From 4b2fe2476292db84adc075d4fece8e57177a0e14 Mon Sep 17 00:00:00 2001
From: Thomas Holder
Date: Sun, 27 Oct 2019 07:35:34 +0100
Subject: fix heap-use-after-free on "Unlink Clone"
Reverts part of 6e5d89bf9595
---
src/object/sp-use.cpp | 2 ++
1 file changed, 2 insertions(+)
(limited to 'src/object/sp-use.cpp')
diff --git a/src/object/sp-use.cpp b/src/object/sp-use.cpp
index c451b4e91..6fb8a206c 100644
--- a/src/object/sp-use.cpp
+++ b/src/object/sp-use.cpp
@@ -699,6 +699,7 @@ SPItem *SPUse::unlink() {
 unlinked->updateRepr();
 // Hold onto our SPObject and repr for now.
+ sp_object_ref(this);
 Inkscape::GC::anchor(repr);
 // Remove ourselves, not propagating delete events to avoid a
@@ -718,6 +719,7 @@ SPItem *SPUse::unlink() {
 // Establish the succession and let go of our object.
 this->setSuccessor(unlinked);
+ sp_object_unref(this);
 SPItem *item = dynamic_cast(unlinked);
 g_assert(item != nullptr);
-- cgit v1.2.3
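Review bot: The `sp_object_ref(this)` added before `Inkscape::GC::anchor(repr)` is balanced only by the `sp_object_unref(this)` in the second hunk, roughly twenty lines later, and the existing comment does not say why the reference is needed. The code between the two calls is outside the diff, so I cannot confirm that every exit path reaches the unref; an early return added there later would leave the reference held. I would extend the comment to record the reason and the pairing, e.g. `// Keep 'this' alive across the removal below (it can drop the last reference); released by sp_object_unref(this) after setSuccessor().` A regression test that runs "Unlink Clone" under AddressSanitizer would also stop the reverted part of 6e5d89bf9595 from being reintroduced unnoticed.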
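Review bot: After the added `sp_object_unref(this)` the object may already be destroyed if that was the last reference, and nothing at that line warns later editors. The visible statements that follow use only `unlinked` and `item`, which is safe, but unlink() continues past the end of the hunk, so I cannot check the rest of the body. I would add `// 'this' may be freed from here on; use only locals (unlinked, item).` directly under the unref, so a later member access does not reintroduce the use-after-free this commit fixes.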