gmenuexporter: Fix a NULL pointer dereference on an error handling path

This latent bug wasn’t triggered until commit 3f30ec86 (or its cherry-pick onto glib-2-80, 747e3af9, which was first released in 2.80.1).

That change means that g_menu_exporter_free() is now called on the registration failure path by g_dbus_connection_register_object() before it returns. The caller then tries to call g_slice_free() on the exporter again. The call to g_menu_exporter_free() tries to dereference/free members of the exporter which it expects to be initialised — but because this is happening in an error handling path, they are not initialised.

If it were to get any further, the g_slice_free() would then be a double-free on the exporter allocation.

Fix that by making g_menu_exporter_free() robust to some of the exporter members being NULL, and moving some of the initialisation code higher in g_dbus_connection_export_menu_model(), and removing the duplicate free code on the error handling path.

This includes a unit test.

Signed-off-by: Philip Withnall pwithnall@gnome.org
Fixes: #3366 (closed)
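
The ownership rule described in the commit message, as an added example in plain C that is not GLib code and not part of the commit: a registration call that runs the free function itself on failure, a free function that tolerates unset members, and a caller that does not free a second time. `Exporter`, `Group`, `register_object()` and `export_menu()` are hypothetical stand-ins, and `free_count` exists only so the number of frees can be checked.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char *name; } Group;              /* hypothetical member type */
typedef struct { Group *root; int *free_count; } Exporter;

/* Dereferences g, so it must never be handed NULL. */
static void group_free(Group *g) { free(g->name); free(g); }

/* Free function that copes with an exporter whose members are still NULL. */
static void exporter_free(void *data)
{
    Exporter *e = data;
    if (e->free_count != NULL) (*e->free_count)++;
    if (e->root != NULL) group_free(e->root);      /* NULL on the error path */
    free(e);
}

/* Mock registration (assumption): owns data once called, and on failure
 * runs free_func before returning 0. */
static unsigned register_object(int fail, void *data, void (*free_func)(void *))
{
    if (fail) { free_func(data); return 0; }
    return 1;                                      /* constructed registration id */
}

static unsigned export_menu(int fail, int *free_count, Exporter **out)
{
    Exporter *e = calloc(1, sizeof *e);            /* every member starts NULL */
    if (e == NULL) return 0;
    e->free_count = free_count;                    /* set before registering */
    unsigned id = register_object(fail, e, exporter_free);
    if (id == 0) return 0;                         /* e already freed: no second free */
    e->root = calloc(1, sizeof *e->root);
    if (e->root != NULL && (e->root->name = malloc(5)) != NULL)
        strcpy(e->root->name, "root");
    *out = e;
    return id;
}

int main(void)
{
    int frees = 0; Exporter *e = NULL;
    unsigned id = export_menu(1, &frees, &e);
    printf("failure path: id=%u frees=%d\n", id, frees);
    id = export_menu(0, &frees, &e);
    if (e != NULL) exporter_free(e);
    printf("success path: id=%u frees=%d\n", id, frees);
    return 0;
}
```

Building this with `-fsanitize=address` and reintroducing a `free(e)` after the failed `register_object()` call reports the double free the commit message refers to.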