From 45d4c52501474ded53351a92cf5c7129fc8661e6 Mon Sep 17 00:00:00 2001
From: Philip Withnall
Date: Tue, 28 Jun 2022 10:51:42 +0100
Subject: [PATCH] gcontenttype: Fix a potential use-after-free of xdgmime data

While `gio_xdgmime` is unlocked, the data which `type` points to in the xdgmime cache might get invalidated, leaving `type` as a dangling pointer. That would not bode well for the `g_strdup (type)` call to insert a new entry into the `type_comment_cache` once `gio_xdgmime` is re-acquired.

This was spotted using static analysis, and the symptoms have not knowingly been seen in the wild.

Signed-off-by: Philip Withnall
Coverity CID: #1474702
---
 gio/gcontenttype.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/gio/gcontenttype.c b/gio/gcontenttype.c
index 170bb4341..665668890 100644
--- a/gio/gcontenttype.c
+++ b/gio/gcontenttype.c
@@ -486,6 +486,7 @@ gchar *
 g_content_type_get_description (const gchar *type)
 {
   static GHashTable *type_comment_cache = NULL;
+  gchar *type_copy = NULL;
   gchar *comment;
 
   g_return_val_if_fail (type != NULL, NULL);
@@ -500,16 +501,21 @@ g_content_type_get_description (const gchar *type)
   comment = g_hash_table_lookup (type_comment_cache, type);
   comment = g_strdup (comment);
-  G_UNLOCK (gio_xdgmime);
 
   if (comment != NULL)
-    return comment;
+    {
+      G_UNLOCK (gio_xdgmime);
+      return comment;
+    }
 
-  comment = load_comment_for_mime (type);
+  type_copy = g_strdup (type);
+  G_UNLOCK (gio_xdgmime);
+  comment = load_comment_for_mime (type_copy);
   G_LOCK (gio_xdgmime);
+
   g_hash_table_insert (type_comment_cache,
-                       g_strdup (type),
+                       g_steal_pointer (&type_copy),
                        g_strdup (comment));
   G_UNLOCK (gio_xdgmime);
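Review bot: The new `gchar *type_copy = NULL;` declaration in the first hunk carries no hint of why a private copy of `type` is needed, and the only place that rationale lives is the commit message, so a later reader who sees the copy-then-`g_steal_pointer` sequence replacing a plain `g_strdup (type)` may be tempted to fold it back and reintroduce the dangling-pointer window. I would state the lifetime constraint at the declaration itself: `/* Owned copy of @type, taken while gio_xdgmime is held: @type may point into xdgmime data that can be invalidated once the lock is dropped. */`. The body of g_content_type_get_description continues past the visible hunks, so I have not been able to confirm that every exit path either steals or frees type_copy; that is worth a glance when the full function is in view.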