[at-spi2-core/gnome-3-34] Fix use after free when an event listener is destroyed



commit b3a9168eea65a6550d58002984668cdb1a8619ae
Author: Mike Gorse <mgorse suse com>
Date:   Tue Jun 16 15:17:39 2020 -0500

    Fix use after free when an event listener is destroyed
    
    Properly remove event listeners from the list when they are deregistered.
    Fixes a crash that can happen when orca exits. Similar issue to
    https://gitlab.gnome.org/GNOME/at-spi2-core/issues/22

 atspi/atspi-event-listener.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
---
diff --git a/atspi/atspi-event-listener.c b/atspi/atspi-event-listener.c
index 249890b..d85321c 100644
--- a/atspi/atspi-event-listener.c
+++ b/atspi/atspi-event-listener.c
@@ -815,12 +815,9 @@ atspi_event_listener_deregister_from_callback (AtspiEventListenerCB callback,
         is_superset (name, e->name) &&
         is_superset (detail, e->detail))
     {
-      gboolean need_replace;
       DBusMessage *message, *reply;
-      need_replace = (l == event_listeners);
-      l = g_list_remove (l, e);
-      if (need_replace)
-        event_listeners = l;
+      l = g_list_next (l);
+      event_listeners = g_list_remove (event_listeners, e);
       for (i = 0; i < matchrule_array->len; i++)
       {
        char *matchrule = g_ptr_array_index (matchrule_array, i);
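Review bot: After `l = g_list_next (l);` the cursor points at the following node for the rest of this branch, so the fix holds only if nothing before `listener_entry_free (e)` can remove that node from `event_listeners`. The D-Bus message/reply handling sits in lines outside the hunk; if it can dispatch callbacks that deregister listeners, `l` could dangle in the same way, and that path is worth confirming. The order of the two added lines is what prevents the use after free and nothing says so; a comment such as `/* advance first: g_list_remove() frees the node l points at */` would guard against a later reorder. Since the node is already in hand, `GList *next = l->next; event_listeners = g_list_delete_link (event_listeners, l); l = next;` would unlink exactly this node instead of rescanning the list by data pointer. The enclosing loop and function start above the hunk and the branch continues past its last line.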
@@ -839,7 +836,8 @@ atspi_event_listener_deregister_from_callback (AtspiEventListenerCB callback,
 
       listener_entry_free (e);
     }
-    else l = g_list_next (l);
+    else
+      l = g_list_next (l);
   }
   g_free (category);
   g_free (name);

