[glib: 1/3] gdbus: Fix a potential use-after-free on connection close. Fixes #1686



commit 067992f8dedd11651e624921129cd0ffb099180f
Author: Christoph Reiter <creiter src gnome org>
Date:   Thu Feb 14 04:16:18 2019 +0100

    gdbus: Fix a potential use-after-free on connection close. Fixes #1686
    
    512e9b3b34d added a call to schedule_pending_close() in the read
    callback after the reference to the worker is already gone. In case this was
    the last reference to the worker this resulted in a use-after-free.
    
    6f3d57d2ee2 made this more likely to happen because on connection close
    the worker cancel action is now async while the reference to the worker
    gets dropped right away.
    
    Move the call to schedule_pending_close() before the unref.
    
    Fixes #1686

 gio/gdbusprivate.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
---
diff --git a/gio/gdbusprivate.c b/gio/gdbusprivate.c
index c2a04ae12..1e8e1d64b 100644
--- a/gio/gdbusprivate.c
+++ b/gio/gdbusprivate.c
@@ -809,11 +809,11 @@ _g_dbus_worker_do_read_cb (GInputStream  *input_stream,
  out:
   g_mutex_unlock (&worker->read_lock);
 
-  /* gives up the reference acquired when calling g_input_stream_read_async() */
-  _g_dbus_worker_unref (worker);
-
   /* check if there is any pending close */
   schedule_pending_close (worker);
+
+  /* gives up the reference acquired when calling g_input_stream_read_async() */
+  _g_dbus_worker_unref (worker);
 }
 
 /* called in private thread shared by all GDBusConnection instances (with read-lock held) */
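Review bot: The ordering at the end of _g_dbus_worker_do_read_cb is now load-bearing, but the comment on the final _g_dbus_worker_unref (worker) only explains where the reference came from. Suggest extending it to say that this may drop the last reference, so nothing may touch worker after it. That keeps a later change from adding a call such as schedule_pending_close (worker) below the unref again. It is also worth confirming that schedule_pending_close takes its own reference if it defers any work on worker, since the callback's reference is released as soon as it returns.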

