
g_mutex_unlock (&data->interface->priv->lock); g_mutex_unlock (&interface->priv->lock);
/* first check on the enclosing object (if any), then the interface */ /* first check on the enclosing object (if any), then the interface */
authorized = TRUE; authorized = TRUE;
@ -519,13 +522,13 @@ dispatch_in_thread_func (GTask *task,
{ {
g_signal_emit_by_name (object, g_signal_emit_by_name (object,
"authorize-method", "authorize-method",
data->interface, interface,
data->invocation, data->invocation,
&authorized); &authorized);
} }
if (authorized) if (authorized)
{ {
g_signal_emit (data->interface, g_signal_emit (interface,
signals[G_AUTHORIZE_METHOD_SIGNAL], signals[G_AUTHORIZE_METHOD_SIGNAL],
0, 0,
data->invocation, data->invocation,
@ -627,9 +630,8 @@ g_dbus_interface_method_dispatch_helper (GDBusInterfaceSkeleton *interface
DispatchData *data; DispatchData *data;
data = g_slice_new0 (DispatchData); data = g_slice_new0 (DispatchData);
data->interface = interface;
data->method_call_func = method_call_func; data->method_call_func = method_call_func;
data->invocation = invocation; data->invocation = g_object_ref (invocation);
data->ref_count = 1; data->ref_count = 1;
task = g_task_new (interface, NULL, NULL, NULL); task = g_task_new (interface, NULL, NULL, NULL);