From 8b9e8dc53b1efba01d760cde9d2cb01fdee51cf7 Mon Sep 17 00:00:00 2001
From: Philip Withnall
Date: Tue, 26 Nov 2013 11:12:48 +0000
Subject: [PATCH] gcontenttype: Fix a potential NULL pointer dereference
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the initial part of the header (‘MIME-TreeMagic’) is valid, but the following line does not start with ‘[’ (i.e. is not a valid section line), insert_matchlet() will be called with a NULL match pointer, and will crash with a NULL pointer dereference. Fix this by bailing out if a valid section line isn’t encountered before the first insert_matchlet() call (i.e. between the header line and the first data line). Note that this has not been tested against a real treemagic file; the fix is purely theoretical. Found by scan-build. https://bugzilla.gnome.org/show_bug.cgi?id=113075
---
 gio/gcontenttype.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/gio/gcontenttype.c b/gio/gcontenttype.c
index d54f04202..8734e7f4b 100644
--- a/gio/gcontenttype.c
+++ b/gio/gcontenttype.c
@@ -1032,11 +1032,16 @@ read_tree_magic_from_directory (const gchar *prefix)
 match = parse_header (lines[i]);
 insert_match (match);
 }
- else
+ else if (match != NULL)
 {
 matchlet = parse_match_line (lines[i], &depth);
 insert_matchlet (match, matchlet, depth);
 }
+ else
+ {
+ g_warning ("%s: header corrupt; skipping\n", filename);
+ break;
+ }
 }

 g_strfreev (lines);
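Review bot: The new `match != NULL` guard covers only the matchlet branch; in the context lines just above it, `match = parse_header (lines[i]); insert_match (match);` still passes the parse result on unchecked. parse_header is not visible in this hunk, so this is an inference, but if it can return NULL for a section line that starts with `[` and is otherwise malformed, insert_match would receive a NULL match from a treemagic file read from disk. Consider `if (match != NULL) insert_match (match);` there, so that later data lines fall through to the new warning-and-break branch. Separately, g_warning() appends its own newline under the default log handler, so the `\n` in the format string can be dropped. read_tree_magic_from_directory starts and ends outside the hunk.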