Wrong GTask tag on error return path in g_proxy_resolver_lookup_async()
Code to reproduce:
gdbus call --session --dest org.gtk.GLib.PACRunner --object-path /org/gtk/GLib/PACRunner --method org.gtk.GLib.PACRunner.Lookup {"asdf", "asdf"}
(Confirmed there was a bug by watching dmesg -w while calling this).
OS:
Linux fedora 5.19.16-200.fc36.x86_64
Explanation (to the best of my understanding):
Using the call above, the string (^as) is passed as the first argument into gvariant.c::g_variant_valist_new.
The while loop that finished this function iterates over the string and eventually calls gvariant.c::g_variant_valist_new_nnp and hits the ^ case with the type equal to s. At this time, the ptr variable is NULL, so gvariant.c::g_variant_new_strv is called with NULL and -1 as arg1 and arg2 respectively.
The g_return_val_if_fail check in gvariant.c::g_variant_new_strv will pass if arg2 == 0 (it is -1 here) OR arg1 != NULL (it is NULL here), so the function returns NULL as the check fails.
The return value of this function (which is NULL) is ultimately passed as the 2nd argument into g_variant_builder_add_value where it tries to dereference a struct field from this argument in g_variant_is_trusted.
After some testing, there were several viable fixes, but the best/easiest are to either confirm arg2 is not NULL in gvariant.c::g_variant_builder_add_value or confirm the ptr variable is not NULL in https://gitlab.gnome.org/GNOME/glib/-/blob/main/glib/gvariant.c#L4796 (this seems to be the more appropriate fix as currently only the a case checks that ptr is not NULL).