GNOME Bugzilla – Bug 795147
Null pointer dereference in g_markup_parse_context_end_parse()
Last modified: 2018-05-24 20:24:34 UTC
Created attachment 370763: simple test case to reproduce the bug

Function g_markup_parse_context_end_parse() doesn't call the current_element() function carefully, and can cause a null pointer dereference error while parsing a malformed input. The definition of function current_element() is as below:

    static inline const gchar*
    current_element (GMarkupParseContext *context)
    {
      return context->tag_stack->data; // context->tag_stack may be NULL
    }

This bug resides in gmarkup.c, near line 1837, in case "STATE_AFTER_CLOSE_TAG_NAME":

    1834     case STATE_AFTER_CLOSE_TAG_NAME:
    1835       set_error (context, error, G_MARKUP_ERROR_PARSE,
    1836                  _("Document ended unexpectedly inside the close tag for "
    1837                    "element '%s'"), current_element (context));
    1838       break;

Here set_error is called and uses the return value of "current_element (context)" as its parameter, without checking whether "context->tag_stack" is NULL or not. Parsing invalid data may lead to a null pointer dereference. I think this bug may exist in other places where current_element() is not carefully called; a good way to fix it is to add an assertion in current_element(). The attachment is a simple test case to reproduce it.

credit: ADLab of Venustech
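The failure path above, modelled as an added example: this is not GLib's code and not the reporter's attachment, but a self-contained miniature of the tag-stack handling with hypothetical names (ModelContext, feed, end_parse, current_element_safe). It shows the input class that reaches the end-of-document state with an empty tag stack (a truncated close tag such as "</a" with nothing open), why the unguarded helper would dereference NULL there, and how a check in the caller turns the crash into an ordinary parse error. The inputs in main() are constructed for the demonstration.

```c
/* Added example (not GLib's own code): minimal model of gmarkup.c's tag stack.
 * Hypothetical names throughout; compile with any C99 compiler. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct TagNode { char *name; struct TagNode *next; } TagNode;

typedef enum {
    STATE_START,
    STATE_INSIDE_TEXT,
    STATE_INSIDE_OPEN_TAG,        /* input ended inside "<name"  */
    STATE_AFTER_CLOSE_TAG_NAME    /* input ended inside "</name" */
} ModelState;

typedef struct {
    TagNode *tag_stack;           /* NULL when no element is open, like context->tag_stack */
    ModelState state;
} ModelContext;

static void push_tag(ModelContext *ctx, const char *name, size_t len)
{
    TagNode *n = malloc(sizeof *n);
    n->name = malloc(len + 1);
    memcpy(n->name, name, len);
    n->name[len] = '\0';
    n->next = ctx->tag_stack;
    ctx->tag_stack = n;
}

static void pop_tag(ModelContext *ctx)
{
    TagNode *n = ctx->tag_stack;
    if (n == NULL) return;        /* unmatched close tag: nothing to pop */
    ctx->tag_stack = n->next;
    free(n->name);
    free(n);
}

/* The helper as the report quotes it: dereferences the stack head unconditionally. */
static const char *current_element_unsafe(ModelContext *ctx) { return ctx->tag_stack->name; }

/* Guarded variant: returns NULL instead of dereferencing a NULL stack. */
static const char *current_element_safe(ModelContext *ctx)
{
    return ctx->tag_stack ? ctx->tag_stack->name : NULL;
}

/* Toy scanner: "<name>" pushes, "</name>" pops, a tag cut off by end of input sets the state. */
static void feed(ModelContext *ctx, const char *text)
{
    const char *p = text;
    while (*p) {
        if (*p != '<') { p++; ctx->state = STATE_INSIDE_TEXT; continue; }
        int closing = (p[1] == '/');
        const char *name = p + (closing ? 2 : 1), *q = name;
        while (*q && *q != '>') q++;
        if (*q != '>') {          /* document ended inside this tag */
            ctx->state = closing ? STATE_AFTER_CLOSE_TAG_NAME : STATE_INSIDE_OPEN_TAG;
            return;
        }
        if (closing) pop_tag(ctx); else push_tag(ctx, name, (size_t)(q - name));
        ctx->state = STATE_INSIDE_TEXT;
        p = q + 1;
    }
}

/* The report's end_parse case, written with the guard. 0 on success, -1 with err set. */
static int end_parse(ModelContext *ctx, char *err, size_t errlen)
{
    switch (ctx->state) {
    case STATE_AFTER_CLOSE_TAG_NAME: {
        /* current_element_unsafe(ctx) here crashes on "</a" with no element open */
        const char *elem = current_element_safe(ctx);
        snprintf(err, errlen, "Document ended unexpectedly inside the close tag for element '%s'",
                 elem ? elem : "(no open element)");
        return -1;
    }
    case STATE_INSIDE_OPEN_TAG:
        snprintf(err, errlen, "Document ended unexpectedly inside an open tag");
        return -1;
    default:
        if (ctx->tag_stack) {     /* the check makes the unguarded helper safe to call */
            snprintf(err, errlen, "Document ended with element '%s' still open",
                     current_element_unsafe(ctx));
            return -1;
        }
        err[0] = '\0';
        return 0;
    }
}

static void free_context(ModelContext *ctx) { while (ctx->tag_stack) pop_tag(ctx); }

/* Parse one complete buffer and return end_parse()'s verdict. */
static int parse_document(const char *text, char *err, size_t errlen)
{
    ModelContext ctx = { NULL, STATE_START };
    feed(&ctx, text);
    int rc = end_parse(&ctx, err, errlen);
    free_context(&ctx);
    return rc;
}

/* 1 if the tag stack is empty at end of input, i.e. current_element_unsafe() would crash. */
static int stack_empty_at_end(const char *text)
{
    ModelContext ctx = { NULL, STATE_START };
    feed(&ctx, text);
    int empty = (ctx.tag_stack == NULL);
    free_context(&ctx);
    return empty;
}

int main(void)
{
    const char *inputs[] = { "<a>text</a>", "<a></a", "</a" };  /* constructed inputs */
    char err[128];
    for (size_t i = 0; i < 3; i++)
        printf("%-12s rc=%d stack_empty=%d %s\n", inputs[i],
               parse_document(inputs[i], err, sizeof err), stack_empty_at_end(inputs[i]), err);
    return 0;
}
```

The report proposes an assertion inside current_element(); the model instead guards at the call site. Either way the point is the same: in STATE_AFTER_CLOSE_TAG_NAME the tag stack can legitimately be empty (a stray close tag at the very end of the input), so the error message must be built without assuming an open element.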
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/glib/issues/1364.