[gjs] Fix crash when marshalling a GType array containing non objects



commit f4a5b2c9af715668e3559ff0b66a311d7e9936b2
Author: Giovanni Campagna <gcampagna src gnome org>
Date:   Tue Apr 2 18:04:13 2013 +0200

    Fix crash when marshalling a GType array containing non objects
    
    It would cast a jsval of the wrong type to object and pass NULL
    to gjs_gtype_get_actual_gtype()
    
    Tests included.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=696933

 gi/arg.c                       |   16 ++++++++++------
 test/js/testEverythingBasic.js |   15 +++++++++++++++
 2 files changed, 25 insertions(+), 6 deletions(-)
---
diff --git a/gi/arg.c b/gi/arg.c
index 7c019d3..053ba65 100644
--- a/gi/arg.c
+++ b/gi/arg.c
@@ -627,13 +627,12 @@ gjs_gtypearray_to_array(JSContext   *context,
             return JS_FALSE;
         }
 
-        gtype = gjs_gtype_get_actual_gtype(context, JSVAL_TO_OBJECT(elem));
+        if (!JSVAL_IS_OBJECT(elem))
+            goto err;
 
-        if (gtype == G_TYPE_INVALID) {
-            g_free(result);
-            gjs_throw(context, "Invalid element in GType array");
-            return JS_FALSE;
-        }
+        gtype = gjs_gtype_get_actual_gtype(context, JSVAL_TO_OBJECT(elem));
+        if (gtype == G_TYPE_INVALID)
+            goto err;
 
         result[i] = gtype;
     }
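Review bot: The new `if (!JSVAL_IS_OBJECT(elem))` guard may still let a `null` element through to `gjs_gtype_get_actual_gtype()`. In the SpiderMonkey API of this period, `JSVAL_IS_OBJECT` is documented as true for `JSVAL_NULL` as well as for real objects, so `JSVAL_TO_OBJECT(elem)` would produce the same NULL pointer the commit message describes. Whether the helper tolerates NULL is not visible in this hunk. If it does not, `if (JSVAL_IS_PRIMITIVE(elem)) goto err;` rejects null together with the other non-object values. The function starts above this hunk and the `err:` label it jumps to is in the following one.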
@@ -641,6 +640,11 @@ gjs_gtypearray_to_array(JSContext   *context,
     *arr_p = result;
 
     return JS_TRUE;
+
+ err:
+    g_free(result);
+    gjs_throw(context, "Invalid element in GType array");
+    return JS_FALSE;
 }
 
 static JSBool
diff --git a/test/js/testEverythingBasic.js b/test/js/testEverythingBasic.js
index 4581966..6dc71dd 100644
--- a/test/js/testEverythingBasic.js
+++ b/test/js/testEverythingBasic.js
@@ -10,6 +10,7 @@ if (!('assertEquals' in this)) { /* allow running this test standalone */
 // We use Gio to have some objects that we know exist
 const GLib = imports.gi.GLib;
 const Gio = imports.gi.Gio;
+const GObject = imports.gi.GObject;
 const Lang = imports.lang;
 
 const INT8_MIN = (-128);
@@ -312,6 +313,20 @@ function testArrayIn() {
     assertEquals(10, Everything.test_array_gint8_in("\x01\x02\x03\x04"));
     assertEquals(10, Everything.test_array_gint16_in("\x01\x02\x03\x04"));
     assertEquals(2560, Everything.test_array_gint16_in("\u0100\u0200\u0300\u0400"));
+
+    // GType arrays
+    assertEquals('[GSimpleAction,GIcon,GBoxed,]',
+                 Everything.test_array_gtype_in([Gio.SimpleAction, Gio.Icon, GObject.TYPE_BOXED]));
+    assertRaises(function() {
+        Everything.test_array_gtype_in(42);
+    });
+    assertRaises(function() {
+        Everything.test_array_gtype_in([undefined]);
+    });
+    assertRaises(function() {
+        // 80 is G_TYPE_OBJECT, but we don't want it to work
+        Everything.test_array_gtype_in([80]);
+    });
 }
 
 function testArrayOut() {
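Review bot: The negative cases added to `testArrayIn` cover a non-array argument, `[undefined]` and a bare number, but not `[null]` or an object that is not a GType, such as `[{}]`. Those are the element kinds most likely to pass an is-object check and still reach the GType lookup, so they are worth pinning down because the bug being fixed was a native crash rather than a JS exception. Adding `assertRaises(function() { Everything.test_array_gtype_in([null]); });` and the same call with `[{}]` would do it. `testArrayIn` begins above this hunk.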

