[gvdb/mcatanzaro/fix-write-contents-async] Fix gvdb_table_write_contents_async()

From: Michael Catanzaro <mcatanzaro src gnome org>
To: commits-list gnome org
Cc:
Subject: [gvdb/mcatanzaro/fix-write-contents-async] Fix gvdb_table_write_contents_async()
Date: Thu, 27 Jun 2019 21:59:37 +0000 (UTC)

commit d83587b2a364eb9a9a53be7e6a708074e252de14
Author: Michael Catanzaro <mcatanzaro igalia com>
Date:   Thu Jun 27 16:58:03 2019 -0500

    Fix gvdb_table_write_contents_async()
    
    It worked when I first wrote it, but I broke it during the late stages
    of code review. str is already freed here, so this is a use-after-free
    vulnerability for starters. It also causes the file saved to be always
    empty.

 gvdb-builder.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
---
diff --git a/gvdb-builder.c b/gvdb-builder.c
index cf94691..e36e9ab 100644
--- a/gvdb-builder.c
+++ b/gvdb-builder.c
@@ -608,7 +608,9 @@ gvdb_table_write_contents_async (GHashTable          *table,
   g_task_set_task_data (task, data, (GDestroyNotify)write_contents_data_free);
   g_task_set_source_tag (task, gvdb_table_write_contents_async);
 
-  g_file_replace_contents_async (file, str->str, str->len,
+  g_file_replace_contents_async (file,
+                                 g_bytes_get_data (bytes, NULL),
+                                 g_bytes_get_size (bytes),
                                  NULL, FALSE,
                                  G_FILE_CREATE_PRIVATE | G_FILE_CREATE_REPLACE_DESTINATION,
                                  cancellable, replace_contents_cb, g_steal_pointer (&task));

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]