Double-free if cd_icc_load_handle() returns error
We've had a report in Debian of a crash when plugging in a Thunderbolt docking station, very similar to gnome-shell#6162 (closed): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031847.
gnome-shell#6162 (closed) was believed to be caused by https://github.com/mm2/Little-CMS/issues/344 or by https://github.com/hughsie/colord/issues/145, but Debian's lcms already has https://github.com/mm2/Little-CMS/commit/a9e4601ceb3a185d4f78cc0cfbd285cf0c399e9d applied as a patch, and the reporter of the Debian bug says that applying https://github.com/hughsie/colord/pull/146 does not solve this for them.
While looking at the relevant code in mutter, I noticed another possible cause for this symptom. If the profile is considered invalid such that cd_icc_load() fails, then cd_icc_load_handle() will take ownership and eventually free it with cmsCloseProfile when the CdIcc object is destroyed, but mutter will also call cmsCloseProfile as a result of the cd_icc_load_handle() failure, causing a double-free.
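To make the ownership pattern described above concrete, here is an added stand-alone C model; it is not mutter, colord or lcms code. The `Mock*` types and functions are constructed stand-ins: the profile handle counts how many times it is "closed" instead of freeing memory, so a double close shows up as a number rather than as undefined behaviour. `mock_icc_load_handle()` mirrors the rule the report describes (the object takes ownership of the handle even when loading fails), and the two callers show the buggy pattern beside a caller that drops its own reference as soon as ownership is handed over.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed mock of an lcms profile handle: tracks close calls instead of
 * freeing, so a double close is observable (a real cmsCloseProfile would
 * free here and the second call would be a double-free). */
typedef struct {
    int close_count;
    bool valid;
} MockProfile;

/* Constructed mock of the object that takes ownership of the handle. */
typedef struct {
    MockProfile *owned;   /* handle the object now owns, or NULL */
} MockIcc;

static MockProfile *mock_open_profile(bool valid) {
    MockProfile *p = calloc(1, sizeof *p);
    p->valid = valid;
    return p;
}

static void mock_close_profile(MockProfile *p) {
    if (p) p->close_count++;
}

/* Models the ownership rule from the report: ownership of the handle passes
 * to the object unconditionally, and loading may still fail afterwards. */
static bool mock_icc_load_handle(MockIcc *icc, MockProfile *handle) {
    icc->owned = handle;
    return handle->valid;
}

/* Destroying the object closes whatever handle it owns. */
static void mock_icc_destroy(MockIcc *icc) {
    mock_close_profile(icc->owned);
    icc->owned = NULL;
}

/* Buggy caller: still treats the handle as its own after a failed load, so
 * an invalid profile is closed twice (once here, once on destroy). */
static int buggy_caller_close_count(bool valid) {
    MockIcc icc = {0};
    MockProfile *h = mock_open_profile(valid);
    int count;

    if (!mock_icc_load_handle(&icc, h)) {
        mock_close_profile(h);   /* caller closes on error ... */
    }
    mock_icc_destroy(&icc);      /* ... and the owner closes again */

    count = h->close_count;      /* safe only because the mock never frees */
    free(h);
    return count;
}

/* Fixed caller: after the ownership transfer the caller never touches the
 * handle again, whatever the result; destroy is the single close. */
static int fixed_caller_close_count(bool valid) {
    MockIcc icc = {0};
    MockProfile *h = mock_open_profile(valid);
    MockProfile *observer = h;   /* kept only so the mock can report its count */
    int count;

    (void)mock_icc_load_handle(&icc, h);
    h = NULL;                    /* ownership is gone; drop our reference */
    mock_icc_destroy(&icc);

    count = observer->close_count;
    free(observer);
    return count;
}

int main(void) {
    printf("buggy caller, invalid profile: closed %d times\n",
           buggy_caller_close_count(false));
    printf("fixed caller, invalid profile: closed %d times\n",
           fixed_caller_close_count(false));
    printf("fixed caller, valid profile:   closed %d times\n",
           fixed_caller_close_count(true));
    return 0;
}
```

The point of the model is the asymmetry: the buggy caller is correct for a valid profile and only breaks on the error path, which is why an invalid or unsupported profile (such as one lcms rejects) is what turns this into a crash at hotplug time.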
I do not have hardware suitable for reproducing this myself.