[empathy] dispatcher_connection_new_requested_channel: fix a use-after-free crash

[Guillaume Desmottes <gdesmott src gnome org>]

commit 4219fa9dd2a048563bd6684a0bfba08dd1629759
Author: Guillaume Desmottes <guillaume desmottes collabora co uk>
Date:   Tue Feb 16 11:53:41 2010 +0000

    dispatcher_connection_new_requested_channel: fix a use-after-free crash
    
    If an error occurs when requesting the channel, we call
    dispatcher_request_failed which as the side effect of destroying the
    DispatcherRequestData. When calling dispatcher_flush_outstanding_operations
    we used to deference this pointer.
    Fixes this crash by using the "self" pointer instead and reffing it to be sure
    it stays valid.

 libempathy/empathy-dispatcher.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)
---
diff --git a/libempathy/empathy-dispatcher.c b/libempathy/empathy-dispatcher.c
index 201e484..70f97f9 100644
--- a/libempathy/empathy-dispatcher.c
+++ b/libempathy/empathy-dispatcher.c
@@ -1316,6 +1316,12 @@ dispatcher_connection_new_requested_channel (EmpathyDispatcher *self,
   EmpathyDispatchOperation *operation = NULL;
   ConnectionData *conn_data;
 
+  /* The DispatcherRequestData owns a ref on the self object. As the request
+   * data could be destroyed (when calling dispatcher_request_failed for
+   * example) we keep a ref on self to be sure it stays alive while we are
+   * executing this function. */
+  g_object_ref (self);
+
   conn_data = g_hash_table_lookup (priv->connections,
     request_data->connection);
 
@@ -1398,8 +1404,8 @@ dispatcher_connection_new_requested_channel (EmpathyDispatcher *self,
   g_object_unref (operation);
 
 out:
-  dispatcher_flush_outstanding_operations (request_data->dispatcher,
-    conn_data);
+  dispatcher_flush_outstanding_operations (self, conn_data);
+  g_object_unref (self);
 }
 
 static void