Null Pointer Dereference in gvs_tuple_needed_size
Hello,
I'm reporting a vulnerability one of our researchers discovered. Please let me know if I can proceed with creating a CVE for this once it's been reviewed.
Summary: Null Pointer Dereference in gvs_tuple_needed_size
Severity: Low, CVSS 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Description: In the function gvs_tuple_needed_size() in glib/gvariant-serialiser.c, if the n_children parameter passed to gvs_tuple_needed_size() is 0, the body of the for loop never executes, so member_info stays NULL; the function then calls gvs_calculate_total_size (offset, member_info->i + 1);, which dereferences member_info and causes a NULL pointer dereference.
See e.g. https://gitlab.gnome.org/GNOME/glib/-/blob/main/glib/gvariant-serialiser.c#L1130
Impact: A NULL pointer dereference would likely result in denial of service of the application linked with this functionality. However, this finding is currently rated Low severity because there is no proof-of-concept program for it (it was found only via static analysis).
Recommendations: Check member_info for NULL prior to using it, or document that the function must not be passed a 0 value for n_children.
CWE: CWE-476: NULL Pointer Dereference
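The control flow described above, and the check the recommendation asks for, as an added example that is not GLib's code or the reporter's: a small model in which member_info is assigned only inside the loop, so n_children == 0 reaches the dereference with NULL, placed beside a hardened version that refuses the empty case. The MemberInfo struct, the calculate_total_size() helper and the per-child sizes are hypothetical stand-ins for the real serialiser types; what the real function should return for an empty tuple is not established by the report, so the hardened form simply reports failure to the caller.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed model (not GLib code): hypothetical stand-in for the
 * per-member information the real serialiser keeps. */
typedef struct {
    size_t i;     /* stands in for member_info->i, the offset-array index */
    size_t size;  /* hypothetical fixed body size of this child */
} MemberInfo;

/* Hypothetical stand-in for gvs_calculate_total_size(): body bytes plus
 * one offset word per entry. */
static size_t calculate_total_size(size_t body, size_t n_offsets)
{
    return body + n_offsets * sizeof(size_t);
}

/* 'Before' form, kept deliberately to show the defect: member_info is
 * only assigned in the loop, so with n_children == 0 it is still NULL
 * at the final call (CWE-476). Never call this with n_children == 0. */
size_t tuple_needed_size_unchecked(const MemberInfo *members, size_t n_children)
{
    const MemberInfo *member_info = NULL;
    size_t offset = 0;

    for (size_t j = 0; j < n_children; j++) {
        member_info = &members[j];
        offset += member_info->size;
    }

    return calculate_total_size(offset, member_info->i + 1);
}

/* Hardened form following the report's recommendation: reject the case
 * that would leave member_info NULL before anything dereferences it.
 * Returns false instead of crashing; the caller decides what an empty
 * tuple means. */
bool tuple_needed_size_checked(const MemberInfo *members, size_t n_children,
                               size_t *needed)
{
    const MemberInfo *member_info = NULL;
    size_t offset = 0;

    if (members == NULL || n_children == 0 || needed == NULL)
        return false;

    for (size_t j = 0; j < n_children; j++) {
        member_info = &members[j];
        offset += member_info->size;
    }

    /* member_info is guaranteed non-NULL here: the loop ran at least once. */
    *needed = calculate_total_size(offset, member_info->i + 1);
    return true;
}

/* Constructed sample input: a two-member tuple. */
static const MemberInfo sample_members[2] = { { 0, 4 }, { 1, 8 } };

/* Size the hardened form computes for the sample, 0 if it refused. */
size_t example_needed_size_two(void)
{
    size_t needed = 0;
    return tuple_needed_size_checked(sample_members, 2, &needed) ? needed : 0;
}

/* True when the hardened form refuses the empty tuple instead of crashing. */
bool example_rejects_empty(void)
{
    size_t needed = 0;
    return !tuple_needed_size_checked(sample_members, 0, &needed);
}
```

For the non-empty case both forms agree, which is the point of the fix: the check changes behaviour only on the input that previously crashed. A fuzz harness or unit test that feeds n_children == 0 to the serialiser entry point would have caught the original path without any static analysis.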