Fix use after free when an event listener is destroyedgnome-3-34

Properly remove event listeners from the list when they are deregistered. Fixes a crash that can happen when orca exits. Similar issue to https://gitlab.gnome.org/GNOME/at-spi2-core/issues/22
author: Mike Gorse <mgorse@suse.com> 2020-06-16 15:17:39 -0500
committer: Mike Gorse <mgorse@suse.com> 2020-06-16 15:20:08 -0500
commit: b3a9168eea65a6550d58002984668cdb1a8619ae (patch)
tree: 3534852129f4af4cfadda3600c73b1beccdc832e
parent: fe08837fcfda9017283184cec483015e64b14a12 (diff)
download: at-spi2-core-gnome-3-34.tar.gz
1 files changed, 4 insertions, 6 deletions
diff --git a/atspi/atspi-event-listener.c b/atspi/atspi-event-listener.c
index 249890b6..d85321cd 100644
--- a/atspi/atspi-event-listener.c
+++ b/atspi/atspi-event-listener.c
@@ -815,12 +815,9 @@ atspi_event_listener_deregister_from_callback (AtspiEventListenerCB callback,
         is_superset (name, e->name) &&
         is_superset (detail, e->detail))
     {
-      gboolean need_replace;
       DBusMessage *message, *reply;
-      need_replace = (l == event_listeners);
-      l = g_list_remove (l, e);
-      if (need_replace)
-        event_listeners = l;
+      l = g_list_next (l);
+      event_listeners = g_list_remove (event_listeners, e);
       for (i = 0; i < matchrule_array->len; i++)
       {
 	char *matchrule = g_ptr_array_index (matchrule_array, i);
@@ -839,7 +836,8 @@ atspi_event_listener_deregister_from_callback (AtspiEventListenerCB callback,
 
       listener_entry_free (e);
     }
-    else l = g_list_next (l);
+    else
+      l = g_list_next (l);
   }
   g_free (category);
   g_free (name);
author	Mike Gorse <mgorse@suse.com>	2020-06-16 15:17:39 -0500
committer	Mike Gorse <mgorse@suse.com>	2020-06-16 15:20:08 -0500
commit	b3a9168eea65a6550d58002984668cdb1a8619ae (patch)
tree	3534852129f4af4cfadda3600c73b1beccdc832e
parent	fe08837fcfda9017283184cec483015e64b14a12 (diff)
download	at-spi2-core-gnome-3-34.tar.gz