[buoh/fix-crashes-and-criticals: 1/2] Fix write after free in loader
commit da7003fc9f07999cd9237aef7c4acbfd21e68dd6
Author: Jan Tojnar <jtojnar gmail com>
Date:   Fri Jan 1 02:51:42 2021 +0100

    Fix write after free in loader
    
    BuohComicLoader holds a reference to BuohComicLoaderJob but when the job is
    cancelled or fails, the job object passed to the comic_loader thread gets unref’d,
    making the reference in BuohComicLoader invalid.
    
    When next job comic being loaded attempted to mark the previous job cancelled
    (in case it is still running), it would write into an already freed memory,
    frequently causing a crash.
    
    Let’s increase the reference count when passing the job to the thread to avoid that.
    
    Fixes: https://gitlab.gnome.org/GNOME/buoh/issues/8

 src/buoh-comic-loader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
---
diff --git a/src/buoh-comic-loader.c b/src/buoh-comic-loader.c
index d37e2eb..1cebdb1 100644
--- a/src/buoh-comic-loader.c
+++ b/src/buoh-comic-loader.c
@@ -316,7 +316,7 @@ buoh_comic_loader_load_comic (BuohComicLoader *loader,
 
         g_thread_new ("comic_loader",
                       (GThreadFunc) buoh_comic_loader_job_run,
-                      priv->job);
+                      g_object_ref (priv->job));
 }
 
 void
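Review bot: The new `g_object_ref (priv->job)` hands the thread its own reference, but nothing in this hunk shows the matching `g_object_unref` at the end of `buoh_comic_loader_job_run`; without it every job now leaks once the thread finishes, so the commit should either include that release or state that the thread function already drops its argument. Separately, the `GThread *` returned by `g_thread_new` is still discarded on the unchanged lines, which leaks the thread handle; consider `g_thread_unref (g_thread_new (...))` while touching this call.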