[glib/glib-2-72: 22/39] gcontenttype: Fix a potential use-after-free of xdgmime data

From: Matthias Clasen <matthiasc src gnome org>
To: commits-list gnome org
Cc:
Subject: [glib/glib-2-72: 22/39] gcontenttype: Fix a potential use-after-free of xdgmime data
Date: Tue, 20 Sep 2022 19:07:39 +0000 (UTC)


commit 938ea5141f47c69262b7370011955ba1bf1b9452
Author: Philip Withnall <pwithnall endlessos org>
Date:   Tue Jun 28 10:51:42 2022 +0100

    gcontenttype: Fix a potential use-after-free of xdgmime data
    
    While `gio_xdgmime` is unlocked, the data which `type` points to in the
    xdgmime cache might get invalidated, leaving `type` as a dangling
    pointer. That would not bode well for the `g_strdup (type)` call to
    insert a new entry into the `type_comment_cache` once `gio_xdgmime` is
    re-acquired.
    
    This was spotted using static analysis, and the symptoms have not
    knowingly been seen in the wild.
    
    Signed-off-by: Philip Withnall <pwithnall endlessos org>
    
    Coverity CID: #1474702
    
    (cherry-picked from commit 45d4c525)

 gio/gcontenttype.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
---
diff --git a/gio/gcontenttype.c b/gio/gcontenttype.c
index 3c9522bc69..1e4f19b639 100644
--- a/gio/gcontenttype.c
+++ b/gio/gcontenttype.c
@@ -483,6 +483,7 @@ gchar *
 g_content_type_get_description (const gchar *type)
 {
   static GHashTable *type_comment_cache = NULL;
+  gchar *type_copy = NULL;
   gchar *comment;
 
   g_return_val_if_fail (type != NULL, NULL);
@@ -497,16 +498,21 @@ g_content_type_get_description (const gchar *type)
 
   comment = g_hash_table_lookup (type_comment_cache, type);
   comment = g_strdup (comment);
-  G_UNLOCK (gio_xdgmime);
 
   if (comment != NULL)
-    return comment;
+    {
+      G_UNLOCK (gio_xdgmime);
+      return comment;
+    }
 
-  comment = load_comment_for_mime (type);
+  type_copy = g_strdup (type);
 
+  G_UNLOCK (gio_xdgmime);
+  comment = load_comment_for_mime (type_copy);
   G_LOCK (gio_xdgmime);
+
   g_hash_table_insert (type_comment_cache,
-                       g_strdup (type),
+                       g_steal_pointer (&type_copy),
                        g_strdup (comment));
   G_UNLOCK (gio_xdgmime);

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]