From f36381131b6f410333a9a823a4fc131ac799394f Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 26 Mar 2009 18:00:16 +0000 Subject: [PATCH] fd.o#20884: dbus_g_proxy_manager_replace_name_owner: don't leave freed memory in the hash table if the name was the owner's first Here's a situation where this code would fail: * an owner :1.42 owns a name com.Example and a name org.Example * the owner_names hash table contains { :1.42 => c }, where c is a GSList link with data = "com.Example", next = o and o is a GSList link with data = "org.Example", next = NULL * the name owner for com.Example changes so :1.42 no longer owns the name * initially, names == c * g_slist_delete_link unlinks and frees c, and sets names = o * but c is still in the hash table, so next time we look in the hash table, we crash The fix is to replace c with o in the owner_names hash table.
---
 dbus/dbus-gproxy.c | 13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/dbus/dbus-gproxy.c b/dbus/dbus-gproxy.c
index b379c20..572b7fb 100644
--- a/dbus/dbus-gproxy.c
+++ b/dbus/dbus-gproxy.c
@@ -753,9 +753,16 @@ dbus_g_proxy_manager_replace_name_owner (DBusGProxyManager *manager,
 names = g_slist_delete_link (names, link);
- if (names == NULL)
- g_hash_table_remove (manager->owner_names, prev_owner);
- }
+ if (names == NULL)
+ {
+ g_hash_table_remove (manager->owner_names, prev_owner);
+ }
+ else
+ {
+ g_hash_table_insert (manager->owner_names,
+ g_strdup (prev_owner), names);
+ }
+ }
 }
 if (new_owner[0] == '\0')
-- 1.6.2.1
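Review bot: The added `else` branch is only memory-safe for one particular configuration of `manager->owner_names`, and the hunk neither shows nor documents it. `g_hash_table_insert` on a key that already exists frees the passed-in `g_strdup (prev_owner)` only if the table has a key destroy function, and it would run any value destroy function on the old value, which may be the link that `g_slist_delete_link` has just freed. Assuming the table is created with `g_free` for keys and no value destructor, a comment above the insert would pin that down, e.g. `/* names may have a new head; re-store it so the table never keeps the freed link (the table frees the duplicate key) */`. The function's body and the table's construction both lie outside this hunk, so that assumption should be confirmed there.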