Commit Graph

23017 Commits

Author SHA1 Message Date
Philip Withnall
20cfc75d14 Merge branch '2319-memdup' into 'master'
Add g_memdup2()

Closes #2319

See merge request GNOME/glib!1926
2021-02-04 17:12:36 +00:00
Philip Withnall
0cc11f745e giochannel: Forbid very long line terminator strings
The public API `GIOChannel.line_term_len` is only a `guint`. Ensure that
nul-terminated strings passed to `g_io_channel_set_line_term()` can’t
exceed that length. Use `g_memdup2()` to avoid a warning (`g_memdup()`
is due to be deprecated), but not to avoid a bug, since it’s also
limited to `G_MAXUINT`.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 16:17:21 +00:00
Philip Withnall
a8b204ff9d gtlspassword: Forbid very long TLS passwords
The public API `g_tls_password_set_value_full()` (and the vfunc it
invokes) can only accept a `gssize` length. Ensure that nul-terminated
strings passed to `g_tls_password_set_value()` can’t exceed that length.
Use `g_memdup2()` to avoid an overflow if they’re longer than
`G_MAXUINT` similarly.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 16:17:21 +00:00
Philip Withnall
a2e38fd28e gsocket: Use gsize to track native sockaddr’s size
Don’t use an `int`, that’s potentially too small. In practical terms,
this is not a problem, since no socket address is going to be that big.

By making these changes we can use `g_memdup2()` without warnings,
though. Fewer warnings is good.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 16:17:21 +00:00
Philip Withnall
7781a9cbd2 gkeyfilesettingsbackend: Handle long keys when converting paths
Previously, the code in `convert_path()` could not handle keys longer
than `G_MAXINT`, and would overflow if that was exceeded.

Convert the code to use `gsize` and `g_memdup2()` throughout, and
change from identifying the position of the final slash in the string
using a signed offset `i`, to using a pointer to the character (and
`strrchr()`). This allows the slash to be at any position in a
`G_MAXSIZE`-long string, without sacrificing a bit of the offset for
indicating whether a slash was found.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 16:17:21 +00:00
Philip Withnall
9acebef777 gwin32: Use gsize internally in g_wcsdup()
This allows it to handle strings up to length `G_MAXSIZE` — previously
it would overflow with such strings.

Update the several copies of it identically.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 16:17:21 +00:00
Philip Withnall
41d5eedad4 gdatainputstream: Handle stop_chars_len internally as gsize
Previously it was handled as a `gssize`, which meant that if the
`stop_chars` string was longer than `G_MAXSSIZE` there would be an
overflow.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 16:17:21 +00:00
Philip Withnall
81a454237d gwinhttpfile: Avoid arithmetic overflow when calculating a size
The members of `URL_COMPONENTS` (`winhttp_file->url`) are `DWORD`s, i.e.
32-bit unsigned integers. Adding to and multiplying them may cause them
to overflow the unsigned integer bounds, even if the result is passed to
`g_memdup2()` which accepts a `gsize`.

Cast the `URL_COMPONENTS` members to `gsize` first to ensure that the
arithmetic is done in terms of `gsize`s rather than unsigned integers.

Spotted by Sebastian Dröge.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 16:17:21 +00:00
Philip Withnall
19470722b3 glib: Use g_memdup2() instead of g_memdup() in obvious places
Convert all the call sites which use `g_memdup()`’s length argument
trivially (for example, by passing a `sizeof()` or an existing `gsize`
variable), so that they use `g_memdup2()` instead.

In almost all of these cases the use of `g_memdup()` would not have
caused problems, but it will soon be deprecated, so best port away from
it

In particular, this fixes an overflow within `g_bytes_new()`, identified
as GHSL-2021-045 by GHSL team member Kevin Backhouse.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Fixes: GHSL-2021-045
Helps: #2319
2021-02-04 16:04:10 +00:00
Philip Withnall
f10101b909 gobject: Use g_memdup2() instead of g_memdup() in obvious places
Convert all the call sites which use `g_memdup()`’s length argument
trivially (for example, by passing a `sizeof()`), so that they use
`g_memdup2()` instead.

In almost all of these cases the use of `g_memdup()` would not have
caused problems, but it will soon be deprecated, so best port away from
it.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 14:13:21 +00:00
Philip Withnall
73b293fd30 gio: Use g_memdup2() instead of g_memdup() in obvious places
Convert all the call sites which use `g_memdup()`’s length argument
trivially (for example, by passing a `sizeof()`), so that they use
`g_memdup2()` instead.

