g_bookmark_file_load_from_data() function segmentation faults on malformed input
Submitted by Jussi Judin
Link to original bug (#749082)
Description
Created attachment 303049 A collection of files that make g_bookmark_file_load_from_data() segmentation fault
g_bookmark_file_load_from_data() function segmentation faults on a certain type of malformed input on glib 2.45.1 with Ubuntu 14.10 as a base. The following test program demonstrates this issue:
#include <glib.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    /* Read up to 1 MiB of (possibly malformed) bookmark data from stdin. */
    static char buffer[1048576];
    size_t read_bytes = fread(buffer, 1, sizeof(buffer) - 1, stdin);
    printf("%zu\n", read_bytes);
    if (read_bytes < 1) {
        return EXIT_FAILURE;
    }

    /* Hand the raw bytes to the parser. Passing NULL for the GError means any
       reported parse error is ignored, so only the crash itself is visible. */
    GBookmarkFile* bookmark_file = g_bookmark_file_new();
    g_bookmark_file_load_from_data(bookmark_file, buffer, read_bytes, NULL);
    g_bookmark_file_free(bookmark_file);
    return EXIT_SUCCESS;
}
When you compile this program and run it on an example input, you'll see the following output:
$ gcc -ggdb -o glib-bookmark glib-bookmark.c $(pkg-config --cflags --libs glib-2.0) -lpthread
$ echo -n "</" | ./glib-bookmark
2
Segmentation fault (core dumped)
Program terminated with signal SIGSEGV, Segmentation fault.
#0 current_element (context=0xbf4a90) at gmarkup.c:889
889 return context->tag_stack->data;
(gdb) bt
#0 current_element (context=0xbf4a90) at gmarkup.c:889
#1 g_markup_parse_context_end_parse (context=context@entry=0xbf4a90,
error=error@entry=0x7ffff9594140) at gmarkup.c:1843
#2 0x00000000004089f1 in g_bookmark_file_parse (error=0x7ffff9594130,
length=<optimized out>, buffer=0x8a31c0 <buffer> "</",
bookmark=<optimized out>) at gbookmarkfile.c:1432
#3 g_bookmark_file_load_from_data (bookmark=<optimized out>,
data=0x8a31c0 <buffer> "</", length=<optimized out>, error=0x0)
at gbookmarkfile.c:1649
#4 0x0000000000401faf in main () at glib-bookmark.c:15
Attached is a tarball of files that also result in all kinds of warnings of the type "GLib-WARNING **: (gbookmarkfile.c" and then crash the program with a segmentation fault. These may also reveal some additional issues besides the most simple input that causes a segmentation fault in that function.
Attachment 303049, "A collection of files that make g_bookmark_file_load_from_data() segmentation fault":
bookmark-crashes-min.tar.gz
Version: 2.45.x
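As an added example, not GLib's code and not part of the original report: a small C model of the tag-stack pattern visible in the backtrace. `current_element_unchecked` reproduces the unguarded `context->tag_stack->data` dereference, while `check_balance` uses a guarded peek so that a document consisting of just "</" yields a parse error instead of a crash. The `TagNode`/`Ctx` types, the function names and the return codes are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal linked tag stack standing in for GLib's GSList; NULL = nothing open. */
typedef struct TagNode { char name[32]; struct TagNode *next; } TagNode;
typedef struct { TagNode *tag_stack; } Ctx;

static void push_tag(Ctx *c, const char *name, size_t n) {
    TagNode *t = calloc(1, sizeof *t);
    if (n >= sizeof t->name) n = sizeof t->name - 1;   /* truncate long names */
    memcpy(t->name, name, n);
    t->next = c->tag_stack;
    c->tag_stack = t;
}

static void pop_tag(Ctx *c) { TagNode *t = c->tag_stack; c->tag_stack = t->next; free(t); }
/* The pattern from the backtrace ("return context->tag_stack->data"): peeks the
 * head with no NULL check, so input that is just "</" dereferences NULL.
 * Kept for contrast only; never called below. */
const char *current_element_unchecked(const Ctx *c) { return c->tag_stack->name; }
/* Guarded peek: an empty stack is reported to the caller instead of crashing. */
static const char *current_element_checked(const Ctx *c) {
    return c->tag_stack ? c->tag_stack->name : NULL;
}
/* Balance checker over "<x>" / "</x>" tokens. Returns 0 when balanced, -1 on an
 * end tag with nothing open (the "</" case), -2 on a mismatched end tag, -3
 * when elements are still open at end of input. */
int check_balance(const char *data, size_t len) {
    Ctx c = { NULL };
    int rc = 0;
    for (size_t i = 0; i < len && rc == 0; ) {
        if (data[i] != '<') { i++; continue; }
        int closing = (i + 1 < len && data[i + 1] == '/');
        size_t start = i + 1 + closing, end = start;
        while (end < len && data[end] != '>') end++;   /* name runs to '>' or EOF */
        if (!closing) {
            push_tag(&c, data + start, end - start);
        } else {
            const char *open = current_element_checked(&c);
            if (open == NULL) rc = -1;
            else if (strncmp(open, data + start, end - start) || open[end - start]) rc = -2;
            else pop_tag(&c);
        }
        i = end + 1;
    }
    if (rc == 0 && c.tag_stack != NULL) rc = -3;
    while (c.tag_stack) pop_tag(&c);   /* release anything left open */
    return rc;
}
```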