[glib/glib-2-30] g_data_set_internal: avoid use-after-free if datalist is in dataset



commit 78c358a48d5dadf49577169bbe3a4190615ca9e0
Author: Simon McVittie <simon mcvittie collabora co uk>
Date:   Tue Dec 13 14:44:18 2011 +0000

    g_data_set_internal: avoid use-after-free if datalist is in dataset
    
    Removing the last thing in a dataset frees the dataset, and if the
    datalist was in a dataset, we can't safely unlock it after the dataset
    has been freed. Unlock it sooner.
    
    Signed-off-by: Simon McVittie <simon mcvittie collabora co uk>
    Bug: https://bugzilla.gnome.org/show_bug.cgi?id=666113
    Reviewed-by: Matthias Clasen <mclasen redhat com>

 glib/gdataset.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)
---
diff --git a/glib/gdataset.c b/glib/gdataset.c
index ce6d1b7..715b31d 100644
--- a/glib/gdataset.c
+++ b/glib/gdataset.c
@@ -386,6 +386,10 @@ g_data_set_internal (GData	  **datalist,
 		    {
 		      G_DATALIST_SET_POINTER (datalist, NULL);
 		      g_free (d);
+		      /* datalist may be situated in dataset, so must not be
+		       * unlocked after we free it
+		       */
+		      g_datalist_unlock (datalist);
 
 		      /* the dataset destruction *must* be done
 		       * prior to invocation of the data destroy function
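Review bot: the added comment says the datalist may live inside the dataset but not why dropping the lock before `g_dataset_destroy_internal` is safe; the reason is that `G_DATALIST_SET_POINTER (datalist, NULL)` two lines earlier already emptied the list while the lock was still held, so nothing reachable through `*datalist` refers to the freed `d` once the lock is released. Suggest extending the comment to state that invariant, e.g. `/* the list is already empty (pointer set to NULL above), so the lock can be dropped before the dataset, which may contain this datalist, is destroyed */`. The hunk does not show what serializes other users of the dataset against its destruction once this lock is gone, so a sentence on that in the comment or commit message would help a later reader.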
@@ -393,8 +397,10 @@ g_data_set_internal (GData	  **datalist,
 		      if (dataset)
 			g_dataset_destroy_internal (dataset);
 		    }
-
-		  g_datalist_unlock (datalist);
+		  else
+		    {
+		      g_datalist_unlock (datalist);
+		    }
 
 		  /* We found and removed an old value
 		   * the GData struct *must* already be unlinked
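Review bot: the new `else` branch wraps a single `g_datalist_unlock (datalist);` in braces while the `if (dataset)` two lines above leaves its single statement unbraced; either form is fine, but the two should match within one function. The control flow is correct: with the unconditional unlock removed, exactly one of the two branches unlocks on every path through this block, and the unlock in the empty-list branch now happens before the memory that may hold `datalist` is freed.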


