diff options
author | Miloslav Trmač <mitr@redhat.com> | 2015-04-14 22:27:41 +0200 |
---|---|---|
committer | Miloslav Trmač <mitr@redhat.com> | 2015-06-23 18:57:56 +0200 |
commit | efb6cd56a423ba15bb1f44ee3c4987aad5a5fd45 (patch) | |
tree | 845078be27b984924f7f1183a64d668a3811a169 | |
parent | 9f5e0c731784003bd4d6fc75ab739ff8b2ea269f (diff) | |
download | polkit-efb6cd56a423ba15bb1f44ee3c4987aad5a5fd45.tar.gz |
Fix use-after-free in polkitagentsession.c
PolkitAgentTextListener's "completed" handler drops the last reference
to the session; in fact this is explicitly recommended in the signal's
documentation. So we must not access any members of session after
emitting the signal.
Found while dealing with
https://bugs.freedesktop.org/show_bug.cgi?id=69501
-rw-r--r-- | src/polkitagent/polkitagentsession.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/polkitagent/polkitagentsession.c b/src/polkitagent/polkitagentsession.c index 8b93ad0..895d75e 100644 --- a/src/polkitagent/polkitagentsession.c +++ b/src/polkitagent/polkitagentsession.c @@ -412,8 +412,9 @@ complete_session (PolkitAgentSession *session, { if (G_UNLIKELY (_show_debug ())) g_print ("PolkitAgentSession: emitting ::completed(%s)\n", result ? "TRUE" : "FALSE"); - g_signal_emit_by_name (session, "completed", result); session->have_emitted_completed = TRUE; + /* Note that the signal handler may drop the last reference to session. */ + g_signal_emit_by_name (session, "completed", result); } } |