GNOME Bugzilla – Bug 616432
Crash in gschema-compile
Last modified: 2010-04-22 09:39:59 UTC
Created attachment 159280 [details]
Example XML file that might crash gschema-compile

gschema-compile crashed with a realloc on an invalid pointer in GString. I'll attach the XML file I used. Note that minor changes would get around the crash for me, so this file may not cause a crash for you. It comes down to when memory happens to be overwritten.

I'm also attaching what I think is the correct fix. The end_element function frees state->string, then the text function attempts to access it. I think start_element is supposed to create the GString, but it doesn't for the "min" and "max" elements. My patch sets state->string to NULL whenever it's freed, as a precaution, and creates a new GString for min and max.
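An added illustration of the two-part fix described in this comment, written for this page and not taken from gschema-compile or either attached patch: the text accumulator is created for min and max, the pointer is set to NULL when freed, and the text handler reports text it cannot store instead of dereferencing a freed pointer. The ParseState struct, the handler signatures, the plain char buffer standing in for GString and the extra "default" element are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical parser state modelled on the handlers in the report: one text
 * accumulator that start_element creates and end_element frees. */
typedef struct {
    char *string;         /* element text being accumulated, NULL if none is expected */
    size_t len; int error;  /* error is set when text shows up where no accumulator exists */
    char last_value[64];  /* value captured by the most recent end_element */
} ParseState;

/* "default" is an assumed third text-bearing element; the report names only min and max. */
static int wants_text(const char *name) {
    return !strcmp(name, "min") || !strcmp(name, "max") || !strcmp(name, "default");
}
/* The report's fix: <min> and <max> get an accumulator instead of being skipped. */
static void start_element(ParseState *st, const char *name) {
    if (wants_text(name)) { st->string = calloc(1, 1); st->len = 0; }
}

static void text(ParseState *st, const char *chunk) {
    if (st->string == NULL) { st->error = 1; return; }  /* no element wants text here */
    size_t n = strlen(chunk);
    st->string = realloc(st->string, st->len + n + 1);  /* pointer is live, never freed */
    memcpy(st->string + st->len, chunk, n + 1);
    st->len += n;
}

static void end_element(ParseState *st, const char *name) {
    if (!wants_text(name) || st->string == NULL) return;
    snprintf(st->last_value, sizeof st->last_value, "%s", st->string);
    free(st->string);
    st->string = NULL;  /* the precaution from the report: never leave a dangling pointer */
    st->len = 0;
}

/* Constructed event sequence for <key><min>1</min></key>: accepted, value captured. */
int demo_min_ok(void) {
    ParseState st = {0};
    start_element(&st, "key"); start_element(&st, "min");
    text(&st, "1"); end_element(&st, "min"); end_element(&st, "key");
    return st.error == 0 && st.string == NULL && strcmp(st.last_value, "1") == 0;
}

/* Constructed sequence for <key>x</key>: text with no accumulator is flagged, not dereferenced. */
int demo_text_in_key_rejected(void) {
    ParseState st = {0};
    start_element(&st, "key"); text(&st, "x"); end_element(&st, "key");
    return st.error == 1 && st.string == NULL;
}
```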
Created attachment 159281 [details] [review] Proposed patch
Thanks, I've pushed a fix
Thanks Matthias. The fix you pushed prevents the invalid memory access, but since it doesn't create a GString for min and max elements, I get "text may not appear inside <min>".
The patch in bug 616102 will fix that. (It probably now doesn't apply cleanly anymore...:/)