[evolution/gnome-3-22] Fix possible crash (use-after-free) under mail_send_receive()



commit 090d31a1f951407a73c34b24a3a7931c65d96ed7
Author: Milan Crha <mcrha redhat com>
Date:   Fri Nov 4 13:37:21 2016 +0100

    Fix possible crash (use-after-free) under mail_send_receive()
    
    It could happen that, at the end of the inner call to send_receive(),
    the local 'data' structure pointer was used after it had been freed,
    which could occur when all configured accounts failed to get the
    store. It could strike sometimes when going from offline to online.

 mail/mail-send-recv.c |   22 ++++++++++------------
 1 files changed, 10 insertions(+), 12 deletions(-)
---
diff --git a/mail/mail-send-recv.c b/mail/mail-send-recv.c
index 08b0d1e..7fd32ed 100644
--- a/mail/mail-send-recv.c
+++ b/mail/mail-send-recv.c
@@ -602,7 +602,7 @@ get_keep_on_server (CamelService *service)
        return keep_on_server;
 }
 
-static struct _send_data *
+static void
 build_dialog (GtkWindow *parent,
               EMailSession *session,
               CamelFolder *outbox,
@@ -860,8 +860,6 @@ build_dialog (GtkWindow *parent,
        g_object_weak_ref ((GObject *) gd, (GWeakNotify) dialog_destroy_cb, data);
 
        data->infos = list;
-
-       return data;
 }
 
 static void
@@ -1565,7 +1563,6 @@ send_receive (GtkWindow *parent,
 {
        CamelFolder *local_outbox;
        CamelService *transport;
-       struct _send_data *data;
        GList *scan, *siter;
 
        if (send_recv_dialog != NULL) {
@@ -1581,15 +1578,17 @@ send_receive (GtkWindow *parent,
                e_mail_session_get_local_folder (
                session, E_MAIL_LOCAL_FOLDER_OUTBOX);
 
-       data = build_dialog (
-               parent, session, local_outbox, transport, allow_send);
+       build_dialog (parent, session, local_outbox, transport, allow_send);
 
        if (transport != NULL)
                g_object_unref (transport);
 
        maybe_delete_junk_or_expunge_local_store (session);
 
-       scan = g_list_copy (data->infos);
+       if (!send_data)
+               return NULL;
+
+       scan = g_list_copy (send_data->infos);
 
        for (siter = scan; siter != NULL; siter = siter->next) {
                struct _send_info *info = siter->data;
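Review bot: The `if (!send_data) return NULL;` guard ahead of `g_list_copy (send_data->infos)` relies on an invariant nothing in the hunk states: that the file-scope `send_data` is set back to NULL whenever the structure is freed, presumably in free_send_data(), which is not shown. A comment at the guard would keep a later edit from caching the pointer in a local again, for example `/* send_data may be freed and reset to NULL by a callback; always re-read the global, never keep a local copy */`. The same invariant backs the `send_data && g_hash_table_size (send_data->active) == 0` test in the last hunk. It is also worth confirming that `dialog_destroy_cb`, registered with `data` through g_object_weak_ref() in build_dialog, cannot run after free_send_data() has released that structure. send_receive() begins and ends outside this hunk.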
@@ -1621,8 +1620,7 @@ send_receive (GtkWindow *parent,
                                send_done, info);
                        break;
                case SEND_UPDATE:
-                       receive_update_got_store (
-                               CAMEL_STORE (info->service), info);
+                       receive_update_got_store (CAMEL_STORE (info->service), info);
                        break;
                default:
                        break;
@@ -1631,9 +1629,9 @@ send_receive (GtkWindow *parent,
 
        g_list_free (scan);
 
-       if (g_hash_table_size (data->active) == 0) {
-               if (data->gd)
-                       gtk_widget_destroy ((GtkWidget *) data->gd);
+       if (send_data && g_hash_table_size (send_data->active) == 0) {
+               if (send_data->gd)
+                       gtk_widget_destroy ((GtkWidget *) send_data->gd);
                free_send_data ();
        }
 

