[gjs: 4/6] arg: Prevent null pointer access in zero-length array case



commit 8403892e778f76728e06c66173aa5fcd1c8f6883
Author: Philip Chimento <philip endlessm com>
Date:   Wed Jul 31 15:34:08 2019 -0700

    arg: Prevent null pointer access in zero-length array case
    
    gjs_array_to_explicit_array_internal() may return null for the contents
    of the array if the returned length is also zero.
    
    g_array_append_vals(), g_byte_array_append(), and memcpy() may not take
    null pointers for the source data. It looks like it was assumed that
    they would do the right thing (i.e. nothing) if the length of the source
    data was 0, but that's apparently not guaranteed. Instead, check for
    null and skip the operation if it's the case.
    
    Caught by the Clang static analyzer (at least, the memcpy() case was).

 gi/arg.cpp | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
---
diff --git a/gi/arg.cpp b/gi/arg.cpp
index d8e61946..1b2be888 100644
--- a/gi/arg.cpp
+++ b/gi/arg.cpp
@@ -1970,7 +1970,8 @@ _Pragma("GCC diagnostic pop")
             if (!array)
                 wrong = true;
             else {
-                g_array_append_vals(array, data, length);
+                if (data)
+                    g_array_append_vals(array, data, length);
                 arg->v_pointer = array;
             }
 
@@ -1978,7 +1979,9 @@ _Pragma("GCC diagnostic pop")
         } else if (array_type == GI_ARRAY_TYPE_BYTE_ARRAY) {
             GByteArray *byte_array = g_byte_array_sized_new(length);
 
-            g_byte_array_append(byte_array, (const guint8 *) data, length);
+            if (data)
+                g_byte_array_append(byte_array,
+                                    static_cast<const uint8_t*>(data), length);
             arg->v_pointer = byte_array;
 
             g_free(data);
@@ -1986,7 +1989,8 @@ _Pragma("GCC diagnostic pop")
             GPtrArray *array = g_ptr_array_sized_new(length);
 
             g_ptr_array_set_size(array, length);
-            memcpy(array->pdata, data, sizeof(gpointer) * length);
+            if (data)
+                memcpy(array->pdata, data, sizeof(void*) * length);
             arg->v_pointer = array;
 
             g_free(data);
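Review bot: `g_ptr_array_set_size(array, length)` on line 53 still runs unconditionally, so if `data` is null while `length` is nonzero the array is grown to `length` slots that are never filled by the now-guarded `memcpy` on line 56, and a caller would receive an array of `length` placeholder entries rather than an error. Tying the two together keeps the array size and its contents consistent: `if (data) { g_ptr_array_set_size(array, length); memcpy(array->pdata, data, sizeof(void*) * length); }` — with a comment that `data` is expected to be null only for a zero-length result. Whether `g_ptr_array_set_size` NULL-fills the new slots or leaves them as the sized allocation provided is not visible here, so the result for that case may be indeterminate; worth confirming against the GLib version in use. The enclosing function starts and ends outside this hunk.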

