Bug 80814 – bogus memory access in g_boxed_copy()

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 80814 - bogus memory access in g_boxed_copy()


Summary:	bogus memory access in g_boxed_copy()


Status:	RESOLVED FIXED

Product:	glib
Classification:	Platform
Component:	gobject
Version:	2.0.x
Hardware:	Other All

Importance:	Normal normal
Target Milestone:	---
Assigned To:	gtkdev
QA Contact:	gtkdev

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2002-05-04 22:07 UTC by Daniel Elstner
Modified:	2004-12-22 21:47 UTC

See Also:
GNOME target:	---
GNOME version:	2.0

Attachments
Fix for out-of-bounds array access in g_boxed_copy(). (1.24 KB, patch) 2002-05-05 01:48 UTC, Daniel Elstner	none	Details \| Review

Description Daniel Elstner 2002-05-04 22:07:45 UTC

From gobject/gboxed.c, line 377:

      /* double check and grouse if things went wrong */
      if (dest_value.data[1].v_ulong ||
	  dest_value.data[2].v_ulong)
	g_warning ("the copy_value() implementation of type `%s' seems to make use
of reserved GValue fields",
		   g_type_name (boxed_type));


dest_value.data[2] is out of bounds, since GValue::data[] has only 2
elements.  This code path is only triggered when deriving directly from
G_TYPE_BOXED, without using g_boxed_type_register_static().

Comment 1 Daniel Elstner 2002-05-05 01:48:21 UTC

Created attachment 8179 [details] [review]
Fix for out-of-bounds array access in g_boxed_copy().

Comment 2 Owen Taylor 2002-05-06 20:04:43 UTC

Mon May  6 16:03:20 2002  Owen Taylor  <otaylor@redhat.com>

	* gboxed.c (g_boxed_copy): Remove check	on data[2]
	that no	longer	exists.	(#80814,	Daniel
Elstner)