Commit Graph

30819 Commits

Author SHA1 Message Date
Christian Hergert
49bfa7b9cf gvarianttype: mark const functions as such
These functions only rely on their input parameter and no globals, thus
are candidates for sub-expression elimination.
2024-09-24 10:59:20 -07:00
Philip Withnall
84b6f747cb Merge branch 'socks4a-buffer-overflow' into 'main'
gsocks4aproxy: Fix a single byte buffer overflow in connect messages

Closes #3461

See merge request GNOME/glib!4281
2024-09-19 20:21:05 +00:00
Michael Catanzaro
25833cefda gsocks4aproxy: Fix a single byte buffer overflow in connect messages
`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
byte in the connect message, which is an addition in SOCKSv4a vs
SOCKSv4.

This means that the buffer for building and transmitting the connect
message could be overflowed if the username and hostname are both
`SOCKS4_MAX_LEN` (255) bytes long.

Proxy configurations are normally statically configured, so the username
is very unlikely to be near its maximum length, and hence this overflow
is unlikely to be triggered in practice.

(Commit message by Philip Withnall, diagnosis and fix by Michael
Catanzaro.)

Fixes: #3461
2024-09-19 21:08:15 +01:00
Michael Catanzaro
60aa29df19 Merge branch 'mcatanzaro/#3469' into 'main'
gvariant-parser: add assert to ensure we don't write too far

Closes #3469

See merge request GNOME/glib!4280
2024-09-19 17:38:40 +00:00
Philip Withnall
2842e4a86f
gvariant-parser: Assert that pattern lengths don’t overflow
I can’t see it being possible for this to be hit in practice, as it
would require two very long GVariant text format inputs, which would
probably hit input limits earlier on somewhere else.

But in order to avoid a silent integer overflow, let’s check that the
addition won’t overflow before going ahead with it.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #3469
2024-09-19 17:49:10 +01:00
Philip Withnall
785b61cfcb
gvariant-parser: Add additional buffer byte for nul terminator
In `pattern_coalesce()`.

I am fairly sure this byte is never needed, as the most extreme case of
`max (strlen (left), strlen (right)` vs `strlen (left) + strlen (right)`
I can think of still gives 1 byte left in the buffer (without the need
for this commit).

However, the proof we have of how much space is needed in the buffer
only goes far enough to show that the number of bytes needed before the
nul terminator is at most `strlen (left) + strlen (right)`. That means
we still technically need to add an additional byte for the nul
terminator.

The need for this could be eliminated by coming up with a stronger proof
to show that the number of bytes needed is strictly less than `strlen
(left) + strlen (right)`, but I can’t do that, and adding one byte is
easy to do. Type strings are short and we’re nowhere near making a large
allocation here.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #3469
2024-09-19 17:44:28 +01:00
Philip Withnall
c7e3512902
tests: Add some additional pattern_coalesce() tests
The first of these tests is to cover the extreme case where the number
of bytes written out by `pattern_coalesce()` is as close to `strlen
(left) + strlen (right)` as we can manage, due to both inputs being
really small and hence `max (strlen (left), strlen (right))` being only
1 less than `strlen (left) + strlen (right)`, which is as close as we
can get to triggering an off-by-one error.

The second of these tests is an attempt to encode the case used in the
proof for correctness of `pattern_coalesce()` not overflowing its buffer
bounds: `(*(iii)) + ((iii)*) = ((iii)(iii))`. I don’t think it’s
actually possible to hit that case, as it’s not possible to generate a
plain `*` in either of the input patterns. `Ma*` is the best we can
manage in practice. See
https://gitlab.gnome.org/GNOME/glib/-/issues/3469#note_2226901 for
reasoning.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #3469
2024-09-19 17:40:45 +01:00
Philip Withnall
1cb682b320
tests: Fix a minor typo in a comment in gvariant tests
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-09-19 17:40:24 +01:00
Philip Withnall
3d5ada2689
gvariant-parser: Add a proof for pattern_coalesce()’s safety
This proof backs up the already-present assertion that “the length of
the output is loosely bounded by the sum of the input lengths”.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #3469
2024-09-19 16:35:27 +01:00
Michael Catanzaro
7f4300c5da gvariant-parser: add assert to ensure we don't write too far
This function is complicated and it's hard to assess whether it is
correct or not, so let's add an assert just to be sure.