In almost all of these cases the use of `g_memdup()` would not have
caused problems, but it will soon be deprecated, so best port away from
it.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 14:13:21 +00:00
Philip Withnall
f8cf0b8672 gstrfuncs: Add g_memdup2() function
This will replace the existing `g_memdup()` function, which has an
unavoidable security flaw of taking its `byte_size` argument as a
`guint` rather than as a `gsize`. Most callers will expect it to be a
`gsize`, and may pass in large values which could silently be truncated,
resulting in an undersize allocation compared to what the caller
expects.

This could lead to a classic buffer overflow vulnerability for many
callers of `g_memdup()`.

`g_memdup2()`, in comparison, takes its `byte_size` as a `gsize`.

Spotted by Kevin Backhouse of GHSL.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: GHSL-2021-045
Helps: #2319
2021-02-04 14:13:03 +00:00
Sebastian Dröge
e41a36784c Merge branch 'wip/sadiq/fix-memory-leak' into 'master'
gapplication: Fix a memory leak

See merge request GNOME/glib!1925
2021-02-04 13:40:28 +00:00
Mohammed Sadiq
a1203b3d3b gapplication: Fix a memory leak 2021-02-04 18:38:17 +05:30
Sebastian Dröge
8385664f47 Merge branch 'master' into 'master'
gdatetime: Add math library support

Closes #2314

See merge request GNOME/glib!1916
2021-02-04 08:03:22 +00:00
Sebastian Dröge
f67b12467b Merge branch 'atomic-take2' into 'master'
atomic: Fix type check of g_atomic_pointer_compare_and_exchange()

See merge request GNOME/glib!1919
2021-02-03 15:18:55 +00:00
Xavier Claessens
580b415ebd atomic: Fix type check of g_atomic_pointer_compare_and_exchange() 2021-02-03 09:37:04 -05:00
Xavier Claessens
7459bf9a19 Revert "atomic: Fix type error with clang++"
This reverts commit d95885d91e.
2021-02-03 09:37:04 -05:00
Philip Withnall
018ae0982c Merge branch 'wip/gdbus-even-when-setcap' into 'master'
Resolve GDBus regressions in setcap/setgid programs

Closes #2305

See merge request GNOME/glib!1920
2021-02-03 11:28:20 +00:00
Philip Withnall
ab46205db1 Merge branch 'carlosgc/uri-host-nullable' into 'master'
guri: Mark g_uri_get_host as nullable

See merge request GNOME/glib!1921
2021-02-03 09:59:29 +00:00
Carlos Garcia Campos
5221b6a261 guri: Mark g_uri_get_host as nullable
It's currently annotated as not nullable, but it can be NULL.
2021-02-03 09:47:30 +00:00
Prasanth R
62fc437773 gdatetime: Add math library support
W.r.to c3805d74b uClibc fails in linking
Fixes #2314
2021-02-03 14:09:10 +05:30
Simon McVittie
7aa0580cc5 gdbus: Use DBUS_SESSION_BUS_ADDRESS if AT_SECURE but not setuid
This is against my better judgement, but it's the least bad regression
fix I can think of. If we don't do this, at least gnome-keyring-daemon
(setcap) and msmtp (setgid) are known to regress.

Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/2305
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981420
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981555
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-02 20:52:19 +00:00
Simon McVittie
6436d52a0a gdbus: Rename a variable to be less misleading
We're using "setuid" here as shorthand for any elevated privileges
that should make us distrust the caller: setuid, setgid, filesystem
capabilities, more obscure Linux things that set the AT_SECURE flag
(such as certain AppArmor transitions), and their equivalents on
other operating systems. This is fine if we do it consistently, but
I'm about to add a check for whether we are *literally* setuid,
which would be particularly confusing without a rename.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-02 20:38:41 +00:00
Sebastian Dröge
7e958fd1fe Merge branch 'fix_more_warnings' into 'master'
Fix more warnings

