From 62818b9407e79c2931f03d74bff6af39bbda2a34 Mon Sep 17 00:00:00 2001
From: Vasily Khoruzhick
Date: Wed, 4 Jan 2023 23:35:33 -0800
Subject: [PATCH] fpcmoc: fix use-after free in multiple callbacks

Drop if statement that retrieves internal ssm->error. "error" is already a copied ssm->error, so it makes no sense to return internal copy which will be freed when ssm is marked as done.

Fixes #526
---
 libfprint/drivers/fpcmoc/fpc.c | 22 +++++----------------
 1 file changed, 5 insertions(+), 17 deletions(-)

diff --git a/libfprint/drivers/fpcmoc/fpc.c b/libfprint/drivers/fpcmoc/fpc.c
index b64cc36e..0f2b5591 100644
--- a/libfprint/drivers/fpcmoc/fpc.c
+++ b/libfprint/drivers/fpcmoc/fpc.c
@@ -1149,12 +1149,9 @@ fpc_enroll_ssm_done (FpiSsm *ssm, FpDevice *dev, GError *error)
   fp_info ("Enrollment complete!");
-  if (fpi_ssm_get_error (ssm))
-    error = fpi_ssm_get_error (ssm);
-
   if (error)
     {
-      fpi_device_enroll_complete (dev, NULL, error);
+      fpi_device_enroll_complete (dev, NULL, g_steal_pointer (&error));
       self->task_ssm = NULL;
       return;
     }
@@ -1336,9 +1333,6 @@ fpc_verify_ssm_done (FpiSsm *ssm, FpDevice *dev, GError *error)
   fp_info ("Verify_identify complete!");
-  if (fpi_ssm_get_error (ssm))
-    error = fpi_ssm_get_error (ssm);
-
   if (error && error->domain == FP_DEVICE_RETRY)
     {
       if (fpi_device_get_current_action (dev) == FPI_DEVICE_ACTION_VERIFY)
@@ -1348,9 +1342,9 @@ fpc_verify_ssm_done (FpiSsm *ssm, FpDevice *dev, GError *error)
     }
   if (fpi_device_get_current_action (dev) == FPI_DEVICE_ACTION_VERIFY)
-    fpi_device_verify_complete (dev, error);
+    fpi_device_verify_complete (dev, g_steal_pointer (&error));
   else
-    fpi_device_identify_complete (dev, error);
+    fpi_device_identify_complete (dev, g_steal_pointer (&error));
   self->task_ssm = NULL;
 }
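Review bot: Nothing in the new code of fpc_enroll_ssm_done records why `fpi_ssm_get_error (ssm)` must not be consulted in these completion callbacks, so the pattern this commit removes can easily be reintroduced; the ownership rule lives only in the commit message. Suggest a one-line comment above the completion call, e.g. `/* error is our own copy from the SSM; the SSM's internal error is freed once it completes, so never hand fpi_ssm_get_error (ssm) to callers. */`, and the same in fpc_verify_ssm_done, fpc_clear_ssm_done and fpc_init_ssm_done, which make the identical change. `g_steal_pointer (&error)` on a plain `GError *` parameter only clears the local and has no other effect, which is fine as an ownership marker but worth understanding as such. The body of fpc_enroll_ssm_done continues past the end of the hunk.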
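Review bot: In the third hunk, passing `g_steal_pointer (&error)` to fpi_device_verify_complete / fpi_device_identify_complete is only safe if the FP_DEVICE_RETRY branch just above it (its body lies outside the hunk) cleared `error` after handing it to the report call; if that branch still passes `error` without stealing it, the same GError is given to both the report and the complete call, a double free this commit does not address. Worth confirming the retry branch also reads `g_steal_pointer (&error)`, or sets `error = NULL;` after the report, before relying on the steal here. This is an inference from the visible control flow, not something the hunk itself shows.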
@@ -1448,10 +1442,7 @@ fpc_clear_ssm_done (FpiSsm *ssm, FpDevice *dev, GError *error)
   fp_info ("Clear Storage complete!");
-  if (fpi_ssm_get_error (ssm))
-    error = fpi_ssm_get_error (ssm);
-
-  fpi_device_clear_storage_complete (dev, error);
+  fpi_device_clear_storage_complete (dev, g_steal_pointer (&error));
   self->task_ssm = NULL;
 }
@@ -1555,10 +1546,7 @@ fpc_init_ssm_done (FpiSsm *ssm, FpDevice *dev, GError *error)
 {
   FpiDeviceFpcMoc *self = FPI_DEVICE_FPCMOC (dev);
-  if (fpi_ssm_get_error (ssm))
-    error = fpi_ssm_get_error (ssm);
-
-  fpi_device_open_complete (dev, error);
+  fpi_device_open_complete (dev, g_steal_pointer (&error));
   self->task_ssm = NULL;
 }