[gnome-panel] Use-after-free in panel_object_loader_stop_loading()



commit 686c3cf5c4dfa87b1bd04006c36cb2191eda41b3
Author: Milan Crha <mcrha redhat com>
Date:   Fri Oct 26 15:19:35 2012 +0200

    Use-after-free in panel_object_loader_stop_loading()
    
    https://bugzilla.gnome.org/show_bug.cgi?id=686445

 gnome-panel/panel-object-loader.c |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)
---
diff --git a/gnome-panel/panel-object-loader.c b/gnome-panel/panel-object-loader.c
index 4480c95..210506b 100644
--- a/gnome-panel/panel-object-loader.c
+++ b/gnome-panel/panel-object-loader.c
@@ -109,10 +109,15 @@ panel_object_loader_stop_loading (const char *id)
 {
         PanelObjectToLoad *object;
         GSList *l;
+        char *tmp_id;
+
+        /* because the 'id' can come from object->id, and
+           free_object_to_load() frees it, which makes 'id' invalid */
+        tmp_id = g_strdup (id);
 
         for (l = panel_objects_loading; l; l = l->next) {
                 object = l->data;
-                if (g_strcmp0 (object->id, id) == 0)
+                if (g_strcmp0 (object->id, tmp_id) == 0)
                         break;
         }
         if (l != NULL) {
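Review bot: The aliasing hazard is explained only by the comment beside the `g_strdup (id)` call, so a later cleanup that drops the seemingly redundant copy would reintroduce the dangling read in the second lookup loop. I would state the contract on the function itself, above `panel_object_loader_stop_loading (const char *id)`: `/* @id may alias the id of an object freed by this call; it is copied on entry and the original must not be read after the first free_object_to_load(). */`. The three hunks switch both `g_strcmp0` comparisons to `tmp_id`, but the lines between the hunks are not shown, so it is worth confirming that no remaining statement there still reads `id`. The function's signature sits above this hunk and its body continues past it.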
@@ -122,7 +127,7 @@ panel_object_loader_stop_loading (const char *id)
 
         for (l = panel_objects_to_load; l; l = l->next) {
                 object = l->data;
-                if (g_strcmp0 (object->id, id) == 0)
+                if (g_strcmp0 (object->id, tmp_id) == 0)
                         break;
         }
         if (l != NULL) {
@@ -130,6 +135,8 @@ panel_object_loader_stop_loading (const char *id)
                 free_object_to_load (object);
         }
 
+        g_free (tmp_id);
+
         if (panel_objects_loading == NULL && panel_objects_to_load == NULL)
                 panel_object_loader_queue_initial_unhide_toplevels (NULL);
 }


