Commit 523fe32b authored by Milan Crha's avatar Milan Crha

secret-file-backend: Fix use-after-free in flatpak

The on_portal_retrieve_secret() can connect a GCancellable, but it
doesn't disconnect from it (only when the cancellable is cancelled),
which means when the cancellable is cancelled later, when the GTask
is gone, the callback is called with already freed data.
parent eb4f967e
Pipeline #161981 passed with stages
in 5 minutes and 7 seconds
...@@ -231,6 +231,11 @@ on_portal_response (GDBusConnection *connection, ...@@ -231,6 +231,11 @@ on_portal_response (GDBusConnection *connection,
InitClosure *init = g_task_get_task_data (task); InitClosure *init = g_task_get_task_data (task);
guint32 response; guint32 response;
if (init->cancellable_signal_id) {
g_cancellable_disconnect (g_task_get_cancellable (task), init->cancellable_signal_id);
init->cancellable_signal_id = 0;
g_dbus_connection_signal_unsubscribe (connection, g_dbus_connection_signal_unsubscribe (connection,
init->portal_signal_id); init->portal_signal_id);
...@@ -303,6 +308,7 @@ on_portal_cancel (GCancellable *cancellable, ...@@ -303,6 +308,7 @@ on_portal_cancel (GCancellable *cancellable,
task); task);
g_cancellable_disconnect (cancellable, init->cancellable_signal_id); g_cancellable_disconnect (cancellable, init->cancellable_signal_id);
init->cancellable_signal_id = 0;
} }
static void static void
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment