From 9c3ca0aa8bef3cec970ae53bee545052b8cb0dee Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Thu, 14 Jun 2018 15:34:27 +0200
Subject: [PATCH] Backport patch to fix possible invalid pointer in dbus
 callback

... in the FD.o notification backend

https://bugzilla.redhat.com/show_bug.cgi?id=1584916
https://gitlab.gnome.org/GNOME/glib/merge_requests/90
https://gitlab.gnome.org/GNOME/glib/merge_requests/102
---
 ...gen.patch => glib2-fix-gdbus-codegen.patch |   0
 ...backend-fix-possible-invalid-pointer.patch | 136 ++++++++++++++++++
 glib2.spec                                    |  15 +-
 3 files changed, 148 insertions(+), 3 deletions(-)
 rename 00-fix-gdbus-codegen.patch => glib2-fix-gdbus-codegen.patch (100%)
 create mode 100644 glib2-gfdonotificationbackend-fix-possible-invalid-pointer.patch

diff --git a/00-fix-gdbus-codegen.patch b/glib2-fix-gdbus-codegen.patch
similarity index 100%
rename from 00-fix-gdbus-codegen.patch
rename to glib2-fix-gdbus-codegen.patch
diff --git a/glib2-gfdonotificationbackend-fix-possible-invalid-pointer.patch b/glib2-gfdonotificationbackend-fix-possible-invalid-pointer.patch
new file mode 100644
index 0000000..61a7f2d
--- /dev/null
+++ b/glib2-gfdonotificationbackend-fix-possible-invalid-pointer.patch
@@ -0,0 +1,136 @@
+From d26b66e225d3f0d308b2ec1a862a505709076bf7 Mon Sep 17 00:00:00 2001
+From: Arnaud Rebillout <elboulangero@gmail.com>
+Date: Sun, 10 Jun 2018 20:56:12 +0700
+Subject: [PATCH] gfdonotificationbackend: Fix possible invalid pointer in dbus
+ callback
+
+The way things were before: a FreedesktopNotification struct is
+allocated before the dbus call, and this same struct is possibly re-used
+for other dbus calls. If the server becomes unavailable, the callback
+will be invoked after the call times out, which leaves a long time where
+other dbus calls can happen, re-using the same FreedesktopNotification
+as user data. When the first call times out, the callback is invoked,
+and the user data is freed. Subsequent calls that used the same user
+data will time out later on, and try to free a pointer that was already
+freed, hence segfaults.
+
+This bug can be reproduced in Cinnamon 3.6.7, as mentioned in:
+<https://github.com/linuxmint/Cinnamon/issues/7491>
+
+This commit fixes that by always allocating a new
+FreedesktopNotification before invoking dbus_call(), ensuring that the
+callback always have a valid user data.
+
+Signed-off-by: Arnaud Rebillout <elboulangero@gmail.com>
+---
+ gio/gfdonotificationbackend.c | 55 ++++++++++++++++++++++++++-----------------
+ 1 file changed, 34 insertions(+), 21 deletions(-)
+
+diff --git a/gio/gfdonotificationbackend.c b/gio/gfdonotificationbackend.c
+index a0d4814335be..ab5329497d1e 100644
+--- a/gio/gfdonotificationbackend.c
++++ b/gio/gfdonotificationbackend.c
+@@ -62,7 +62,6 @@ typedef struct
+   GVariant *default_action_target;
+ } FreedesktopNotification;
+ 
+-
+ static void
+ freedesktop_notification_free (gpointer data)
+ {
+@@ -76,6 +75,24 @@ freedesktop_notification_free (gpointer data)
+   g_slice_free (FreedesktopNotification, n);
+ }
+ 
++static FreedesktopNotification *
++freedesktop_notification_new (GFdoNotificationBackend *backend,
++                              const gchar             *id,
++                              GNotification           *notification)
++{
++  FreedesktopNotification *n;
++
++  n = g_slice_new0 (FreedesktopNotification);
++  n->backend = backend;
++  n->id = g_strdup (id);
++  n->notify_id = 0;
++  g_notification_get_default_action (notification,
++                                     &n->default_action,
++                                     &n->default_action_target);
++
++  return n;
++}
++
+ static FreedesktopNotification *
+ g_fdo_notification_backend_find_notification (GFdoNotificationBackend *backend,
+                                               const gchar             *id)
+@@ -319,8 +336,19 @@ notification_sent (GObject      *source_object,
+   val = g_dbus_connection_call_finish (G_DBUS_CONNECTION (source_object), result, &error);
+   if (val)
+     {
++      GFdoNotificationBackend *backend = n->backend;
++      FreedesktopNotification *match;
++
+       g_variant_get (val, "(u)", &n->notify_id);
+       g_variant_unref (val);
++
++      match = g_fdo_notification_backend_find_notification_by_notify_id (backend, n->notify_id);
++      if (match != NULL)
++        {
++          backend->notifications = g_slist_remove (backend->notifications, match);
++          freedesktop_notification_free (match);
++        }
++      backend->notifications = g_slist_prepend (backend->notifications, n);
+     }
+   else
+     {
+@@ -331,9 +359,7 @@ notification_sent (GObject      *source_object,
+           warning_printed = TRUE;
+         }
+ 
+-      n->backend->notifications = g_slist_remove (n->backend->notifications, n);
+       freedesktop_notification_free (n);
+-
+       g_error_free (error);
+     }
+ }
+@@ -378,7 +404,7 @@ g_fdo_notification_backend_send_notification (GNotificationBackend *backend,
+                                               GNotification        *notification)
+ {
+   GFdoNotificationBackend *self = G_FDO_NOTIFICATION_BACKEND (backend);
+-  FreedesktopNotification *n;
++  FreedesktopNotification *n, *tmp;
+ 
+   if (self->notify_subscription == 0)
+     {
+@@ -391,24 +417,11 @@ g_fdo_notification_backend_send_notification (GNotificationBackend *backend,
+                                             notify_signal, backend, NULL);
+     }
+ 
+-  n = g_fdo_notification_backend_find_notification (self, id);
+-  if (n == NULL)
+-    {
+-      n = g_slice_new0 (FreedesktopNotification);
+-      n->backend = self;
+-      n->id = g_strdup (id);
+-      n->notify_id = 0;
+-
+-      n->backend->notifications = g_slist_prepend (n->backend->notifications, n);
+-    }
+-  else
+-    {
+-      /* Only clear default action. All other fields are still valid */
+-      g_clear_pointer (&n->default_action, g_free);
+-      g_clear_pointer (&n->default_action_target, g_variant_unref);
+-    }
++  n = freedesktop_notification_new (self, id, notification);
+ 
+-  g_notification_get_default_action (notification, &n->default_action, &n->default_action_target);
++  tmp = g_fdo_notification_backend_find_notification (self, id);
++  if (tmp)
++    n->notify_id = tmp->notify_id;
+ 
+   call_notify (backend->dbus_connection, backend->application, n->notify_id, notification, notification_sent, n);
+ }
+-- 
+2.14.4
+
diff --git a/glib2.spec b/glib2.spec
index 7e55ea5..e807228 100644
--- a/glib2.spec
+++ b/glib2.spec
@@ -5,7 +5,7 @@
 
