Thu, 19 Dec 2019 10:46:28 +0100
fix a heap-use-after-free in jabber_push_bytes_cb
--- a/libpurple/protocols/jabber/jabber.c Sun Nov 10 16:29:55 2019 +0100
+++ b/libpurple/protocols/jabber/jabber.c Thu Dec 19 10:46:28 2019 +0100
@@ -1599,8 +1599,18 @@
 jabber_bosh_connection_destroy(js->bosh);
 js->bosh = NULL;
 } else if (js->output != NULL) {
- jabber_send_raw(js, "</stream:stream>", -1);
-
+ /* We should emit the stream termination message here
+ * normally, but since we destroy the jabber stream just
+ * after, it has no way to effectively go out on the
+ * wire. Moreover, it causes a connection lost error in
+ * the output queued stream that triggers an
+ * heap-use-after-free error in jabber_push_bytes_cb().
+ *
+ * This case happens when disabling the jabber account
+ * from the dialog box.
+ *
+ * jabber_send_raw(js, "</stream:stream>", -1);
+ */
 if(js->inpa) {
 g_source_remove(js->inpa);
 js->inpa = 0;
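Review bot: The use-after-free in jabber_push_bytes_cb() is avoided here only by no longer queuing the `</stream:stream>` write in the `js->output != NULL` branch; the callback itself is not changed in this hunk, so any other write still pending on the queued output stream when the stream is destroyed could presumably reach the same freed state. The durable fix belongs in the teardown/callback pair: cancel or drain outstanding writes before the stream is freed, and have the callback return without touching `js` once teardown has begun. Dropping the close tag also means the server sees the connection drop rather than an orderly stream end, which is worth stating in the comment. I would replace the commented-out call with a marker such as `/* TODO: restore the stream close once jabber_push_bytes_cb() is safe against teardown */`. The enclosing function starts and ends outside the hunk.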