From b3a9168eea65a6550d58002984668cdb1a8619ae Mon Sep 17 00:00:00 2001
From: Mike Gorse
Date: Tue, 16 Jun 2020 15:17:39 -0500
Subject: Fix use after free when an event listener is destroyed

Properly remove event listeners from the list when they are deregistered. Fixes a crash that can happen when orca exits. Similar issue to https://gitlab.gnome.org/GNOME/at-spi2-core/issues/22
---
 atspi/atspi-event-listener.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/atspi/atspi-event-listener.c b/atspi/atspi-event-listener.c
index 249890b6..d85321cd 100644
--- a/atspi/atspi-event-listener.c
+++ b/atspi/atspi-event-listener.c
@@ -815,12 +815,9 @@ atspi_event_listener_deregister_from_callback (AtspiEventListenerCB callback,
 is_superset (name, e->name) &&
 is_superset (detail, e->detail))
 {
- gboolean need_replace;
 DBusMessage *message, *reply;
- need_replace = (l == event_listeners);
- l = g_list_remove (l, e);
- if (need_replace)
- event_listeners = l;
+ l = g_list_next (l);
+ event_listeners = g_list_remove (event_listeners, e);
 for (i = 0; i < matchrule_array->len; i++)
 {
 char *matchrule = g_ptr_array_index (matchrule_array, i);
@@ -839,7 +836,8 @@ atspi_event_listener_deregister_from_callback (AtspiEventListenerCB callback,
 listener_entry_free (e);
 }
- else l = g_list_next (l);
+ else
+ l = g_list_next (l);
 }
 g_free (category);
 g_free (name);
-- cgit v1.2.1
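Review bot: In the first hunk the order of the two added lines is what keeps the loop cursor valid, and nothing in the code records that. Assuming `e` is `l->data` (assigned above the hunk), `g_list_remove (event_listeners, e)` frees the node `l` was pointing at, so `l = g_list_next (l)` has to stay first; a comment such as `/* step past this node before g_list_remove frees it */` above the pair would keep a later tidy-up from swapping them. `g_list_remove` also rescans from the head and drops the first node whose data equals `e`; saving the next pointer and calling `g_list_delete_link (event_listeners, l)` on the current link would unlink exactly this node without the search. The loop header and the rest of atspi_event_listener_deregister_from_callback lie outside the hunk.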