Possible SEGV (null pointer deref) in parse_settings() from xsettings-client.c
There seems to be a possible SEGV (null pointer deref) in parse_settings() from xsettings-client.c (see here). The relevant code snippet is:
```c
static GHashTable *
parse_settings (unsigned char *data,
                size_t len)
{
  GValue *value = NULL;
  ...
  switch (type)
    {
    ...
    default: // If "default", then value remains NULL
      ...
      break;
    }
  ...
  if (gdk_name == NULL)
    {
      ...
      free_value (value); // <---- SEGV if value==NULL
    }
  ...
}
```
Steps to reproduce
This is difficult to reproduce. It is possible to do so by sending a corrupt X11 message such that `type` does not match any case in the `switch` statement, and `x_name` is a value not recognised by `gdk_from_xsettings_name()`. If this occurs, then `value==NULL` and `gdk_name==NULL` at the crash location.
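The two conditions above, modelled side by side with a hardened variant. This is an added example, not code from GTK or from the report: `Value`, `new_value()`, the type tags and the name map are constructed stand-ins, and the hardened form is one assumed mitigation, not the project's fix.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for GValue (not GLib's type). */
typedef struct { int g_type; long data; } Value;
static Value *new_value(int g_type)        /* NULL on allocation failure */
{
    Value *v = calloc(1, sizeof *v);
    if (v) v->g_type = g_type;
    return v;
}
/* Mirrors the page's free_value(): like g_value_unset(), no NULL check. */
static void free_value(Value *v) { v->g_type = 0; free(v); }
/* Hypothetical name map; unknown names give NULL, as gdk_from_xsettings_name() does. */
static const char *gdk_from_xsettings_name(const char *x_name)
{
    return strcmp(x_name, "Net/ThemeName") == 0 ? "gtk-theme-name" : NULL;
}

/* Reported pattern: an unknown type tag leaves value == NULL and the unknown-name
 * path frees it. Returns 1 accepted, 0 rejected, -1 where the real code would crash. */
static int parse_setting_unsafe(int type, const char *x_name)
{
    Value *value = NULL;
    switch (type) {
    case 0: case 1: value = new_value(type + 1); break;  /* constructed tags */
    default: break;                                      /* value remains NULL */
    }
    if (gdk_from_xsettings_name(x_name) == NULL) {
        if (value == NULL) return -1;  /* stand-in for the SIGSEGV in the backtrace */
        free_value(value);
        return 0;
    }
    if (value) free_value(value);      /* accepted path; not shown on the page */
    return 1;
}

/* Hardened variant (an assumption, not GTK's fix): reject the record when no
 * value was produced, before any cleanup, so free_value() never sees NULL. */
static int parse_setting_hardened(int type, const char *x_name)
{
    Value *value = NULL;
    switch (type) {
    case 0: case 1: value = new_value(type + 1); break;
    default: break;
    }
    if (value == NULL) return 0;       /* unknown type or allocation failure */
    if (gdk_from_xsettings_name(x_name) == NULL) { free_value(value); return 0; }
    free_value(value);
    return 1;
}
```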
Version information
Checked on Ubuntu 23.04 (shipped libs) and the latest git head.
Backtrace
```
Thread 1 "gedit" received signal SIGSEGV, Segmentation fault.
0x00007ffff7eeb038 in g_value_unset (value=value@entry=0x0) at ../../../gobject/gvalue.c:304
304       if (value->g_type == 0)
...
#0  0x00007ffff7eeb038 in g_value_unset (value=value@entry=0x0) at ../../../gobject/gvalue.c:304
#1  0x00007ffde85a9784 in free_value (data=0x0) at ../../../gdk/x11/xsettings-client.c:243
#2  parse_settings (len=<optimized out>, data=<optimized out>) at ../../../gdk/x11/xsettings-client.c:363
#3  read_settings (x11_screen=0x5555555bb030, do_notify=0) at ../../../gdk/x11/xsettings-client.c:444
#4  0x00007ffde858ef13 in _gdk_x11_xsettings_init (x11_screen=0x5555555bb030) at ../../../gdk/x11/xsettings-client.c:618
#5  _gdk_x11_display_open (display_name=<optimized out>) at ../../../gdk/x11/gdkdisplay-x11.c:1611
#6  0x00007ffde853c9a7 in gdk_display_manager_open_display (manager=<optimized out>, name=0x0)
    at ../../../gdk/gdkdisplaymanager.c:462
#7  0x00007ffde88d2aa5 in gtk_init_check (argc=0x0, argv=0x0) at ../../../gtk/gtkmain.c:1110
#8  0x00007ffde88d2af5 in gtk_init (argc=0x0, argv=0x0) at ../../../gtk/gtkmain.c:1167
#9  0x00007ffde86dbd17 in gtk_application_startup (g_application=0x555555583200) at ../../../gtk/gtkapplication.c:304
#10 0x00007ffff7f50074 in gedit_app_startup (application=0x555555583200) at ../gedit/gedit-app.c:667
#11 0x00007ffff7ec2010 in g_closure_invoke
    (closure=0x55555557eb20, return_value=0x0, n_param_values=1, param_values=0x7fffffffd9f0, invocation_hint=0x7fffffffd970) at ../../../gobject/gclosure.c:832
#12 0x00007ffff7eef08d in signal_emit_unlocked_R.isra.0
    (node=node@entry=0x55555557eb50, detail=detail@entry=0, instance=instance@entry=0x555555583200, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffd9f0) at ../../../gobject/gsignal.c:3732
#13 0x00007ffff7edf69a in g_signal_emit_valist
    (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffdb90)
    at ../../../gobject/gsignal.c:3555
#14 0x00007ffff7edf923 in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>)
    at ../../../gobject/gsignal.c:3612
#15 0x00007ffde913013f in g_application_register (application=0x555555583200, cancellable=0x0, error=0x7fffffffdd00)
    at ../../../gio/gapplication.c:2213
#16 0x00007ffde912e00f in g_application_real_local_command_line
    (application=0x555555583200, arguments=0x7fffffffdda0, exit_status=0x7fffffffdd90) at ../../../gio/gapplication.c:1115
#17 0x00007ffde86dbeb4 in gtk_application_local_command_line
    (application=0x555555583200, arguments=0x7fffffffdda0, exit_status=0x7fffffffdd90)
    at ../../../gtk/gtkapplication.c:343
#18 0x00007ffde91308f9 in g_application_run (application=0x555555583200, argc=1, argv=0x7fffffffdf48)
    at ../../../gio/gapplication.c:2542
#19 0x0000555555555400 in main (argc=1, argv=0x7fffffffdf48) at ../gedit/gedit.c:175
```