 Name: glib2
 Version: 2.56.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: A library of handy utility functions
 
 License: LGPLv2+
@@ -14,7 +14,12 @@ Source0: http://download.gnome.org/sources/glib/2.56/glib-%{version}.tar.xz
 
 # Include upstream patch to fix gdbus-codegen when used with meson 0.46
 # https://gitlab.gnome.org/GNOME/glib/commit/cd1f82d8fc741a2203582c12cc21b4dacf7e1872
-Patch0: 00-fix-gdbus-codegen.patch
+Patch0: glib2-fix-gdbus-codegen.patch
+
+# https://gitlab.gnome.org/GNOME/glib/merge_requests/90
+# https://gitlab.gnome.org/GNOME/glib/merge_requests/102
+# https://bugzilla.redhat.com/show_bug.cgi?id=1584916
+Patch1: glib2-gfdonotificationbackend-fix-possible-invalid-pointer.patch
 
 BuildRequires: chrpath
 BuildRequires: gettext
@@ -219,8 +224,12 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 %{_datadir}/installed-tests
 
 %changelog
+* Thu Jun 14 2018 Debarshi Ray <rishi@fedoraproject.org> - 2.56.1-4
+- Backport patch to fix possible invalid pointer in dbus callback in the FD.o
+  notification backend (RH #1584916)
+
 * Sun May 27 2018 Kalev Lember <klember@redhat.com> - 2.56.1-3
-- Fix multilib -devel installs (#1581067)
+- Fix multilib -devel installs (RH #1581067)
 
 * Sun May 13 2018 Fabio Valentini <decathorpe@gmail.com> - 2.56.1-2
 - Include upstream patch to fix gdbus-codegen with meson 0.46.