_g_dbus_worker_new: ref worker until after _g_dbus_worker_thread_begin_func

Otherwise, if the caller of _g_dbus_worker_new immediately unrefs the worker, calling _g_dbus_worker_thread_begin_func in the worker thread could be a use-after-free. Bug: https://bugzilla.gnome.org/show_bug.cgi?id=651268 Bug-NB: NB#271520 Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Signed-off-by: David Zeuthen <davidz@redhat.com>
author: Simon McVittie <simon.mcvittie@collabora.co.uk> 2011-09-12 18:44:58 +0100
committer: David Zeuthen <davidz@redhat.com> 2011-09-16 12:07:04 -0400
commit: f021522b9648d21fcfcf2bb066ede0ce3a0e9a99 (patch)
tree: feba8b9f1fc47e5e13100851f912efd0d054e768
parent: e128c045eba9508982da133c3fda9e0d7b0588ba (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/gio/gdbusprivate.c b/gio/gdbusprivate.c
index 0cfffbb05..ea902c6de 100644
--- a/gio/gdbusprivate.c
+++ b/gio/gdbusprivate.c
@@ -1606,6 +1606,8 @@ _g_dbus_worker_thread_begin_func (gpointer user_data)
 
   /* begin reading */
   _g_dbus_worker_do_read (worker);
+
+  _g_dbus_worker_unref (worker);
 }
 
 GDBusWorker *
@@ -1646,7 +1648,8 @@ _g_dbus_worker_new (GIOStream                              *stream,
   if (G_IS_SOCKET_CONNECTION (worker->stream))
     worker->socket = g_socket_connection_get_socket (G_SOCKET_CONNECTION (worker->stream));
 
-  _g_dbus_shared_thread_ref (_g_dbus_worker_thread_begin_func, worker);
+  _g_dbus_shared_thread_ref (_g_dbus_worker_thread_begin_func,
+                             _g_dbus_worker_ref (worker));
 
   return worker;
 }
author	Simon McVittie <simon.mcvittie@collabora.co.uk>	2011-09-12 18:44:58 +0100
committer	David Zeuthen <davidz@redhat.com>	2011-09-16 12:07:04 -0400
commit	f021522b9648d21fcfcf2bb066ede0ce3a0e9a99 (patch)
tree	feba8b9f1fc47e5e13100851f912efd0d054e768
parent	e128c045eba9508982da133c3fda9e0d7b0588ba (diff)