Possible SEGV (null pointer deref) in _g_resource_file_new()
There appears to be a possible SEGV (null pointer dereference) in _g_resource_file_new(). The relevant code is here:
/* Excerpt from gio/gresourcefile.c as quoted in the report; ".." marks
 * lines the reporter elided. */
GFile * _g_resource_file_new (const char *uri)
{
..
/* g_uri_unescape_string() returns NULL when the escaped string is invalid
 * (the trace below shows a URI containing "%com", which is not a valid
 * percent-escape); the result is not checked before it is used. */
path = g_uri_unescape_string (uri + strlen ("resource:"), NULL);
/* With path == NULL this reaches canonicalize_filename() -> strlen(NULL)
 * (frames #0-#2 of the trace), which is the reported SEGV. A NULL check
 * on path before this call is the missing guard. */
resource = g_resource_file_new_for_path (path);
..
}
The problem is that g_uri_unescape_string() can return NULL if the input string is not valid (see here). That NULL is passed on unchecked to g_resource_file_new_for_path(), which hands it to canonicalize_filename() and strlen() (frames #0-#2 in the trace below), causing a SEGV (null pointer dereference).
Attached is a (corrupted) gtk.css file that can trigger the problem. To reproduce: (1) replace the system /usr/share/themes/Yaru/gtk-3.0/gtk.css with the attached file, then (2) run gnome-system-monitor. This will trigger the crash, at least on my test machine.
Attachment: gtk.css
Stack trace:
Thread 1 "gnome-system-mo" received signal SIGSEGV, Segmentation fault.
__strlen_sse2 () at ../sysdeps/x86_64/multiarch/strlen-sse2.S:142
#0 __strlen_sse2 () at ../sysdeps/x86_64/multiarch/strlen-sse2.S:142
#1 0x00007ffff7a5bffd in canonicalize_filename (in=0x0)
at ../../../gio/gresourcefile.c:183
#2 0x00007ffff7a856c4 in g_resource_file_new_for_path (path=0x0)
at ../../../gio/gresourcefile.c:236
#3 _g_resource_file_new (uri=<optimized out>)
at ../../../gio/gresourcefile.c:248
#4 resource_get_file_for_uri
(vfs=<optimized out>, uri=<optimized out>, user_data=<optimized out>)
at ../../../gio/gvfs.c:96
#5 0x00007ffff7a86795 in get_file_for_uri_internal
(uri=0x5555556bbfc0 "resource:///%com/ubuntu/themes/Yaru/3.0/gtk.css", vfs=0x5555556afcf0) at ../../../gio/gvfs.c:214
#6 g_vfs_get_file_for_uri
(vfs=0x5555556afcf0, uri=0x5555556bbfc0 "resource:///%com/ubuntu/themes/Yaru/3.0/gtk.css") at ../../../gio/gvfs.c:248
#7 0x00007ffff71371c8 in _gtk_css_parser_read_url (parser=0x5555556be610)
at ../../../gtk/gtkcssparser.c:873
#8 0x00007ffff71388ee in parse_import (scanner=0x5555556ba900)
at ../../../gtk/gtkcssprovider.c:1025
#9 parse_at_keyword (scanner=0x5555556ba900)
at ../../../gtk/gtkcssprovider.c:1301
#10 parse_statement (scanner=0x5555556ba900)
at ../../../gtk/gtkcssprovider.c:1642
#11 parse_stylesheet (scanner=0x5555556ba900)
at ../../../gtk/gtkcssprovider.c:1660
#12 gtk_css_provider_load_internal
(css_provider=css_provider@entry=0x55555569e410, parent=parent@entry=0x0, file=file@entry=0x5555556bc880, text=<optimized out>,
text@entry=0x0, error=error@entry=0x0)
at ../../../gtk/gtkcssprovider.c:1787
#13 0x00007ffff713a8bb in gtk_css_provider_load_from_file
(css_provider=css_provider@entry=0x55555569e410, file=file@entry=0x5555556bc880, error=error@entry=0x0) at ../../../gtk/gtkcssprovider.c:1890
#14 0x00007ffff713a949 in gtk_css_provider_load_from_path
(css_provider=css_provider@entry=0x55555569e410, path=path@entry=0x5555556a9870 "/usr/share/themes/Yaru/gtk-3.0/gtk.css", error=error@entry=0x0)
