From ba0f90c16fa502e81e74db7d2834c27e239b45ba Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 13 Jun 2013 13:46:33 +0100 Subject: [PATCH 1/3] Add release name for 1.6.12 --- NEWS | 2 ++ 1 file changed, 2 insertions(+) diff --git a/NEWS b/NEWS index 46cf8b32..4fec6324 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,8 @@ D-Bus 1.6.14 (UNRELEASED) D-Bus 1.6.12 (2013-06-13) == +The “does this unit have a soul?” release. + Fixes: • CVE-2013-2168: Fix misuse of va_list that could be used as a denial From 8eb29fda102be3bd27b04a0b2d7f53a4dfb01f62 Mon Sep 17 00:00:00 2001 From: Chengwei Yang Date: Thu, 20 Jun 2013 17:24:04 +0800 Subject: [PATCH 2/3] DBusString: fix may crash if try to free an uninitialized str If the str will be freed hasn't been initialized by _dbus_string_init correctly, _dbus_string_free may crash due to trying to free an undefined memory. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=65959 Signed-off-by: Chengwei Yang Reviewed-by: Simon McVittie --- dbus/dbus-string.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/dbus/dbus-string.c b/dbus/dbus-string.c index e3766aad..52eb0f23 100644 --- a/dbus/dbus-string.c +++ b/dbus/dbus-string.c @@ -246,6 +246,14 @@ _dbus_string_free (DBusString *str) if (real->constant) return; + + /* so it's safe if @p str returned by a failed + * _dbus_string_init call + * Bug: https://bugs.freedesktop.org/show_bug.cgi?id=65959 + */ + if (real->str == NULL) + return; + dbus_free (real->str - real->align_offset); real->invalid = TRUE; From 931c9663b714d1db0e0dfcf13034e0b83450f3cf Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 20 Jun 2013 13:20:08 +0100 Subject: [PATCH 3/3] NEWS for #65959 --- NEWS | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 4fec6324..96d4b0c2 100644 --- a/NEWS +++ b/NEWS 
@@ -1,7 +1,10 @@ D-Bus 1.6.14 (UNRELEASED) == -... +Fixes: + +• If malloc() returns NULL in _dbus_string_init() or similar, don't free + an invalid pointer if the string is later freed (fd.o #65959, Chengwei Yang) D-Bus 1.6.12 (2013-06-13) ==
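Review bot: In the dbus/dbus-string.c hunk of patch 2/3, the new guard `if (real->str == NULL) return;` in _dbus_string_free only helps when a failed _dbus_string_init leaves real->str set to NULL, and nothing in this hunk shows that it does. The commit subject describes an "uninitialized" string, but a DBusString that never went through _dbus_string_init holds indeterminate bytes, which a NULL test does not catch. Please confirm that every failing init path stores NULL in real->str, and reword the comment to state that precondition, for example "real->str is NULL if _dbus_string_init failed". The early return also skips `real->invalid = TRUE;`, so a string freed after a failed init is not marked invalid the way a normally freed one is. The existing `if (real->constant) return;` above it behaves the same way, so this may be intended, but it is worth either setting the flag before returning or noting in the comment why that is unnecessary. A regression test that forces the allocation in _dbus_string_init to fail and then calls _dbus_string_free would pin down the behaviour described in the NEWS entry of patch 3/3.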