After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 719979 - g_settings_get: check validity of format string
g_settings_get: check validity of format string
Status: RESOLVED FIXED
Product: glib
Classification: Platform
Component: gsettings
unspecified
Other All
: Normal normal
: ---
Assigned To: Allison Karlitskaya (desrt)
gtkdev
Depends on:
Blocks:
 
 
Reported: 2013-12-06 15:13 UTC by Lars Karlitski
Modified: 2016-06-30 16:40 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
g_settings_get: check validity of format string (1.26 KB, patch)
2013-12-06 15:13 UTC, Lars Karlitski 		committed Details | Review
g_settings_get: only check for non-copying format string (1.16 KB, patch)
2013-12-08 16:34 UTC, Lars Karlitski 		committed Details | Review

Description Lars Karlitski 2013-12-06 15:13:37 UTC 
See patch.
Comment 1 Lars Karlitski 2013-12-06 15:13:39 UTC 
Created attachment 263673 [details] [review]
g_settings_get: check validity of format string

Allow only format strings that copy all values (i.e, don't contain '&'),
as the returned pointers might become invalid in some rare cases.

Since this is technically an API break, this patch only prints a
critical when a faulty format string is detected, but still fetches the
values.
Comment 2 Allison Karlitskaya (desrt) 2013-12-06 15:28:21 UTC 
Review of attachment 263673 [details] [review]:

I'd argue that this is technically not an API break because not copying doesn't work properly in all cases.

Looks good for now, thanks.  Let's see what it kicks up.
Comment 3 Lars Karlitski 2013-12-06 15:48:39 UTC 
Attachment 263673 [details] pushed as 396d40a - g_settings_get: check validity of format string
Comment 4 Christian Persch 2013-12-06 17:35:12 UTC 
Could you specify exactly under which circumstances e.g. a g_settings_get (s, "&s", &str) could fail to work properly?
Comment 5 Lars Karlitski 2013-12-06 17:48:11 UTC 
That depends on the backend. g_settings_get() gets a GVariant from the backend, calls g_variant_get_va(), and unrefs the variant. There's no guarantee that the variant stays alive after that.

In practice this happens can happen in the dconf backend when the backing gvdb gets replaced. If I understood Ryan on irc earlier today correctly, this sequence should do it:

  g_settings_get (settings, "some-key", "&s", &str);

  g_settings_set_value (settings, "some-other-key", bar); /* rewrites the db */
  foo = g_settings_get_value (settings, "some-other-key");  /* reinits mmap /*

  /* str is now dangling */
Comment 6 Dan Winship 2013-12-08 10:37:35 UTC 
You broke gio/tests/gsettings
Comment 7 Lars Karlitski 2013-12-08 16:34:05 UTC 
Created attachment 263745 [details] [review]
g_settings_get: only check for non-copying format string

Sorry about that. Ryan suggested on irc that checking for a '&' in the format
string is enough for now.
Comment 8 Dan Winship 2013-12-09 14:31:01 UTC 
if Ryan's ok with it then fine. (I have no opinion on how it should be fixed, I was just pointing out that "make check" was broken.)
Comment 9 Allison Karlitskaya (desrt) 2013-12-09 14:46:37 UTC 
Review of attachment 263745 [details] [review]:

Good.  Thanks.
Comment 10 Lars Karlitski 2013-12-09 14:53:00 UTC 
Pushed as 0f1579e6.
Comment 11 Debarshi Ray 2016-06-30 16:40:16 UTC 
Comment on attachment 263745 [details] [review]
g_settings_get: only check for non-copying format string

Updating the patch status - it was committed a while ago.