NULL pointer dereference in function parse_value_from_blob()
A NULL pointer dereference bug was found in function parse_value_from_blob() (line 1471): type_string is NULL when type_string[0] is read.
    1471   switch (type_string[0]) // NULL pointer dereference: type_string may be NULL here
    1472     {
    1473     case 'b': /* G_VARIANT_TYPE_BOOLEAN */
    1474       ensure_input_padding (buf, 4);
    1475       if (!just_align)
    1476         {
    1477           gboolean v;
    1478           v = g_memory_buffer_read_uint32 (buf);
    1479           ret = g_variant_new_boolean (v);
    1480         }
    1481       break;
The ASAN output is as below:
==28616==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000535630 bp 0x7ffe0b16af30 sp 0x7ffe0b16ace0 T0)
==28616==The signal is caused by a READ memory access.
==28616==Hint: address points to the zero page.
#0 0x53562f in parse_value_from_blob /work/meson/../../src/glib/gio/gdbusmessage.c:1471:11
#1 0x536188 in parse_value_from_blob /work/meson/../../src/glib/gio/gdbusmessage.c:1856:23
#2 0x535cff in parse_value_from_blob /work/meson/../../src/glib/gio/gdbusmessage.c:1776:23
#3 0x535fe1 in parse_value_from_blob /work/meson/../../src/glib/gio/gdbusmessage.c:1729:30
#4 0x534c37 in g_dbus_message_new_from_blob /work/meson/../../src/glib/gio/gdbusmessage.c:2090:13
#5 0x5311d0 in main /src/dbus_message.c:33:7
#6 0x7f41d634182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x41ddc8 in _start (/src/gdbus_message+0x41ddc8)
The attachment is a test program.
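As an added illustration (not GLib's code), a minimal stand-in for the 'b' case of the parser above: it rejects a NULL or empty type string before type_string[0] is read, which is the check the crashing path lacks, and bounds-checks the buffer reads. mem_buffer, ensure_padding, read_uint32 and parse_bool_from_blob are hypothetical names standing in for GMemoryBuffer, ensure_input_padding and g_memory_buffer_read_uint32.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical stand-in for GLib's GMemoryBuffer: a blob plus a read cursor. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} mem_buffer;

/* Advance the cursor to the next multiple of `align` (role of ensure_input_padding),
 * failing instead of stepping past the end of the blob. */
static bool ensure_padding(mem_buffer *buf, size_t align) {
    size_t padded = (buf->pos + align - 1) & ~(align - 1);
    if (padded > buf->len) return false;
    buf->pos = padded;
    return true;
}

/* Little-endian uint32 read with an explicit remaining-length check. */
static bool read_uint32(mem_buffer *buf, uint32_t *out) {
    if (buf->len - buf->pos < 4) return false;
    const uint8_t *p = buf->data + buf->pos;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    buf->pos += 4;
    return true;
}

/* Returns 0 on success with *value set, -1 on malformed input.
 * The first test is the one missing in the report: a NULL type string is
 * refused before type_string[0] is dereferenced. */
int parse_bool_from_blob(const char *type_string, mem_buffer *buf, bool *value) {
    if (type_string == NULL || type_string[0] == '\0') return -1;
    switch (type_string[0]) {
    case 'b': { /* G_VARIANT_TYPE_BOOLEAN: 4-byte aligned uint32 */
        uint32_t v;
        if (!ensure_padding(buf, 4) || !read_uint32(buf, &v)) return -1;
        *value = (v != 0);
        return 0;
    }
    default:
        return -1; /* other type codes are out of scope for this stand-in */
    }
}
```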
Credit: ADLab of Venustech