See merge request GNOME/glib!1911
2021-02-02 16:11:53 +00:00
Emmanuel Fleury
ccb43b3821 Fix signedness warnings in gio/ghttpproxy.c:g_http_proxy_connect()
gio/ghttpproxy.c: In function ‘g_http_proxy_connect’:
gio/ghttpproxy.c:245:17: error: comparison of integer expressions of different signedness: ‘gsize’ {aka ‘long unsigned int’} and ‘int’
  245 |       if (nread == -1)
      |                 ^~
gio/ghttpproxy.c:253:22: error: comparison of integer expressions of different signedness: ‘gssize’ {aka ‘long int’} and ‘gsize’ {aka ‘long unsigned int’}
  253 |       if (bytes_read == buffer_length)
      |                      ^~
2021-02-02 16:31:07 +01:00
Sebastian Dröge
e38982df4b Merge branch 'atomic-typeof' into 'master'
Define glib_typeof with C++11 decltype()

Closes #2226

See merge request GNOME/glib!1715
2021-02-02 10:51:50 +00:00
Sebastian Dröge
e6f506a92c Merge branch 'fix/unix-stream-pollable-detection' into 'master'
gunix: Fix {Input,Output}Stream pollable detection

Closes #1180

See merge request GNOME/glib!1846
2021-02-02 10:46:52 +00:00
Philip Withnall
94007bbcb7 Merge branch 'key-file-get-comment-nullable' into 'master'
Mark g_key_file_get_comment() key parameter as nullable

See merge request GNOME/glib!1915
2021-02-02 10:36:56 +00:00
Simon McVittie
7c0b9c776f gdbus: Improve readability by avoiding ternary operator
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-02 10:25:40 +00:00
Ole André Vadla Ravnås
d7ee70c013 gunix: Fix {Input,Output}Stream pollable detection
For devices such as PTYs, where not being able to cancel a pending read
operation is problematic for many applications.

Fixes: #1180
2021-02-02 11:11:53 +01:00
Sebastian Dröge
02fbe86e07 Mark g_key_file_get_comment() key parameter as nullable
It will return the comment above the group (or at the top of the file)
then according to the documentation.
2021-02-02 10:14:57 +02:00
Philip Withnall
6cca256526 Merge branch 'wip/avoid-searching-path' into 'master'
spawn: Don't set a search path if we don't want to search PATH

See merge request GNOME/glib!1902
2021-02-01 11:58:51 +00:00
Simon McVittie
07bf886cf3 Merge branch 'wip/smcv/address-sanitizer' into 'master'
Start to ignore known leaks under AddressSanitizer

See merge request GNOME/glib!1905
2021-02-01 11:32:56 +00:00
Simon McVittie
f378352051 tests: Mark tests with AddressSanitizer-detected leaks
Various tests have leaks where it isn't clear whether the data is
intentionally not freed, or leaked due to a bug. If we mark these
tests as TODO, we can skip them under AddressSanitizer and get the
rest to pass, giving us a baseline from which to avoid regressions.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 11:19:59 +00:00
Simon McVittie
41ed1c6d5d gutils: Tell AddressSanitizer not to track previous XDG directories
We reset these in some unit tests, and must deliberately leak them to
avoid having to break API.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 10:44:35 +00:00
Simon McVittie
023793071b glib-private: Add wrappers for telling AddressSanitizer to ignore leaks
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 10:44:35 +00:00
Simon McVittie
9fef98cf84 gtestutils: Default to -m no-undefined under AddressSanitizer
AddressSanitizer detects memory leaks, NULL parameters where only a
non-NULL parameter is expected, and other suspicious behaviour, so if
we try to test that sort of thing we can expect it to fail.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 10:44:35 +00:00
Simon McVittie
98804781ce glib-private: Add infrastructure to detect AddressSanitizer
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 10:44:35 +00:00
Simon McVittie
5685546ab1 gio: Don't run gsocketclient-slow test under sanitizers
AddressSanitizer, UndefinedBehaviourSanitizer and probably others
involve adding instrumentation into the code under test, which doesn't
go well with LD_PRELOAD modules that absolutely need to be
self-contained.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 10:44:35 +00:00
Simon McVittie
def3e33c36 error test: Don't test programmer error if asked not to
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 10:44:35 +00:00
Emmanuel Fleury
2fd429046d Fix several missing initializer warnings in gio/gapplication.c:g_application_parse_command_line()
gio/gapplication.c: In function ‘g_application_parse_command_line’:
gio/gapplication.c:545:11: error: missing initializer for field ‘arg_description’ of ‘GOptionEntry’ {aka ‘struct _GOptionEntry’}
  545 |           N_("Enter GApplication service mode (use from D-Bus service files)") },
      |           ^~
gio/gapplication.c:557:11: error: missing initializer for field ‘arg_description’ of ‘GOptionEntry’ {aka ‘struct _GOptionEntry’}
  557 |           N_("Override the application’s ID") },
      |           ^~
gio/gapplication.c:569:11: error: missing initializer for field ‘arg_description’ of ‘GOptionEntry’ {aka ‘struct _GOptionEntry’}
  569 |           N_("Replace the running instance") },
      |           ^~
2021-02-01 11:14:21 +01:00
Emmanuel Fleury
0cc48ee937 Fix missing initializer warning in gio/gdbusobjectmanagerserver.c
gio/gdbusobjectmanagerserver.c:892:1: error: missing initializer for field ‘padding’ of ‘GDBusInterfaceVTable’ {aka ‘const struct _GDBusInterfaceVTable’}
  892 | };
      | ^
2021-02-01 11:14:21 +01:00
Emmanuel Fleury
68e69a4128 Fix missing initializer warning in gio/gdbusconnection.c:g_dbus_connection_register_object_with_closures()
gio/gdbusconnection.c: In function ‘g_dbus_connection_register_object_with_closures’:
gio/gdbusconnection.c:5527:5: error: missing initializer for field ‘padding’ of ‘GDBusInterfaceVTable’ {aka ‘struct _GDBusInterfaceVTable’}
 5527 |     };
      |     ^
2021-02-01 11:14:21 +01:00
Emmanuel Fleury
80fa64d974 Fix missing initializer warning in gio/gdelayedsettingsbackend.c:delayed_backend_path_writable_changed()
gio/gdelayedsettingsbackend.c: In function ‘delayed_backend_path_writable_changed’:
gio/gdelayedsettingsbackend.c:406:7: error: missing initializer for field ‘index’ of ‘CheckPrefixState’
  406 |       CheckPrefixState state = { path, g_new (const gchar *, n_keys) };
      |       ^~~~~~~~~~~~~~~~
2021-02-01 11:14:21 +01:00
Sebastian Dröge
c07f8a70dc Merge branch 'th/gsignal-cleanup' into 'master'
[th/gsignal-cleanup] minor changes to GSignal related code

