From f8cecd5058a09d94aaa669168d124882b396dcea Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Tue, 3 May 2011 11:59:44 +0100 Subject: [PATCH 4/6] dbus_g_connection_unregister_g_object: fix out-of-bounds reading The list of registrations is singly linked; we only avoid a crash here by luck. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=36793 --- dbus/dbus-gobject.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/dbus/dbus-gobject.c b/dbus/dbus-gobject.c index bddcd1b..f130bb6 100644 --- a/dbus/dbus-gobject.c +++ b/dbus/dbus-gobject.c @@ -2498,12 +2498,12 @@ void dbus_g_connection_unregister_g_object (DBusGConnection *connection, GObject *object) { - GList *registrations, *iter; + GSList *registrations, *iter; /* Copy the list before iterating it: it will be modified in * object_registration_free() each time an object path is unregistered. */ - registrations = g_list_copy (g_object_get_data (object, "dbus_glib_object_registrations")); + registrations = g_slist_copy (g_object_get_data (object, "dbus_glib_object_registrations")); g_return_if_fail (registrations != NULL); @@ -2514,7 +2514,7 @@ dbus_g_connection_unregister_g_object (DBusGConnection *connection, o->object_path); } - g_list_free (registrations); + g_slist_free (registrations); g_assert (g_object_get_data (object, "dbus_glib_object_registrations") == NULL); } -- 1.7.4.4