[pango/attr-list-bad-access: 4/4] AVoid a use-after-free in pango_attr_list_change




commit 5de30b596bd4b2b65715fc283264448127ca4b61
Author: Matthias Clasen <mclasen redhat com>
Date:   Wed Mar 16 15:46:51 2022 -0400

    AVoid a use-after-free in pango_attr_list_change
    
    This was showing up as crashes in pitivi and inkscape.
    
    The added test does not crash, but it does produce
    the wrong result without the fix.
    
    Fixes: #678

 pango/pango-attributes.c |  3 +++
 tests/testattributes.c   | 23 +++++++++++++++++++++++
 2 files changed, 26 insertions(+)
---
diff --git a/pango/pango-attributes.c b/pango/pango-attributes.c
index 4d7111fa..20809afc 100644
--- a/pango/pango-attributes.c
+++ b/pango/pango-attributes.c
@@ -2157,6 +2157,9 @@ pango_attr_list_change (PangoAttrList  *list,
       if (tmp_attr->klass->type != attr->klass->type)
         continue;
 
+      if (tmp_attr == attr)
+        continue;
+
       if (tmp_attr->end_index <= attr->end_index ||
           pango_attribute_equal (tmp_attr, attr))
         {
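Review bot: The added identity check `if (tmp_attr == attr) continue;` carries no explanation of why the attribute just inserted into the list can turn up in its own merge scan and get destroyed, which is the whole point of the fix; a one-line comment would keep a later refactor from dropping it: `/* attr is already in the list; never merge or destroy it against itself (#678). */`. The check sits after the `klass->type` comparison, which is harmless since attr trivially matches its own type, but putting the identity test first would make the intent more visible. The enclosing loop and pango_attr_list_change start and end outside the hunk, so whether the scan could instead begin past attr's insertion point cannot be judged from here.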
diff --git a/tests/testattributes.c b/tests/testattributes.c
index 4a6b69b4..5d3334e8 100644
--- a/tests/testattributes.c
+++ b/tests/testattributes.c
@@ -1398,6 +1398,28 @@ test_change_order (void)
   pango_attr_list_unref (list);
 }
 
+static void
+test_pitivi_crash (void)
+{
+  PangoAttrList *list;
+  PangoAttribute *attr;
+
+  list = pango_attr_list_from_string ("0 8 font-features \"tnum=1\"\n"
+                                      "0 20 font-desc \"sans-serif\"\n"
+                                      "0 9 size 102400\n");
+
+  attr = pango_attr_font_features_new ("tnum=2");
+  attr->end_index = 9;
+
+  pango_attr_list_change (list, attr);
+
+  assert_attr_list (list, "0 9 font-features \"tnum=2\"\n"
+                          "0 20 font-desc \"sans-serif\"\n"
+                          "0 9 size 102400\n");
+
+  pango_attr_list_unref (list);
+}
+
 int
 main (int argc, char *argv[])
 {
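Review bot: test_pitivi_crash does not state what it regresses, and as the commit message says it does not crash without the fix, so a reader cannot tell from the test alone that the interesting failure is a use-after-free rather than the asserted merge result; a header comment would help: `/* Regression test for #678: changing a font-features attr whose end_index collides with an existing one must update it in place, not destroy the newly inserted attr (use-after-free). */`. Because the memory error only shows up under a sanitizer, it is worth confirming that this test runs under ASan or valgrind in CI so the regression is caught as a crash and not only as a wrong string comparison. Ownership of `attr` appears to pass to the list in pango_attr_list_change, so no explicit destroy in the test looks necessary, but that should be confirmed against the API documentation.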
@@ -1439,6 +1461,7 @@ main (int argc, char *argv[])
   g_test_add_func ("/attributes/iter/epsilon_zero", test_iter_epsilon_zero);
   g_test_add_func ("/attributes/gnumeric-splice", test_gnumeric_splice);
   g_test_add_func ("/attributes/list/change_order", test_change_order);
+  g_test_add_func ("/attributes/pitivi-crash", test_pitivi_crash);
 
   return g_test_run ();
 }

