authorSascha Silbe <silbe@activitycentral.com>2012-05-22 21:10:49 +0200
committerRichard Hughes <richard@hughsie.com>2012-05-30 16:19:25 +0100
commit79c11814cd9392ae928a7352f496dbe7a0aacd67 (patch)
tree93121f34cce2f340d16d6f57c968bcc8d9c32e45
parenta75501f9d12da32690a91410b0e4d1ed020e01f6 (diff)
Fix use-after-free of qos item
up_qos_init() registers a destroyer callback for the qos item array, so the current item will be gone after the calls to g_ptr_array_remove(). By storing the item kind in a local variable we can pass it to up_qos_latency_perhaps_changed() later. Delaying the removal from the array is not an option as up_qos_latency_perhaps_changed() scans that array to re-evaluate the target latency. Signed-off-by: Richard Hughes <richard@hughsie.com>
-rw-r--r--src/up-qos.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/up-qos.c b/src/up-qos.c
index 9484931..167ba2a 100644
--- a/src/up-qos.c
+++ b/src/up-qos.c
@@ -355,6 +355,7 @@ up_qos_cancel_request (UpQos *qos, guint cookie, DBusGMethodInvocation *context)
GError *error;
gchar *sender = NULL;
PolkitSubject *subject = NULL;
+ UpQosKind item_kind;
/* find the correct cookie */
item = up_qos_find_from_cookie (qos, cookie);
@@ -387,8 +388,9 @@ up_qos_cancel_request (UpQos *qos, guint cookie, DBusGMethodInvocation *context)
g_debug ("Clear #%i", cookie);
/* remove object from list */
+ item_kind = up_qos_item_get_kind (item);
g_ptr_array_remove (qos->priv->data, item);
- up_qos_latency_perhaps_changed (qos, up_qos_item_get_kind (item));
+ up_qos_latency_perhaps_changed (qos, item_kind);
/* TODO: if persistent remove from datadase */
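Review bot: The added `item_kind = up_qos_item_get_kind (item);` has no comment saying why the kind must be read before `g_ptr_array_remove ()`, so a later tidy-up could fold the getter back into the call and reintroduce the use-after-free. I would add a comment above it such as `/* read the kind first: the array's destroy callback frees item on removal */`. The same comment fits the identical pair of lines in up_qos_remove_dbus. The body of up_qos_cancel_request starts and ends outside this hunk, so any other use of `item` after the removal cannot be checked from here.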
@@ -497,6 +499,7 @@ up_qos_remove_dbus (UpQos *qos, const gchar *sender)
guint i;
GPtrArray *data;
UpQosItem *item;
+ UpQosKind item_kind;
/* remove *any* senders that match the sender */
data = qos->priv->data;
@@ -504,8 +507,9 @@ up_qos_remove_dbus (UpQos *qos, const gchar *sender)
item = g_ptr_array_index (data, i);
if (strcmp (up_qos_item_get_sender (item), sender) == 0) {
g_debug ("Auto-revoked idle qos on %s", sender);
+ item_kind = up_qos_item_get_kind (item);
g_ptr_array_remove (qos->priv->data, item);
- up_qos_latency_perhaps_changed (qos, up_qos_item_get_kind (item));
+ up_qos_latency_perhaps_changed (qos, item_kind);
}
}
}
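Review bot: Removing the element inside the loop looks like it can skip the entry that follows a match, because `g_ptr_array_remove ()` shifts the later elements down by one slot. The `for` header is outside this hunk, but if it counts `i` upward, the item that moves into slot `i` is never examined. A sender holding two adjacent requests would then keep one of them after it disconnects, and that stale request would still be counted when the latency is re-evaluated. Walking the array from the last index down to 0 avoids this, as does adding `i--;` right after `up_qos_latency_perhaps_changed (qos, item_kind);` (well-defined for the unsigned `guint` even at index 0).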