[gtk/gtk-3-24: 1/2] printing: Fix crash in avahi_service_resolver_cb
- From: Matthias Clasen <matthiasc src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gtk/gtk-3-24: 1/2] printing: Fix crash in avahi_service_resolver_cb
- Date: Thu, 23 Jan 2020 16:43:38 +0000 (UTC)
commit 3d5f083b75a0c2b50fb5528a19e0e095e85a438e
Author: WGH <wgh torlan ru>
Date: Thu Jan 23 18:27:41 2020 +0300
printing: Fix crash in avahi_service_resolver_cb
printer_name_compressed_strv is a NULL-terminated array
of gchar*, which means room for N+1 elements (not N) must be allocated.
Otherwise, if the printer name has no empty components
(which is usually the case), printer_name_compressed_strv[N],
which should contain the NULL sentinel, will actually lie
just outside of allocated memory, which is UB.
In my case, it led to crashes inside g_strjoinv
when Print... dialog is opened in evince.
#0 0x00007fad2ce1bad7 in __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:96
#1 0x00007fad2d04d88d in g_strjoinv (separator=separator@entry=0x7fad0c9bc508 "-",
str_array=str_array@entry=0x556b017f0200) at ../glib-2.60.7/glib/gstrfuncs.c:2585
#2 0x00007fad0c9b8a89 in avahi_service_resolver_cb (source_object=<optimized out>, res=<optimized
out>, user_data=0x7fad08020ee0) at
/var/tmp/portage/x11-libs/gtk+-3.24.13/work/gtk+-3.24.13/modules/printbackends/cups/gtkprintbackendcups.c:3223
#3 0x00007fad2d1f8ed3 in g_task_return_now (task=0x556b017a8b00 [GTask]) at
../glib-2.60.7/gio/gtask.c:1209
#4 0x00007fad2d1f987d in g_task_return (task=0x556b017a8b00 [GTask], type=<optimized out>) at
../glib-2.60.7/gio/gtask.c:1278
#5 0x00007fad2d1f9dec in g_task_return (type=G_TASK_RETURN_SUCCESS, task=<optimized out>) at
../glib-2.60.7/gio/gtask.c:1678
#6 0x00007fad2d1f9dec in g_task_return_pointer (task=<optimized out>, result=<optimized out>,
result_destroy=<optimized out>) at ../glib-2.60.7/gio/gtask.c:1683
#7 0x00007fad2d24b6af in g_dbus_connection_call_done (source=<optimized out>, result=0x556b017a8bc0,
user_data=0x556b017a8b00) at ../glib-2.60.7/gio/gdbusconnection.c:5747
#8 0x00007fad2d1f8ed3 in g_task_return_now (task=0x556b017a8bc0 [GTask]) at
../glib-2.60.7/gio/gtask.c:1209
#9 0x00007fad2d1f8f09 in complete_in_idle_cb (task=0x556b017a8bc0) at ../glib-2.60.7/gio/gtask.c:1223
#10 0x00007fad2d02d2c0 in g_main_dispatch (context=0x556b00eee090) at ../glib-2.60.7/glib/gmain.c:3189
#11 0x00007fad2d02d2c0 in g_main_context_dispatch (context=context@entry=0x556b00eee090) at
../glib-2.60.7/glib/gmain.c:3854
#12 0x00007fad2d02d658 in g_main_context_iterate (context=context@entry=0x556b00eee090,
block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib-2.60.7/glib/gmain.c:3927
#13 0x00007fad2d02d6df in g_main_context_iteration (context=context@entry=0x556b00eee090,
may_block=may_block@entry=1) at ../glib-2.60.7/glib/gmain.c:3988
#14 0x00007fad2d22248d in g_application_run (application=0x556b0116f130 [EvApplication],
argc=<optimized out>, argv=<optimized out>) at ../glib-2.60.7/gio/gapplication.c:2519
#15 0x0000556b002e55a1 in ()
#16 0x00007fad2ccd6f1b in __libc_start_main (main=0x556b002e50d0, argc=2, argv=0x7ffe1057fa88,
init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe1057fa78) at
../csu/libc-start.c:308
#17 0x0000556b002e567a in ()
(gdb) p printer_name_compressed_strv[0]
$4 = (gchar *) 0x556d4a4be430 "Brother"
(gdb) p printer_name_compressed_strv[1]
$5 = (gchar *) 0x7f9dbc011090 "MFC"
(gdb) p printer_name_compressed_strv[2]
$6 = (gchar *) 0x556d4a51ba50 "7860DW"
(gdb) p printer_name_compressed_strv[3]
$7 = (gchar *) 0x401 <error: Cannot access memory at address 0x401>
modules/printbackends/cups/gtkprintbackendcups.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
---
diff --git a/modules/printbackends/cups/gtkprintbackendcups.c
b/modules/printbackends/cups/gtkprintbackendcups.c
index 4499ef8498..610d688797 100644
--- a/modules/printbackends/cups/gtkprintbackendcups.c
+++ b/modules/printbackends/cups/gtkprintbackendcups.c
@@ -3210,7 +3210,7 @@ avahi_service_resolver_cb (GObject *source_object,
g_strcanon (printer_name, PRINTER_NAME_ALLOWED_CHARACTERS, '-');
printer_name_strv = g_strsplit_set (printer_name, "-", -1);
- printer_name_compressed_strv = g_new0 (gchar *, g_strv_length (printer_name_strv));
+ printer_name_compressed_strv = g_new0 (gchar *, g_strv_length (printer_name_strv) + 1);
for (i = 0, j = 0; printer_name_strv[i] != NULL; i++)
{
if (printer_name_strv[i][0] != '\0')
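Review bot: The `+ 1` on the g_new0 line deserves a comment, because nothing in the visible loop ever writes the sentinel slot; it stays NULL only because g_new0 zero-fills, so a later switch to g_new or a different sizing expression would silently reintroduce the over-read that the backtrace shows in g_strjoinv: `/* +1: the trailing slot is the NULL sentinel g_strjoinv stops at; g_new0 leaves it zeroed */`. It is also worth recording in the commit that printer_name here appears to derive from an Avahi-resolved service name, i.e. unauthenticated mDNS data from the local network, so the out-of-bounds read was reachable by any host on the LAN rather than only by a local misconfiguration. The loop body, the g_strjoinv call and the corresponding frees lie outside this hunk, so the sentinel invariant should be checked against them as well.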