[gjs] function: Release out args before freeing caller allocated structs



commit eb13ed471cbc5885824185ed7ffe375ce78ded22
Author: Florian Müllner <fmuellner gnome org>
Date:   Mon Jul 4 19:50:40 2016 +0200

    function: Release out args before freeing caller allocated structs
    
    If an out arg is caller allocated, we need to free the memory we
    allocated for it (for instance a GValue), but also release any
    memory allocated for struct members (for instance a string held by
    a GValue). We currently do these operations in this order, so the
    pointer used for releasing the argument points to memory invalidated
    by the earlier free call, which is likely to crash. To fix, reverse
    the order of the operations to first release the argument and then
    free the caller-allocated struct.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=768413

 gi/function.cpp |   34 +++++++++++++++++-----------------
 1 files changed, 17 insertions(+), 17 deletions(-)
---
diff --git a/gi/function.cpp b/gi/function.cpp
index f38b64b..fd9929c 100644
--- a/gi/function.cpp
+++ b/gi/function.cpp
@@ -1201,6 +1201,23 @@ release:
             if (arg_failed)
                 postinvoke_release_failed = TRUE;
 
+            /* Free GArgument, the jsval should have ref'd or copied it */
+            transfer = g_arg_info_get_ownership_transfer(&arg_info);
+            if (!arg_failed) {
+                if (array_length_pos >= 0) {
+                    gjs_g_argument_release_out_array(context,
+                                                     transfer,
+                                                     &arg_type_info,
+                                                     JSVAL_TO_INT(array_length),
+                                                     arg);
+                } else {
+                    gjs_g_argument_release(context,
+                                           transfer,
+                                           &arg_type_info,
+                                           arg);
+                }
+            }
+
             /* For caller-allocates, what happens here is we allocate
              * a structure above, then gjs_value_from_g_argument calls
              * g_boxed_copy on it, and takes ownership of that.  So
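Review bot: The ordering this hunk relies on — the GArgument has to be released while the caller-allocated struct is still alive, because `arg` points into memory that the free further down invalidates — is recorded only in the commit message, and the comment carried over from the old location ("Free GArgument, the jsval should have ref'd or copied it") says nothing about it, so a later tidy-up could move the block back below the free and reintroduce the crash this commit fixes. I would extend that comment to `/* Release the GArgument first: for caller-allocated out args, arg points into the struct freed below, so this must run before that free. The jsval should have ref'd or copied the value. */`. The `if (!arg_failed)` guard also means a failed conversion skips the release entirely; whether the struct members then leak or are cleaned up on another path is not visible in this hunk and predates the change. The enclosing function starts and ends outside the hunk, and the matching removal is the second hunk.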
@@ -1232,23 +1249,6 @@ release:
                 g_base_info_unref((GIBaseInfo*)interface_info);
             }
 
-            /* Free GArgument, the jsval should have ref'd or copied it */
-            transfer = g_arg_info_get_ownership_transfer(&arg_info);
-            if (!arg_failed) {
-                if (array_length_pos >= 0) {
-                    gjs_g_argument_release_out_array(context,
-                                                     transfer,
-                                                     &arg_type_info,
-                                                     JSVAL_TO_INT(array_length),
-                                                     arg);
-                } else {
-                    gjs_g_argument_release(context,
-                                           transfer,
-                                           &arg_type_info,
-                                           arg);
-                }
-            }
-
             ++next_rval;
         }
     }

