View | Details | Raw Unified | Return to bug 4840
Collapse All | Expand All

(-)a/src/grouplistdialog.c (-1 / +7 lines)
Lines 602-609 static gboolean button_press_cb(GtkCMCTree *ctree, GdkEventButton *button, Link Here
602
	list = g_slist_find_custom(subscribed, ginfo->name,
602
	list = g_slist_find_custom(subscribed, ginfo->name,
603
				   (GCompareFunc)g_ascii_strcasecmp);
603
				   (GCompareFunc)g_ascii_strcasecmp);
604
	if (list) {
604
	if (list) {
605
		/*
606
		 * Make a copy so we can g_free() it after we remove
607
		 * list from the subscribed list.  Calling g_free()
608
		 * first triggers a use-after-free Coverity issue.
609
		 */
610
		gpointer tmpdata = list->data;
605
		subscribed = g_slist_remove(subscribed, list->data);
611
		subscribed = g_slist_remove(subscribed, list->data);
606
		g_free(list->data);
612
		g_free(tmpdata);
607
		gtk_cmclist_unselect_row(GTK_CMCLIST(ctree), row, 0);
613
		gtk_cmclist_unselect_row(GTK_CMCLIST(ctree), row, 0);
608
	} else {
614
	} else {
609
		subscribed = g_slist_append(subscribed, g_strdup(ginfo->name));
615
		subscribed = g_slist_append(subscribed, g_strdup(ginfo->name));

Return to bug 4840