From 523fe32b65f1561352986f186f3cd0eb4698a8b3 Mon Sep 17 00:00:00 2001
From: Milan Crha
Date: Thu, 19 Mar 2020 09:24:52 +0100
Subject: secret-file-backend: Fix use-after-free in flatpak

The on_portal_retrieve_secret() can connect a GCancellable, but it doesn't disconnect from it (only when the cancellable is cancelled), which means when the cancellable is cancelled later, when the GTask is gone, the callback is called with already freed data.
---
 libsecret/secret-file-backend.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libsecret/secret-file-backend.c b/libsecret/secret-file-backend.c
index e69c319..649ef0d 100644
--- a/libsecret/secret-file-backend.c
+++ b/libsecret/secret-file-backend.c
@@ -231,6 +231,11 @@ on_portal_response (GDBusConnection *connection,
 InitClosure *init = g_task_get_task_data (task);
 guint32 response;
+ if (init->cancellable_signal_id) {
+ g_cancellable_disconnect (g_task_get_cancellable (task), init->cancellable_signal_id);
+ init->cancellable_signal_id = 0;
+ }
+
 g_dbus_connection_signal_unsubscribe (connection, init->portal_signal_id);
@@ -303,6 +308,7 @@ on_portal_cancel (GCancellable *cancellable,
 task);
 g_cancellable_disconnect (cancellable, init->cancellable_signal_id);
+ init->cancellable_signal_id = 0;
 }
 static void
--
cgit v1.2.1
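Review bot: The disconnect block added at the top of on_portal_response has no comment marking it as a lifetime fix, so a later cleanup could move or drop it and bring back the use-after-free described in the commit message. A why-comment above the `if` would pin the invariant, for example `/* Drop the cancelled handler now: it must not fire after the task data is freed. */`. The function's signature and the rest of its body lie outside the hunk, so the later points where the task is completed cannot be checked from here.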
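Review bot: The `g_cancellable_disconnect (cancellable, init->cancellable_signal_id);` call kept directly above the added reset in on_portal_cancel follows a pattern that GLib documents as deadlocking when it runs inside a GCancellable::cancelled handler, because g_cancellable_disconnect() blocks until running handlers have finished. Assuming on_portal_cancel is the callback registered with g_cancellable_connect() (the registration and the start of the function are outside the hunk), the in-handler disconnect should use the plain signal API, `g_signal_handler_disconnect (cancellable, init->cancellable_signal_id);`, followed by the new `init->cancellable_signal_id = 0;`. The blocking variant added to on_portal_response is the right call there, since that path does not run inside the handler.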