This fixes cases where calling `g_uri_to_string()` immediately after a
successful call to `g_uri_parse()` would cause an assertion failure for
URIs like `data:/.//` or `data:.///`.
These appear to be valid URIs. Their paths are normalised to `//` during
parsing as a result of the `remove_dot_segments()` algorithm. This then
falls foul of the restriction from
https://datatracker.ietf.org/doc/html/rfc3986#section-3 that
> When authority is not present, the path cannot begin with two slash
> characters ("//").
This is already encoded in an assertion at the top of
`g_uri_join_internal()`.
The approach of prefixing the path with `/.` should be harmless: it
guarantees the path starts with `/`, prevents `//` being a prefix, and
should always be removed by `remove_dot_segments()` when re-parsing the
URI. It’s the same approach as taken in the WhatWG URL spec for a
similar (but different) situation:
https://url.spec.whatwg.org/#url-serializing (see step 3).
See also: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/415?commit_id=79cfd65c9bd8024cd45dd725c284766329873709
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
In 1e3b010 the behaviour of `g_bytes_new (NULL, 0)` was changed; before the
`g_bytes_get_data()` would return NULL as expected, but now it returns a pointer
outside the single GBytes allocation.
This breaks the fwupd self tests as we use a GBytes of NULL to signify that
the emulation data exists, but it has no content.
Catch this case and restore the old behaviour.
This fixes a heap buffer overflow read in `g_utf8_validate()` and
`g_str_is_ascii()`, at the cost of always calling `strlen()` on the
input string if its length isn’t known already.
The overflow read was not a security vulnerability, but getting valgrind
and asan to understand that, across all platforms and build
configurations, doesn’t seem to be possible with the resources available
to us. In particular, the `ifunc` approach doesn’t work on muslc, and
doesn’t work when statically linked.
The UTF-8 validation code should still be faster than the old approach
(GLib 2.82 and older), as `strlen()` is SIMD-accelerated in glibc, and
UTF-8 validation is SIMD accelerated in GLib. The combination of the two
should still be faster than the bytewise read loop we used to have.
Unfortunately, correctness and testability have to be prioritised over
absolute performance.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Fixes: #3493Fixes: #3511Fixes: #3526
The Debian 12.8 point release included a version of ninja that is
equivalent to the one we were building from source here.
This reverts commit dbd7280c5e.
Signed-off-by: Simon McVittie <smcv@debian.org>
When a conversion is finished, the code would return 0 from its write
vfunc. This is disallowed by the API of g_output_stream_write() and
causes g_output_stream_splice() as used by g_converter_convert_bytes()
to turn into an infinite loop.
Instead, raise a G_IO_ERROR_MESSAGE_TOO_LARGE error so that the calling
code can decide how to deal with it.
Testcase included.
Closes#3532
It is unused when compiling with `G_DISABLE_ASSERT`. That’s fine, but we
definitely want the `g_hash_table_remove()` call to still be made.
Fixes this CI failure: https://gitlab.gnome.org/GNOME/glib/-/jobs/4483098
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Testing this in a normal testcaes is a bit tricky, since
triggering a non-fatal assertion has the side-effect of
marking the test as failed.
So just don't run any testcases here, but check the side-effect
manually. Since we don't produce TAP output when not using
g_test_run(), tell meson that we're using the exitcode protocol.
There is a race between releasing and re-acquiring an interned
GRefString if this happens on two threads at the same time. This can
result in already freed memory to be returned from
g_ref_string_new_intern().
| Thread 1 | Thread 2 |
| ------------------------------ | ----------------------------- |
| g_ref_string_release() | g_ref_string_new_intern() |
| g_atomic_rc_box_release_full() | g_mutex_lock() |
| | g_hash_table_lookup() |
| remove_if_interned() | g_ref_string_acquire() |
| g_mutex_lock() | g_mutex_unlock() |
| g_hash_table_remove() | |
| g_mutex_unlock() | |
| g_free() | |
| | return res; // this is freed |
This use-after-free usually also gives a critical warning because
g_atomic_ref_count_inc() checks for the refcount having been 0
before incrementing.
It is not possible to safely implement weak references via garcbox.
To avoid this race do not implement weak references via garcbox but
instead implement the allocation of the string manually with a manually
managed reference count. This allows to safely resurrect the interned
string if the above race happens, and also avoids other races.
As a side-effect this also
* reduces the allocation size in addition to the actual string length
from 32 bytes to 16 bytes on 64 bit platforms and keeps it at 16 bytes
on 32 bit platforms,
* doesn't lock a mutex when freeing non-interned GRefStrings.
We have a mechanism for turning on optional features of the GLib
test harness by passing options to g_test_init(). Use it for the
non-fatal assertions as well.
