
gmenuexporter: Fix a NULL pointer dereference on an error handling path

This latent bug wasn’t triggered until commit 3f30ec86 (or its cherry-pick onto glib-2-80, 747e3af9, which was first released in 2.80.1).

That change means that g_menu_exporter_free() is now called on the registration failure path by g_dbus_connection_register_object() before it returns. The caller then tries to call g_slice_free() on the exporter again. The call to g_menu_exporter_free() tries to dereference/free members of the exporter which it expects to be initialised — but because this is happening in an error handling path, they are not initialised.

If it were to get any further, the g_slice_free() would then be a double-free on the exporter allocation.

Fix that by making g_menu_exporter_free() robust to some of the exporter members being NULL, and moving some of the initialisation code higher in g_dbus_connection_export_menu_model(), and removing the duplicate free code on the error handling path.

This includes a unit test.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Fixes: #3366 (closed)
