| author | Simon McVittie <smcv@debian.org> | 2017-01-26 20:27:33 +0000 |
|---|---|---|
| committer | Richard Hughes <richard@hughsie.com> | 2017-01-26 20:27:33 +0000 |
| commit | c8777211378b38f6ac5fdc724965baad18d123b0 (patch) | |
| tree | b98406ee32aa697aac1edbd37a2af8b2712abac6 /libappstream-glib/as-store.c | |
| parent | d2c446bf250b07d8f444531ca527c3edcdec1f13 (diff) | |
| download | appstream-glib-c8777211378b38f6ac5fdc724965baad18d123b0.tar.gz | |
AsStore: hold a ref in hash_unique_id to avoid use-after-free (#149)
If we rely on the reference here being "borrowed" from priv->array,
then it's easy for that assumption to become unjustified. This
caused a crash for me in as_store_remove_app_by_id, which removes
the app from priv->array before it removes it from
priv->hash_unique_id; if no other code is holding a ref to the same
app, then as_app_get_unique_id() will be a use-after-free.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Diffstat (limited to 'libappstream-glib/as-store.c')

| -rw-r--r-- | libappstream-glib/as-store.c | 4 |
|---|---|---|

1 files changed, 2 insertions, 2 deletions
diff --git a/libappstream-glib/as-store.c b/libappstream-glib/as-store.c index e1e9ce8..84b6292 100644 --- a/libappstream-glib/as-store.c +++ b/libappstream-glib/as-store.c @@ -1217,7 +1217,7 @@ as_store_add_app (AsStore *store, AsApp *app) g_ptr_array_add (priv->array, g_object_ref (app)); g_hash_table_insert (priv->hash_unique_id, (gpointer) as_app_get_unique_id (app), - app); + g_object_ref (app)); pkgnames = as_app_get_pkgnames (app); for (i = 0; i < pkgnames->len; i++) { pkgname = g_ptr_array_index (pkgnames, i); @@ -3416,7 +3416,7 @@ as_store_init (AsStore *store) priv->hash_unique_id = g_hash_table_new_full (g_str_hash, g_str_equal, NULL, - NULL); + g_object_unref); priv->hash_pkgname = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, |
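Review bot: in the first hunk (as_store_add_app), the value now carries its own reference but the key is still the string borrowed from the app via `as_app_get_unique_id (app)`, so the key's lifetime is tied to the value ref rather than to the table; that is sound only while each entry goes away together with its value. If the same unique id can already be present, `g_hash_table_insert` keeps the old key pointer and unrefs the old value, and if that unref drops the last reference the retained key points into a freed AsApp. Either ensure the id is absent before this call or use `g_hash_table_replace`, which installs the new key owned by the app now held as the value.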
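Review bot: in the second hunk (as_store_init), installing `g_object_unref` as the value destroy function means `g_hash_table_remove`, an insert over an existing key, and the table's final unref in the store finalizer each drop a reference, so every other site in as-store.c that removes entries with `g_hash_table_steal` or that inserts into `priv->hash_unique_id` without taking a ref needs to be audited, otherwise the table now leaks or double-unrefs. The key destroy function is correctly left `NULL` because the key string is owned by the AsApp held as the value; a one-line comment next to this `g_hash_table_new_full` call saying so would spare the next reader the investigation the commit message describes.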