Segfault when marshalling caller-allocated native array out arguments
An example reproducer:
```
➜ ~ python3 -c 'from gi.repository import GLib; x = GLib.IOChannel.new_file("/etc/hosts", "r"); x.read_chars()'
[1] 3130673 segmentation fault (core dumped) python3 -c
```
The problem seems to be a combination of two things:
- When `_caller_alloc` is called by `_invoke_marshal_in_args` for a caller-allocated out argument of array type, it allocates a `GArray` regardless of the actual array type.
- `pygi_arg_garray_len_arg_setup` appears to assume that the length argument of an array-typed argument has the same direction as the array argument. This causes `_invoke_marshal_in_args` to pass a pointer where `g_io_channel_read_chars` expects an integer.
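
A minimal C model of the second point, added here as an illustration and not PyGObject's code: every type and function name below is hypothetical. The only thing taken from GLib is the shape of `g_io_channel_read_chars`, whose buffer is a caller-allocated out array while its length argument `count` is passed in by value.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model, not PyGObject code: one argument slot as a marshaller
 * hands it to the native call. It holds either a value or a pointer. */
typedef enum { DIR_IN, DIR_OUT } direction;
typedef union { size_t v_size; void *v_pointer; } arg_slot;

typedef struct {
    direction array_dir;  /* direction of the array argument (buf) */
    direction length_dir; /* direction of its length argument (count) */
} array_arg_info;

/* Modelled faulty behaviour: the length slot follows the ARRAY's direction,
 * so an out array gets a pointer-to-length even when the length is "in". */
static arg_slot marshal_length_by_array_dir(const array_arg_info *i, size_t *len) {
    arg_slot slot = {0};
    if (i->array_dir == DIR_OUT) slot.v_pointer = len;
    else slot.v_size = *len;
    return slot;
}

/* Checked behaviour: the length slot follows the length argument's OWN direction. */
static arg_slot marshal_length_by_own_dir(const array_arg_info *i, size_t *len) {
    arg_slot slot = {0};
    if (i->length_dir == DIR_OUT) slot.v_pointer = len;
    else slot.v_size = *len;
    return slot;
}

/* Stand-in for a callee that takes its count by value (gsize count). */
static size_t callee_reads_count(arg_slot slot) { return slot.v_size; }

/* read_chars-like signature: out array, in length. */
static const array_arg_info READ_CHARS_LIKE = { DIR_OUT, DIR_IN };

size_t count_seen_by_array_dir(size_t requested) {
    size_t len = requested;
    return callee_reads_count(marshal_length_by_array_dir(&READ_CHARS_LIKE, &len));
}

size_t count_seen_by_own_dir(size_t requested) {
    size_t len = requested;
    return callee_reads_count(marshal_length_by_own_dir(&READ_CHARS_LIKE, &len));
}

int main(void) {
    printf("requested 4096, callee sees %zu (slot chosen by array direction)\n",
           count_seen_by_array_dir(4096));
    printf("requested 4096, callee sees %zu (slot chosen by length direction)\n",
           count_seen_by_own_dir(4096));
    return 0;
}
```

In the first case the callee interprets a stack address as the byte count, which is far larger than any buffer the caller allocated.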