at ../../../gtk/gtkcssprovider.c:1924
#15 0x00007ffff713abd7 in _gtk_css_provider_load_named
(provider=0x55555569e410, name=<optimized out>, variant=<optimized out>)
at ../../../gtk/gtkcssprovider.c:2166
#16 0x00007ffff7287f0a in settings_update_theme
(settings=settings@entry=0x555555690f10) at ../../../gtk/gtksettings.c:3321
#17 0x00007ffff728c51c in settings_init_style (settings=0x555555690f10)
at ../../../gtk/gtksettings.c:1910
#18 gtk_settings_create_for_display (display=<optimized out>)
at ../../../gtk/gtksettings.c:1996
#19 gtk_settings_get_for_display (display=<optimized out>)
at ../../../gtk/gtksettings.c:2028
#20 0x00007ffff7215dc8 in display_opened_cb
(display_manager=<optimized out>, display=display@entry=0x555555650e70)
at ../../../gtk/gtkmodules.c:498
#21 0x00007ffff7ed4ab5 in g_cclosure_marshal_VOID__OBJECTv
(closure=0x55555563d0d0, return_value=<optimized out>, instance=0x55555563cfc0, args=<optimized out>, marshal_data=<optimized out>, n_params=<optimized out>, param_types=0x55555563ce20) at ../../../gobject/gmarshal.c:1910
#22 0x00007ffff7ef383c in _g_closure_invoke_va
(param_types=<optimized out>, n_params=<optimized out>, args=0x7fffffffd8d0, instance=<optimized out>, return_value=<optimized out>, closure=0x55555563d0d0) at ../../../gobject/gclosure.c:895
#23 g_signal_emit_valist
(instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffd8d0) at ../../../gobject/gsignal.c:3462
#24 0x00007ffff7ef3923 in g_signal_emit
(instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at ../../../gobject/gsignal.c:3612
#25 0x00007ffff7ef383c in _g_closure_invoke_va
(param_types=<optimized out>, n_params=<optimized out>, args=0x7fffffffdb50, instance=<optimized out>, return_value=<optimized out>, closure=0x5555556504e0) at ../../../gobject/gclosure.c:895
#26 g_signal_emit_valist
(instance=instance@entry=0x555555650e70, signal_id=<optimized out>,
signal_id@entry=18, detail=<optimized out>, var_args=var_args@entry=0x7fffffffdb50) at ../../../gobject/gsignal.c:3462
#27 0x00007ffff7ef3b28 in g_signal_emit_by_name
(instance=instance@entry=0x555555650e70, detailed_signal=detailed_signal@entry=0x7ffff7972677 "opened") at ../../../gobject/gsignal.c:3654
#28 0x00007ffff795434c in _gdk_x11_display_open (display_name=<optimized out>)
at ../../../gdk/x11/gdkdisplay-x11.c:1803
#29 0x00007ffff79019a7 in gdk_display_manager_open_display
(manager=<optimized out>, name=0x0) at ../../../gdk/gdkdisplaymanager.c:462
#30 0x00007ffff71f4728 in gtk_init_check
(argc=<optimized out>, argv=<optimized out>) at ../../../gtk/gtkmain.c:1110
#31 gtk_init_check (argc=<optimized out>, argv=<optimized out>)
at ../../../gtk/gtkmain.c:1102
#32 0x00007ffff71f5d2d in gtk_init (argc=<optimized out>, argv=<optimized out>)
at ../../../gtk/gtkmain.c:1167
#33 0x00007ffff6c389af in Gtk::Application::Application(Glib::ustring const&, Gio::ApplicationFlags)
(this=this@entry=0x5555555cd6f0, __vtt_parm=__vtt_parm@entry=0x5555555a6650 <VTT for GsmApplication+8>, application_id=..., flags=flags@entry=Gio::APPLICATION_HANDLES_COMMAND_LINE, this=<optimized out>, __vtt_parm=<optimized out>, application_id=<optimized out>, flags=<optimized out>)
at gtk/gtkmm/application.cc:87
#34 0x0000555555573acf in GsmApplication::GsmApplication()
(this=this@entry=0x5555555cd6f0, this=<optimized out>)
at ../src/application.cpp:392
#35 0x0000555555573ddd in GsmApplication::get() ()
at ../src/application.cpp:403
#36 0x000055555556fe7a in main(int, char**) (argc=1, argv=0x7fffffffe008)
at ../src/main.cpp:37