From dc2027e72891aa716033e5df68a2c3f82b458b39 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Fri, 12 Apr 2024 16:01:20 +0100 Subject: [PATCH] gparamspecs: Fix NULL pointer dereference MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I’m not sure exactly how this code is supposed to work, so this might not be the right fix. But there’s definitely a problem here, and it was spotted by scan-build. If `param_value_array_validate()` is entered with `value->data[0].v_pointer == NULL && aspec->fixed_n_elements`, that `NULL` will be stored in `value_array` too. `value->data[0].v_pointer` will then be set to a new non-`NULL` array. A few lines down, `value_array_ensure_size()` is called on `value_array` – which is still `NULL` – and this results in a `NULL` pointer dereference. It looks like `value->data[0].v_pointer` and `value_array` are used interchangeably throughout the whole of the function, so assign the new value of `value->data[0].v_pointer` to `value_array` too. My guess is that `value_array` is just a convenience alias for `value->data[0].v_pointer`, because the latter is a real mouthful to type or read. Signed-off-by: Philip Withnall Helps: #1767 --- gobject/gparamspecs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gobject/gparamspecs.c b/gobject/gparamspecs.c index cf50df74f..12a81245a 100644 --- a/gobject/gparamspecs.c +++ b/gobject/gparamspecs.c @@ -1018,7 +1018,7 @@ param_value_array_validate (GParamSpec *pspec, guint changed = 0; if (!value->data[0].v_pointer && aspec->fixed_n_elements) - value->data[0].v_pointer = g_value_array_new (aspec->fixed_n_elements); + value_array = value->data[0].v_pointer = g_value_array_new (aspec->fixed_n_elements); if (value->data[0].v_pointer) {
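Review bot: the chained assignment `value_array = value->data[0].v_pointer = g_value_array_new (...)` in this hunk is only a complete fix if `value_array` is purely a local alias of `value->data[0].v_pointer`, which the commit message guesses at ("my guess is that `value_array` is just a convenience alias") but does not confirm; please check the rest of `param_value_array_validate()` for any place where either name is rebound on its own, because that is exactly how the two went out of sync here. Since the message itself says "this might not be the right fix", a regression test that runs the validate path with `value->data[0].v_pointer == NULL` on a pspec with non-zero `fixed_n_elements` would confirm the scan-build report is resolved rather than merely silenced. If the project's style avoids chained assignments, the same effect is achieved by keeping the original line and adding `value_array = value->data[0].v_pointer;` immediately after it.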