
arg: Handle case with null array and garbage length

Philip Chimento requested to merge 201-null-out-arrays into master

It happens sometimes in the case of an array out argument with a separate length argument, that C code passes a NULL array pointer with garbage as the length.

In the particular case that caused the crash in the associated bug report, gtk_selection_data_get_targets() passed NULL as the array pointer and -1 as the length, which later got interpreted as an unsigned int and so caused a failure to allocate memory.

I doubt that the C code should be doing this, but in any case we should not crash in this case. This adds a check for this situation to gjs_array_from_carray_internal() as well as to all the shortcuts and special cases called from there.

Closes: #201 (closed)
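The edge case described in this merge request, as an added example that is not GJS code and not the project's gjs_array_from_carray_internal(): a C call that fails leaves its out-array NULL and its out-length at -1, and a conversion routine that casts that length to unsigned ends up trying to allocate UINT_MAX elements. The names get_targets(), converted_array and convert_carray() are hypothetical stand-ins for gtk_selection_data_get_targets(), the JS array the binding would build, and the converter; the sample data is constructed.

```c
/* Added example, not GJS code: converting a C out-array that comes with a
 * separate length argument, tolerating a NULL pointer paired with a garbage
 * (negative) length, as in the gtk_selection_data_get_targets() case above. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result type; stands in for the JS array the real binding
 * would build. */
typedef struct {
    uint32_t *items;
    size_t count;
    bool ok;
} converted_array;

/* Hypothetical stand-in for a C API like gtk_selection_data_get_targets():
 * on failure it leaves the out-array NULL and the out-length set to -1. */
static bool get_targets(uint32_t **out_targets, int *out_length, bool fail) {
    static uint32_t targets[] = {10, 20, 30}; /* constructed sample data */
    if (fail) {
        *out_targets = NULL;
        *out_length = -1;
        return false;
    }
    *out_targets = targets;
    *out_length = (int)(sizeof targets / sizeof targets[0]);
    return true;
}

/* The mistake: a signed length reinterpreted as an unsigned element count.
 * -1 becomes UINT_MAX, so an allocation for that many elements fails,
 * which is the crash the bug report describes. */
static size_t naive_element_count(int length) {
    return (size_t)(unsigned int)length;
}

/* The fix: a NULL array, whatever the length says, or a negative length is
 * treated as "no elements" and yields an empty but valid result. */
static converted_array convert_carray(const uint32_t *src, int length) {
    converted_array r = {NULL, 0, true};
    if (src == NULL || length < 0)
        return r;
    if (length == 0)
        return r;   /* avoid malloc(0), whose result is implementation-defined */
    r.items = malloc((size_t)length * sizeof *r.items);
    if (r.items == NULL) {
        r.ok = false;
        return r;
    }
    memcpy(r.items, src, (size_t)length * sizeof *r.items);
    r.count = (size_t)length;
    return r;
}

/* Scenario from the bug report: the call fails, leaving NULL and -1.
 * Returns the element count of the converted result (0 expected), or
 * (size_t)-1 if conversion reported failure. */
static size_t demo_failed_call(void) {
    uint32_t *targets;
    int length;
    get_targets(&targets, &length, true);
    converted_array a = convert_carray(targets, length);
    size_t count = a.ok ? a.count : (size_t)-1;
    free(a.items);
    return count;
}

/* Normal path: returns the sum of the converted elements (60 expected). */
static uint32_t demo_successful_call(void) {
    uint32_t *targets;
    int length;
    get_targets(&targets, &length, false);
    converted_array a = convert_carray(targets, length);
    uint32_t sum = 0;
    for (size_t i = 0; a.ok && i < a.count; i++)
        sum += a.items[i];
    free(a.items);
    return sum;
}

int main(void) {
    printf("naive element count for length -1: %zu\n", naive_element_count(-1));
    printf("failed call converts to %zu elements\n", demo_failed_call());
    printf("successful call sums to %u\n", demo_successful_call());
    return 0;
}
```

The check in convert_carray() is deliberately on both conditions: a NULL array with a positive length is just as invalid as a negative length with a non-NULL array, and a converter that only looks at one of them still has a path that reads from NULL or requests a huge allocation.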