Notably, when writing this I initially had an off-by-one error in my
assert, causing the assertion to actually fire when running the unit
tests. So we know it's definitely possible for the function to use the
entirety of the buffer. The upper bound is not loose, and writing one
additional byte would be a security bug.

Note my assertion possibly doesn't protect against security issues
because it will be hit after the bad write rather than before.

Fixes #3469
2024-09-19 09:59:13 -05:00
Philip Withnall
1adc303f47 Merge branch 'inotify-kqueue' into 'main'
Introduce a new GFileMonitor backend: libinotify-kqueue

See merge request GNOME/glib!3657
2024-09-19 10:13:33 +00:00
Gleb Popov
30dfc99c94 inotify: Optimize consecutive g_hash_table_{lookup,remove} calls 2024-09-19 10:55:39 +03:00
Gleb Popov
697118dfd5 Adapt testfilemonitor.c for libinotify-kqueue backend
The backend mimics inotify but is still subject to kevent idionsyncracies.
2024-09-19 09:55:01 +03:00
Gleb Popov
7460faf861 giomodule: Adapt to the GFileMintor backend selection changes
Instead of relying on some headers/functions presence, the buildsystem now
tells us what backend we're using.
2024-09-19 09:55:01 +03:00
Gleb Popov
dae3b8bd15 Introduce a special mode of operating for the inotify GFileMonitor backend
libinotify-kqueue is a library that implements inotify interface in terms of
kqueue/kevent API available on Mac OS and *BSD systems. The original kqueue
backend seems to be a predecessor version of the code that is currently present
in libinotify-kqueue. Under the hood the library implements a sophisticated
filesystem changes detection algorithm that is derived from the glib backend
code.

Updating the native glib kqueue backend requires substantial work, because code
bases have diverged greatly. Another approach is taken, instead. libinotify-kqueue
can serve as a drop-in replacement for Linux inotify API, thus allowing to
reuse the inotify backend code. The compatibility, however, comes at cost, since
the library has to emulate the inotify descriptor via an unix domain socket.
This means that delivering an event involves copying the data into the kernel
and then pulling it back.

The recent libinotify-kqueue release adds a new mode of operation called "direct".
In this mode the socket pipe is replaced with another kqueue that is used to
deliver events via a kevent(EVFILT_USER) call.
Employing the direct mode requires minor changes to the client code compared
to using plain inotify API, but in return it allows for reusing libinotify's
algorithms without a performance penalty. Luckily, all required changes are
consolidated in one file called inotify-kernel.c

This puts us in the best of possible worlds. On one hand we share a lot of code
with glib inotify backend, which is far more thoroughly tested and widely used.
On the other we support a range of non-Linux systems and consolidate the business
logic in one library. I plan to do the same trick for QFileSystemWatcher which
will give us the same behaviour between Gtk and Qt applications.

The glib test suite passes for both old kqueue backend and new libinotify-kqueue
one. However, the AppStream FileMonitor tests are failing with the old backend,
but pass with the new one, so this is still an observable improvement.

Relevant libinotify-kqueue PR: https://github.com/libinotify-kqueue/libinotify-kqueue/pull/19
2024-09-19 09:54:56 +03:00
Philip Withnall
5948a76f43 Merge branch 'wip/smcv/gdbus-silence-cross-ns' into 'main'
GDBus: Don't log a message for G_DBUS_CONNECTION_FLAGS_CROSS_NAMESPACE

See merge request GNOME/glib!4278
2024-09-18 20:57:55 +00:00
Philip Withnall
c57544dee9 Merge branch 'mcatanzaro/sast' into 'main'
Fix minor issues found by static analysis, and add some additional code comments

See merge request GNOME/glib!4204
2024-09-18 14:37:08 +00:00
Simon McVittie
cb185c22bc GDBus: Don't log a message for G_DBUS_CONNECTION_FLAGS_CROSS_NAMESPACE
This was intended to make it feasible to debug connection failures where
a modern GDBus client connects to a GDBusServer that is missing
glib!2826, but those GDBusServers should be increasingly rare: we have
had the fixed version of GDBusServer for 5 GNOME stable releases
(2 years), long enough to get into stable releases of Debian and Ubuntu
and a service-pack release of SUSE.

