path: root/gjs/jsapi-util-root.h
author: Philip Chimento <philip.chimento@gmail.com> 2017-06-11 12:59:12 -0700
committer: Philip Chimento <philip@endlessm.com> 2017-06-15 17:02:57 -0700
commit: 53e0c86ee955c0a0cca8563786ca3c312b50e1f0 (patch)
tree: 96a834abf6c65bc8673b28075891d68279ac4092 /gjs/jsapi-util-root.h
parent: d4fdcb3a51881d4ea6863b9050290e101907738b (diff)
util-root: Require GjsMaybeOwned callback to reset
In the case of a closure, the GjsMaybeOwned object is embedded as part of struct Closure. The context destroy notify callback will invalidate the closure, which frees the GjsMaybeOwned object, causing a use-after-free when the callback returns and calls reset().

In practice we did not need to call reset() after the callback returns; all existing callbacks already call reset(). This patch adds a requirement that the callback *must* call reset(), and only calls it internally if there was no callback set.

https://bugzilla.gnome.org/show_bug.cgi?id=781799
Diffstat (limited to 'gjs/jsapi-util-root.h')
-rw-r--r-- gjs/jsapi-util-root.h | 7
1 files changed, 4 insertions, 3 deletions
diff --git a/gjs/jsapi-util-root.h b/gjs/jsapi-util-root.h
index 1bdf0295..543f5373 100644
--- a/gjs/jsapi-util-root.h
+++ b/gjs/jsapi-util-root.h
@@ -170,11 +170,12 @@ private:
* to remove it. */
m_has_weakref = false;
- /* The object is still live across this callback. */
+ /* The object is still live entering this callback. The callback
+ * must reset() this wrapper. */
if (m_notify)
m_notify(handle(), m_data);
-
- reset();
+ else
+ reset();
}
public:
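Review bot: The new contract in this hunk is enforced only by a comment inside a private member function, and that comment does not say why the callback must reset(): per the commit message, the callback may free the wrapper itself, so after `m_notify(handle(), m_data);` returns nothing in this function may touch `this`. Suggest stating that explicitly, e.g. `/* The callback may free this wrapper; do not touch `this` after it returns. */`, and repeating the "must call reset()" requirement in the header comment at the declaration of the notify callback type and of the function that registers it, where callers actually read it. Note that a debug-build assertion after the callback (e.g. checking that the wrapper is no longer rooted) would not be safe here for the same reason, so documentation at the API surface is the only place the contract can be made visible to callers.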