[gimp] Bug 685445 - color-to-alpha plugin crashes (use-after-free)



commit 0a5059da519ce4831e485ecee37863306c445c73
Author: Michael Natterer <mitch gimp org>
Date:   Mon Oct 22 19:03:00 2012 +0200

    Bug 685445 - color-to-alpha plugin crashes (use-after-free)
    
    gimp_tile_put(): make sure we don't free libgimp's tile data twice in
    the non-SHM case. I could never reproduce the bug, but I'm pretty sure
    this fixes it. The change in gimpprotocol.c is just cleanup.

 libgimp/gimptile.c         |    3 +++
 libgimpbase/gimpprotocol.c |    7 ++++++-
 2 files changed, 9 insertions(+), 1 deletions(-)
---
diff --git a/libgimp/gimptile.c b/libgimp/gimptile.c
index fc3d261..470dafb 100644
--- a/libgimp/gimptile.c
+++ b/libgimp/gimptile.c
@@ -274,6 +274,9 @@ gimp_tile_put (GimpTile *tile)
   if (! gp_tile_data_write (_writechannel, &tile_data, NULL))
     gimp_quit ();
 
+  if (! tile_info->use_shm)
+    tile_data.data = NULL;
+
   gimp_wire_destroy (&msg);
 
   gimp_read_expect_msg (&msg, GP_TILE_ACK);
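Review bot: The added `tile_data.data = NULL;` clears a field of `tile_data`, which is accessed with `.` and passed by address to `gp_tile_data_write()`, while the `gimp_wire_destroy (&msg)` that follows frees through `msg`. The hunk shows no link between the two objects, so it is not evident from here that this removes the double free. If `tile_data.data` only borrows the tile's buffer, as the commit message implies, a comment above the check should say so, e.g. `/* tile_data.data is borrowed from the tile in the non-SHM case; drop it so no destroy path frees it */`. Since the message states the crash was never reproduced, running the plug-in with SHM disabled under a memory checker would confirm whether the use-after-free is actually gone. gimp_tile_put's body starts and ends outside the hunk.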
diff --git a/libgimpbase/gimpprotocol.c b/libgimpbase/gimpprotocol.c
index ab0bdc8..4b61bc7 100644
--- a/libgimpbase/gimpprotocol.c
+++ b/libgimpbase/gimpprotocol.c
@@ -833,7 +833,12 @@ _gp_tile_data_destroy (GimpWireMessage *msg)
 
   if  (tile_data)
     {
-      g_free (tile_data->data);
+      if (tile_data->data)
+        {
+          g_free (tile_data->data);
+          tile_data->data = NULL;
+        }
+
       g_slice_free (GPTileData, tile_data);
     }
 }
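Review bot: The new `if (tile_data->data)` guard adds nothing, because `g_free()` already accepts NULL; the same effect is `g_free (tile_data->data); tile_data->data = NULL;`. Clearing the field also protects little here, since the struct that holds it is released by `g_slice_free()` on the next statement. A second destroy of the same message would still reach freed memory unless the message's own pointer is reset, which the hunk does not show. _gp_tile_data_destroy starts outside the hunk, so how `tile_data` is obtained from `msg` is not visible.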


