After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 644428 - Crash in failure section of g_markup_collect_attributes()
Crash in failure section of g_markup_collect_attributes()
Status: RESOLVED FIXED
Product: glib
Classification: Platform
Component: general
2.28.x
Other Linux
: Normal normal
: ---
Assigned To: gtkdev
gtkdev
Depends on:
Blocks:
 
 
Reported: 2011-03-10 19:27 UTC by Matthew Barnes
Modified: 2011-03-11 04:29 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Proposed patch (1.42 KB, patch)
2011-03-10 19:41 UTC, Matthew Barnes
none Details | Review
Reproducer program (898 bytes, text/plain)
2011-03-10 21:56 UTC, Matthew Barnes
  Details

Description Matthew Barnes 2011-03-10 19:27:14 UTC
I just had g_markup_collect_attributes() crash on me after it tried to issue an error about a missing attribute.  I'm passing NULL pointers for all but a few of the attributes, and looking at the GLib code I think I see what's wrong.

failure:
  /* replay the above to free allocations */
  type = first_type;
  attr = first_attr;

  va_start (ap, first_attr);
  while (type != G_MARKUP_COLLECT_INVALID)
    {
      gpointer ptr;

      ptr = va_arg (ap, gpointer);

      if (ptr == NULL)
        continue;

      switch (type & (G_MARKUP_COLLECT_OPTIONAL - 1))
        {
        case G_MARKUP_COLLECT_STRDUP:
          if (written)
            g_free (*(char **) ptr);

        case G_MARKUP_COLLECT_STRING:
          *(char **) ptr = NULL;
          break;

        case G_MARKUP_COLLECT_BOOLEAN:
          *(gboolean *) ptr = FALSE;
          break;

        case G_MARKUP_COLLECT_TRISTATE:
          *(gboolean *) ptr = -1;
          break;
        }

      type = va_arg (ap, GMarkupCollectType);
      attr = va_arg (ap, const char *);

      if (written)
        written--;
    }
  va_end (ap);

g_markup_collect_attributes() takes a variable length argument list of triplets: type, attr, ptr.  When ptr is NULL, the logic continues the loop without reading the next type and attr arguments.
Comment 1 Matthew Barnes 2011-03-10 19:41:56 UTC
Created attachment 183090 [details] [review]
Proposed patch

Basically I'm just moving the whole switch statement inside a "if (ptr != NULL)" statement, so that for NULL pointers it just falls through to the end of the loop where the next type and attr arguments are picked up.
Comment 2 Matthew Barnes 2011-03-10 21:56:09 UTC
Created attachment 183094 [details]
Reproducer program

Here's a reproducer.  Expected behavior is to emit a CRITICAL warning.  Not crash.
Comment 3 Matthias Clasen 2011-03-11 04:29:04 UTC
Good catch; fixed.