See merge request GNOME/glib!1900
2021-02-01 09:07:51 +00:00
Thomas Haller
8416211231 gsignal: use g_clear_signal_handler() macro to implement g_clear_signal_handler() function
We have a "good" implementation of g_clear_signal_handler() in
form of a macro. Use it, and don't duplicate the code.

Also add a comment to the documentation that "instance" in fact must
not point to a valid GObject instance -- if the handler ID is unset.

Also reword the documentation about the reasoning for why a macro
version exists. The reason is not to use the function "without
pointer cast". I don't think the non-macro version requires any
pointer cast, since "instance" is a void pointer. Was this referring
to the handler_id_ptr? That doesn't seem right either, because the
caller should always provide a "gulong *" pointer and nothing else.
2021-02-01 09:45:46 +01:00
Thomas Haller
7777f3bdbe gsignal: let g_clear_signal_handler() evaluate argument only once
Preferably macros behave function-like to minimize surprises. That
means for example that they evaluate all arguments exactly once.

Rework g_clear_signal_handler() to assign the macro parameters
to auto variables so they are accessed exactly once.

Also, drop the static assert for the size of (*handler_id_ptr).
As we now assign to a "gulong *" pointer, the compiler already
checks the types. In fact, the check is now stricter than before.
Previously it would have allowed a pointer to a "signed long".
This is a change in behavior of the macro and the stricter compile
check could cause a build failure with broken code.

Also, clear the handler id first, before calling
g_signal_handler_disconnect(). Disconnecting a signal invokes the
destroy notify, which can have side effects. It just feels cleaner
to first reset the *_handler_id_ptr, before those side effects
can happen. Of course, in practice it makes little difference.
2021-02-01 09:45:16 +01:00
Thomas Haller
cc4ffe4742 gsignal: use stack allocate temporary buffer in g_signal_new_valist()
g_signal_new_valist() is called by g_signal_new(), which is probably
the most common way to create a signal.

Also, in almost all cases is the number of signal parameters small.

Let's optimize for that by using a stack allocated buffer if we have
few parameters.
2021-02-01 09:43:29 +01:00
Simon McVittie
a85c126602 Expand test coverage for G_SPAWN_SEARCH_PATH
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-01-31 14:15:37 +00:00