From aedcfcd0108814dc6b8b7377d9ef3062d7dea390 Mon Sep 17 00:00:00 2001
From: Sebastian Keller
Date: Fri, 21 Feb 2020 10:14:01 +0100
Subject: [PATCH] sound-player: Fix invalid write after playback is cancelled early

The cancellable of a request might already be cancelled by the time the cancelled_cb is connected resulting in finish_cb being called via ca_context_cancel before g_cancellable_connect returns. In this case the request that is written to has already been freed.

Fixes https://gitlab.gnome.org/GNOME/mutter/issues/1060
---
 src/core/meta-sound-player.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/core/meta-sound-player.c b/src/core/meta-sound-player.c
index 87090034e..00f110f75 100644
--- a/src/core/meta-sound-player.c
+++ b/src/core/meta-sound-player.c
@@ -140,9 +140,11 @@ play_sound (MetaPlayRequest *req,
 if (req->cancellable)
 {
- req->cancel_id =
+ gulong cancel_id =
 g_cancellable_connect (req->cancellable,
 G_CALLBACK (cancelled_cb), req, NULL);
+ if (cancel_id)
+ req->cancel_id = cancel_id;
 }
 }
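Review bot: The new `if (cancel_id)` guard carries no comment saying that it prevents a write to freed memory, so it reads like a redundant check that a later cleanup could fold back into a direct assignment to `req->cancel_id`. A comment above the guard would keep the invariant visible, for example `/* 0 means the cancellable was already cancelled: cancelled_cb has run and req may be freed, so do not touch it */`. The fix also assumes that a non-zero return means `req` is still alive when the store happens; if the cancellable can be cancelled from another thread, that assumption needs confirming, which cannot be judged from here because the body of play_sound starts outside the hunk.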