From 49ace3251b79a9e97c6e4d0bc640f9143dc71b90 Mon Sep 17 00:00:00 2001
From: ailin-nemui
Date: Sun, 8 Oct 2017 19:47:50 +0200
Subject: fix uaf in chanquery module the chanquery needs to be removed in any case if a channel rec is destroyed, regardless of any state Fixes GL#13
---
 src/irc/core/channels-query.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/irc/core/channels-query.c b/src/irc/core/channels-query.c
index 857ebaf0..d161aec1 100644
--- a/src/irc/core/channels-query.c
+++ b/src/irc/core/channels-query.c
@@ -125,15 +125,15 @@ static void query_remove_all(IRC_CHANNEL_REC *channel)
 rec->queries[n] = g_slist_remove(rec->queries[n], channel);
 rec->current_queries = g_slist_remove(rec->current_queries, channel);
- query_check(channel->server);
+ if (!channel->server->disconnected)
+ query_check(channel->server);
 }
 static void sig_channel_destroyed(IRC_CHANNEL_REC *channel)
 {
 g_return_if_fail(channel != NULL);
- if (IS_IRC_CHANNEL(channel) && !channel->server->disconnected &&
- !channel->synced)
+ if (IS_IRC_CHANNEL(channel))
 query_remove_all(channel);
 }
-- cgit v1.2.3
From 2edd816e7db13b4ac0b20df9bf7fe55ee7718215 Mon Sep 17 00:00:00 2001
From: Joseph Bisch
Date: Sun, 8 Oct 2017 22:02:44 -0400
Subject: Fix segfault in query_remove_all It is possible for rec to be NULL in query_remove_all, resulting in a segfault. So return without doing anything if rec is NULL.
---
 src/irc/core/channels-query.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'src')
diff --git a/src/irc/core/channels-query.c b/src/irc/core/channels-query.c
index d161aec1..d7dadf04 100644
--- a/src/irc/core/channels-query.c
+++ b/src/irc/core/channels-query.c
@@ -119,6 +119,7 @@ static void query_remove_all(IRC_CHANNEL_REC *channel)
 int n;
 rec = channel->server->chanqueries;
+ if (rec == NULL) return;
 /* remove channel from query lists */
 for (n = 0; n < CHANNEL_QUERIES; n++)
-- cgit v1.2.3
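Review bot: In the first patch ("fix uaf in chanquery module"), the new `if (!channel->server->disconnected)` guard at the end of query_remove_all and the now-unconditional call in sig_channel_destroyed carry no comment stating the invariant they protect. A destroyed channel must never remain in `rec->queries[]` or `rec->current_queries`, since a stale pointer left there is the use-after-free this commit addresses, and a later edit could easily narrow the condition again. I would add `/* always unlink a destroyed channel; only start new queries while still connected */` above the guard. query_remove_all begins outside this hunk, so whether `channel->server->chanqueries` is still valid on the newly reachable disconnected path cannot be confirmed from these lines and should be checked.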
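Review bot: In the second patch ("Fix segfault in query_remove_all"), the added `if (rec == NULL) return;` guards only `rec`, and it has no comment saying when `chanqueries` is expected to be NULL. The line before it still dereferences `channel->server` unchecked; presumably the destroy signal always arrives with a server attached, but that is not visible here and is worth confirming. I would write the check as `if (rec == NULL)` with `return;` on its own line, matching the two-line `if` style of the surrounding file, preceded by `/* no query state for this server (presumably already torn down): nothing to unlink */`. The body of query_remove_all continues outside the hunk.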