From: Daniel Vrátil Date: Tue, 21 Jun 2016 09:54:43 +0000 Subject: Fix read-after-free in CollectionStatistics X-Git-Url: http://quickgit.kde.org/?p=akonadi.git&a=commitdiff&h=6f32336be990362c7f74d17f6225bc7345242f6c
---
Fix read-after-free in CollectionStatistics CollectionStatistics lives in a separate thread. Returning the Statistics structure as a reference to other threads than means that the structure can be deleted in the CollectionStatistics thread while other threads are still holding a reference. We now return a copy of the Statistics struct instead, it's just four ints. Thanks to Andreas Schneider for pointing out the issue.
---
--- a/src/server/handler/status.cpp
+++ b/src/server/handler/status.cpp
@@ -39,7 +39,7 @@
 return failureResponse("No status for this folder");
 }
- const CollectionStatistics::Statistics &stats = CollectionStatistics::self()->statistics(col);
+ const CollectionStatistics::Statistics stats = CollectionStatistics::self()->statistics(col);
 if (stats.count == -1) {
 return failureResponse("Failed to query statistics.");
 }
--- a/src/server/handlerhelper.cpp
+++ b/src/server/handlerhelper.cpp
@@ -123,7 +123,7 @@
 response.setIsVirtual(col.isVirtual());
 if (includeStatistics) {
- const CollectionStatistics::Statistics &stats = CollectionStatistics::self()->statistics(col);
+ const CollectionStatistics::Statistics stats = CollectionStatistics::self()->statistics(col);
 if (stats.count > -1) {
 Protocol::FetchCollectionStatsResponse statsResponse(stats.count, stats.count - stats.read,
--- a/src/server/storage/collectionstatistics.cpp
+++ b/src/server/storage/collectionstatistics.cpp
@@ -45,7 +45,7 @@
 mCache.remove(col.id());
 }
-const CollectionStatistics::Statistics &CollectionStatistics::statistics(const Collection &col)
+const CollectionStatistics::Statistics CollectionStatistics::statistics(const Collection &col)
 {
 QMutexLocker lock(&mCacheLock);
 auto it = mCache.find(col.id());
--- a/src/server/storage/collectionstatistics.h
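Review bot: The change to the caller on the `+` line, and the identical one in handlerhelper.cpp, is not what closes the race: once `statistics()` returns by value, even the old `const CollectionStatistics::Statistics &stats` binding would lifetime-extend the returned temporary until the end of the block. Keeping the explicit copy is still the better form, since it tells the reader that `stats` is a snapshot rather than a view into the cache; `const auto stats = CollectionStatistics::self()->statistics(col);` would say the same without repeating the type. The enclosing function begins before the hunk, so whether `col` is validated earlier is not visible here.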
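Review bot: The top-level `const` on the new by-value return type of `CollectionStatistics::statistics()` has no effect on a prvalue except to block moving from the result, and clang-tidy's readability-const-return-type flags it; the same applies to the matching declaration in collectionstatistics.h. I would write `CollectionStatistics::Statistics CollectionStatistics::statistics(const Collection &col)` here and `Statistics statistics(const Collection &col);` in the header. The fix also depends on the copy being made while `QMutexLocker lock(&mCacheLock)` is still held, because the context line above this function removes cache entries under what is presumably the same mutex (invalidateCollection(), going by the header), so the return must stay inside the locked scope. A one-line comment on the definition, `// Returned by value on purpose: the cache entry can be removed concurrently via invalidateCollection().`, would keep a later refactor from reintroducing the reference. The body of statistics() continues past the end of the hunk.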
+++ b/src/server/storage/collectionstatistics.h
@@ -53,7 +53,7 @@
 static CollectionStatistics *self();
- const Statistics &statistics(const Collection &col);
+ const Statistics statistics(const Collection &col);
 void invalidateCollection(const Collection &col);
 private: