[glib/glib-2-28] _g_dbus_worker_new: ref worker until after _g_dbus_worker_thread_begin_func



commit f021522b9648d21fcfcf2bb066ede0ce3a0e9a99
Author: Simon McVittie <simon mcvittie collabora co uk>
Date:   Mon Sep 12 18:44:58 2011 +0100

    _g_dbus_worker_new: ref worker until after _g_dbus_worker_thread_begin_func
    
    Otherwise, if the caller of _g_dbus_worker_new immediately unrefs the
    worker, calling _g_dbus_worker_thread_begin_func in the worker thread
    could be a use-after-free.
    
    Bug: https://bugzilla.gnome.org/show_bug.cgi?id=651268
    Bug-NB: NB#271520
    Signed-off-by: Simon McVittie <simon mcvittie collabora co uk>
    Signed-off-by: David Zeuthen <davidz redhat com>

 gio/gdbusprivate.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)
---
diff --git a/gio/gdbusprivate.c b/gio/gdbusprivate.c
index 0cfffbb..ea902c6 100644
--- a/gio/gdbusprivate.c
+++ b/gio/gdbusprivate.c
@@ -1606,6 +1606,8 @@ _g_dbus_worker_thread_begin_func (gpointer user_data)
 
   /* begin reading */
   _g_dbus_worker_do_read (worker);
+
+  _g_dbus_worker_unref (worker);
 }
 
 GDBusWorker *
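Review bot: The `_g_dbus_worker_unref (worker);` added as the last statement of `_g_dbus_worker_thread_begin_func` only balances the new reference if every path through the function reaches it. The body starts outside this hunk, so any earlier `return` would need checking, since it would leak the worker. This unref may also drop the last reference when the caller has already released its own, in which case finalization presumably runs on the shared worker thread; it is worth confirming the finalizer is safe in that context. The pairing should be recorded at the call, e.g. `/* drop the ref taken in _g_dbus_worker_new() to keep worker alive for this callback */`.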
@@ -1646,7 +1648,8 @@ _g_dbus_worker_new (GIOStream                              *stream,
   if (G_IS_SOCKET_CONNECTION (worker->stream))
     worker->socket = g_socket_connection_get_socket (G_SOCKET_CONNECTION (worker->stream));
 
-  _g_dbus_shared_thread_ref (_g_dbus_worker_thread_begin_func, worker);
+  _g_dbus_shared_thread_ref (_g_dbus_worker_thread_begin_func,
+                             _g_dbus_worker_ref (worker));
 
   return worker;
 }
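Review bot: The reference taken by `_g_dbus_worker_ref (worker)` in the call to `_g_dbus_shared_thread_ref` is handed to the queued callback, but nothing at the call site says who releases it. If `_g_dbus_shared_thread_ref` can ever discard the callback without invoking it (its body is not visible here), that reference is never dropped and the worker leaks. The argument also relies on `_g_dbus_worker_ref` returning the same pointer it is given, which the hunk does not show. I would add `/* callback owns this ref; released at the end of _g_dbus_worker_thread_begin_func */` above the call. `_g_dbus_worker_new` begins outside the hunk.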


