Commit c49a4dba authored by Simon McVittie

g_data_set_internal: avoid use-after-free if datalist is in dataset

Removing the last thing in a dataset frees the dataset, and if the
datalist was in a dataset, we can't safely unlock it after the dataset
has been freed. Unlock it sooner.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugzilla.gnome.org/show_bug.cgi?id=666113
Reviewed-by: Matthias Clasen <mclasen@redhat.com>
parent 0bf83788
......@@ -387,6 +387,10 @@ g_data_set_internal (GData **datalist,
{
G_DATALIST_SET_POINTER (datalist, NULL);
g_free (d);
/* datalist may be situated in dataset, so must not be
* unlocked after we free it
*/
g_datalist_unlock (datalist);
/* the dataset destruction *must* be done
* prior to invocation of the data destroy function
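Review bot: the new comment's "we free it" is ambiguous at the point where it appears, because the line directly above it frees `d` (the GData block), while the object the unlock must precede is the dataset torn down by `g_dataset_destroy_internal (dataset)` further down. Suggest wording it as "datalist may be situated in dataset, so it must be unlocked before g_dataset_destroy_internal frees the dataset", and adding a line noting that `datalist` must not be touched again on this path after the unlock, since both the dataset destruction and the data destroy function now run with the lock already released.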
......@@ -394,8 +398,10 @@ g_data_set_internal (GData **datalist,
if (dataset)
g_dataset_destroy_internal (dataset);
}
g_datalist_unlock (datalist);
else
{
g_datalist_unlock (datalist);
}
/* We found and removed an old value
* the GData struct *must* already be unlinked
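Review bot: moving the trailing unconditional `g_datalist_unlock (datalist);` into an `else` branch makes the unlock in the then-branch (several lines earlier, in the previous hunk) the only release on the removal path, so the two halves of the lock/unlock pairing are now in different hunks. A one-line comment at the `else`, such as "already unlocked above on the removal path", would make it clear to the next reader that the asymmetry is deliberate and that every path through this block unlocks exactly once.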