GNOME Bugzilla – Bug 644428
Crash in failure section of g_markup_collect_attributes()
Last modified: 2011-03-11 04:29:04 UTC
I just had g_markup_collect_attributes() crash on me after it tried to issue an error about a missing attribute. I'm passing NULL pointers for all but a few of the attributes, and looking at the GLib code I think I see what's wrong. failure: /* replay the above to free allocations */ type = first_type; attr = first_attr; va_start (ap, first_attr); while (type != G_MARKUP_COLLECT_INVALID) { gpointer ptr; ptr = va_arg (ap, gpointer); if (ptr == NULL) continue; switch (type & (G_MARKUP_COLLECT_OPTIONAL - 1)) { case G_MARKUP_COLLECT_STRDUP: if (written) g_free (*(char **) ptr); case G_MARKUP_COLLECT_STRING: *(char **) ptr = NULL; break; case G_MARKUP_COLLECT_BOOLEAN: *(gboolean *) ptr = FALSE; break; case G_MARKUP_COLLECT_TRISTATE: *(gboolean *) ptr = -1; break; } type = va_arg (ap, GMarkupCollectType); attr = va_arg (ap, const char *); if (written) written--; } va_end (ap); g_markup_collect_attributes() takes a variable length argument list of triplets: type, attr, ptr. When ptr is NULL, the logic continues the loop without reading the next type and attr arguments.
Created attachment 183090 [details] [review] Proposed patch Basically I'm just moving the whole switch statement inside a "if (ptr != NULL)" statement, so that for NULL pointers it just falls through to the end of the loop where the next type and attr arguments are picked up.
Created attachment 183094 [details] Reproducer program Here's a reproducer. Expected behavior is to emit a CRITICAL warning. Not crash.
Good catch; fixed.