authorSimon McVittie <smcv@debian.org>2017-01-26 20:27:33 +0000
committerRichard Hughes <richard@hughsie.com>2017-01-26 20:27:33 +0000
commitc8777211378b38f6ac5fdc724965baad18d123b0 (patch)
treeb98406ee32aa697aac1edbd37a2af8b2712abac6
parentd2c446bf250b07d8f444531ca527c3edcdec1f13 (diff)
downloadappstream-glib-c8777211378b38f6ac5fdc724965baad18d123b0.tar.gz
AsStore: hold a ref in hash_unique_id to avoid use-after-free (#149)
If we rely on the reference here being "borrowed" from priv->array, then it's easy for that assumption to become unjustified. This caused a crash for me in as_store_remove_app_by_id, which removes the app from priv->array before it removes it from priv->hash_unique_id; if no other code is holding a ref to the same app, then as_app_get_unique_id() will be a use-after-free. Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
-rw-r--r--libappstream-glib/as-store.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libappstream-glib/as-store.c b/libappstream-glib/as-store.c
index e1e9ce8..84b6292 100644
--- a/libappstream-glib/as-store.c
+++ b/libappstream-glib/as-store.c
@@ -1217,7 +1217,7 @@ as_store_add_app (AsStore *store, AsApp *app)
g_ptr_array_add (priv->array, g_object_ref (app));
g_hash_table_insert (priv->hash_unique_id,
(gpointer) as_app_get_unique_id (app),
- app);
+ g_object_ref (app));
pkgnames = as_app_get_pkgnames (app);
for (i = 0; i < pkgnames->len; i++) {
pkgname = g_ptr_array_index (pkgnames, i);
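Review bot: The key passed on the `g_hash_table_insert` line is still borrowed from the app's own string (`as_app_get_unique_id (app)`), and `g_hash_table_insert` retains the old key when a key is already present, so if a second app with the same unique id were ever added, the table would keep the first app's string as key while its value-destroy function (now `g_object_unref`, second hunk) drops the table's ref to that first app. Switching to `g_hash_table_replace (priv->hash_unique_id, (gpointer) as_app_get_unique_id (app), g_object_ref (app));` keeps key and value tied to the same object. Whether a duplicate can reach this line is not visible in the hunk; the code preceding line 1217 may already reject it. On the `g_hash_table_new_full` call in the second hunk I would document the ownership the NULL key-destroy now relies on: `/* key is owned by the AsApp value, which the table holds a ref to */`. as_store_add_app continues outside the hunk.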
@@ -3416,7 +3416,7 @@ as_store_init (AsStore *store)
priv->hash_unique_id = g_hash_table_new_full (g_str_hash,
g_str_equal,
NULL,
- NULL);
+ g_object_unref);
priv->hash_pkgname = g_hash_table_new_full (g_str_hash,
g_str_equal,
g_free,