NULL pointer dereference in pango_parse_markup() with well-formed input
Submitted by Uli Schlachter
Link to original bug (#674277)
Description
Created attachment 212234
Patch which turns the segfault into a failed assertion. This just shows where IMHO the problem is. This should be fixed with proper error handling instead of this patch!
How to reproduce:
$ echo '<span gravity="auto">
test</span>
' | pango-view --markup /dev/stdin
(pango-view:1745): Pango-CRITICAL **: pango_attr_gravity_new: assertion `gravity != PANGO_GRAVITY_AUTO' failed
(pango-view:1745): Pango-CRITICAL **: pango_attribute_destroy: assertion `attr != NULL' failed
(pango-view:1745): Pango-CRITICAL **: pango_attr_gravity_new: assertion `gravity != PANGO_GRAVITY_AUTO' failed
Segmentation fault
The problem is in the markup parser. pango_attr_gravity_new() returns a NULL pointer because it gets called with PANGO_GRAVITY_AUTO. The caller (span_parse_func()) doesn't check for this and thus calls add_attribute() with its second argument being NULL. This NULL pointer gets added to the list in ot->attrs. Later on, markup_data_close_tag() dereferences this and crashes.
Someone who actually knows what he is doing should fix this properly. Either this should be turned into an error in span_parse_func() or markup_data_close_tag() should be fixed to be able to work with NULLs.
Please note that I didn't check if other attributes have similar problems. This is something which could be checked for in the test suite... :-)
Patch 212234, "Patch which turns the segfault into a failed assertion. This just shows where IMHO the problem is. This should be fixed with proper error handling instead of this patch!":
turn_crash_into_failed_assertion.patch
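The call chain described in the report (span_parse_func() -> pango_attr_gravity_new() -> add_attribute() -> markup_data_close_tag()), as an added example that is not Pango's code and not the attached patch: a small C stand-in with the buggy shape beside the "turn it into an error in span_parse_func()" fix the reporter suggests. Every identifier here (Gravity, Attr, AttrList, attr_gravity_new, parse_gravity, add_attribute, span_parse_gravity_unchecked, span_parse_gravity_checked, close_tag) is a hypothetical mock modelled on the report, not the real Pango API; the mock close_tag() returns -1 where the real code would dereference the NULL entry and segfault, so the failure is observable without a crash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Pango's code. All names are hypothetical stand-ins
 * modelled on the bug report, not the real Pango API. */

typedef enum {
    GRAVITY_SOUTH, GRAVITY_EAST, GRAVITY_NORTH, GRAVITY_WEST,
    GRAVITY_AUTO          /* "resolve from the script"; not a storable value */
} Gravity;

typedef struct { Gravity gravity; } Attr;

#define MAX_ATTRS 8
typedef struct {
    Attr *attrs[MAX_ATTRS];
    int n;
} AttrList;

static void attr_list_init(AttrList *l) { memset(l, 0, sizeof *l); }

/* Mirrors pango_attr_gravity_new() as the report describes it: refuses AUTO
 * (here with a CRITICAL message) and returns NULL instead of an attribute. */
static Attr *attr_gravity_new(Gravity g)
{
    if (g == GRAVITY_AUTO) {
        fprintf(stderr, "CRITICAL: attr_gravity_new: assertion `gravity != GRAVITY_AUTO' failed\n");
        return NULL;
    }
    Attr *a = malloc(sizeof *a);
    if (a == NULL)
        return NULL;
    a->gravity = g;
    return a;
}

/* Attribute-value parser: "auto" (and anything unrecognised) maps to AUTO. */
static Gravity parse_gravity(const char *value)
{
    if (strcmp(value, "south") == 0) return GRAVITY_SOUTH;
    if (strcmp(value, "east")  == 0) return GRAVITY_EAST;
    if (strcmp(value, "north") == 0) return GRAVITY_NORTH;
    if (strcmp(value, "west")  == 0) return GRAVITY_WEST;
    return GRAVITY_AUTO;
}

/* Stand-in for add_attribute(): appends whatever it is handed, NULL included. */
static void add_attribute(AttrList *list, Attr *a)
{
    if (list->n < MAX_ATTRS)
        list->attrs[list->n++] = a;
}

/* Buggy shape of span_parse_func(): the constructor's result is never checked. */
static void span_parse_gravity_unchecked(AttrList *list, const char *value)
{
    add_attribute(list, attr_gravity_new(parse_gravity(value)));
}

/* Fixed shape: reject gravity="auto" as a markup error before constructing
 * the attribute, and still guard the constructor's return value.
 * Returns 1 on success, 0 on error with *err set. */
static int span_parse_gravity_checked(AttrList *list, const char *value, const char **err)
{
    Gravity g = parse_gravity(value);
    if (g == GRAVITY_AUTO) {
        *err = "gravity=\"auto\" is not a valid value for <span>";
        return 0;
    }
    Attr *a = attr_gravity_new(g);
    if (a == NULL) {
        *err = "could not create gravity attribute";
        return 0;
    }
    add_attribute(list, a);
    return 1;
}

/* Stand-in for markup_data_close_tag(): reads every attribute in the list.
 * The real code dereferences unconditionally and segfaults on a NULL entry;
 * this mock returns -1 there instead. Otherwise returns the count read. */
static int close_tag(const AttrList *list)
{
    int seen = 0;
    for (int i = 0; i < list->n; i++) {
        if (list->attrs[i] == NULL)
            return -1;
        if (list->attrs[i]->gravity != GRAVITY_AUTO)
            seen++;
    }
    return seen;
}

static void attr_list_free(AttrList *list)
{
    for (int i = 0; i < list->n; i++)
        free(list->attrs[i]);   /* free(NULL) is a no-op */
    list->n = 0;
}

int main(void)
{
    AttrList list;
    const char *err = NULL;

    attr_list_init(&list);
    span_parse_gravity_unchecked(&list, "auto");
    printf("unchecked: close_tag -> %d (NULL entry in list)\n", close_tag(&list));
    attr_list_free(&list);

    attr_list_init(&list);
    if (!span_parse_gravity_checked(&list, "auto", &err))
        printf("checked: markup error: %s\n", err);
    span_parse_gravity_checked(&list, "east", &err);
    printf("checked: close_tag -> %d\n", close_tag(&list));
    attr_list_free(&list);
    return 0;
}
```

The unchecked path reproduces the report exactly: one CRITICAL from the constructor, a NULL stored in the list, and a dereference at close time. The checked path fails the parse at the <span> where the bad value appears, which is the place where a markup error can still be reported to the caller; fixing only close_tag() to tolerate NULLs would silently drop the attribute instead.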