This debug message can be very noisy, especially when unit-testing
GLib code (which is frequently done with G_MESSAGES_DEBUG=all) or when
a third-party GLogFunc ignores the log_level parameter and logs all
messages as though they indicated a serious problem. I think it has
served its purpose now.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2024-09-18 14:04:09 +01:00
Simon McVittie
f1140eceb7 GDBus: Note distros whose GDBusServers require an initial response
Ideally, we would eventually move to always using the
cross-namespace-friendly authentication handshake and never sending an
initial response with the Unix uid or Windows SID, but that's blocked
on waiting for various LTS OS distributions to become unsupported or
otherwise irrelevant. Make a note of some major LTS distributions that
still have an old version that is missing glib!2826.

In the RHEL/CentOS family, CentOS Stream 10 has a fixed version, so
presumably RHEL 10 will have a fixed version when it is released.

In the Debian family, Debian 12 and Ubuntu 24.04 are stable releases
that contain a fixed version.

In the SUSE family, openSUSE 15.6 contains a fixed version, so
presumably so does SLES 15.6.

Faster-moving distributions like Fedora are not a concern here and
can be ignored: it's always the slow-moving and/or LTS distributions
that are going to be holding back interoperability breaks.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2024-09-18 13:57:22 +01:00
Gleb Popov
c7e2ae30f0 Add Meson option that allows selecting GFileMonitor's backend implementation
The option defaults to 'auto' which keeps the current selection behavior, but
also allows user to override the choice.

Also make the chosen backend is reported to the code via CPP defines.
2024-09-18 12:01:27 +03:00
Michael Catanzaro
7c6b11df2d giochannel: ensure line terminator remains nul-terminated if needed
If the user passes -1 length to g_io_channel_set_line_term() along with
a nul-terminated string, then calls g_io_channel_get_line_term() and
decides to treat the result as nul-terminated rather than checking the
length parameter, then the application will have a problem, because it's
not nul-terminated. That's weird, since the input string was. Let's
ensure the result is consistent: if you pass a nul-terminated string,
the result is nul-terminated. If not, it's not.

Also add a warning to g_io_channel_get_line_term(), since it's very
strange for a gchar * return value to be anything other than a
nul-terminated UTF-8 string. This is an API design bug, but we cannot
fix it.
2024-09-18 01:48:36 +01:00
Michael Catanzaro
a893d622c0 gdatetime: fix double free in format parser
If %#Z is followed by %Z then we accidentally free the tmp variable from
the previous iteration of the loop a second time. Good job to the static
analysis tool (probably Coverity) that found this.

Fortunately it's unlikely that a realistic application would do this.

I've also added a new test that crashes without the fix
2024-09-18 01:48:36 +01:00
Michael Catanzaro
1196ac7af6 gutils: Fix unlikely minor leaks in xdg directory functions
We leak if we have a non-null empty string. This was already fixed for
g_build_user_data_dir() in 1a979ab494
so now fix the others as well.
2024-09-18 01:48:36 +01:00
Michael Catanzaro
f64d4aad6e gvariant-parser: add some comments
I just spent several hours convinced that there was a memory safety
issue in string_parse() and bytestring_parse(). There isn't. (At least,
I think so.) Add some comments to save the next person some time.
2024-09-18 01:48:36 +01:00
Michael Catanzaro
343081becc ggettext: add some comments
Coverity has improperly flagged this code as an instance of CWE-562. The
code is fine, but it's confusing, and humans are likely to wind up
examining it again in the future, so add some comments to explain what's
up.
2024-09-18 01:48:36 +01:00
Michael Catanzaro
12fcbcfa41 gibaseinfo: fully initialize GTypeInfo before registering it 2024-09-18 01:48:36 +01:00
Michael Catanzaro
3936eaaa39 Merge branch 'wip/pwithnall/wfloat-conversion-macos' into 'main'
tests: Add some explicit float → int casts

See merge request GNOME/glib!4277
2024-09-18 00:09:20 +00:00
Philip Withnall
9cb0e9464e
gapplication: Fix a -Wfloat-conversion warning
This introduces no functional changes, but does squash a false positive
warning from `-Wfloat-conversion`:
```
../gio/gapplication.c:462:15: error: implicit conversion turns floating-point number into integer: 'gdouble' (aka 'double') to '_Bool' [-Werror,-Wfloat-conversion]
          if (*(gdouble *) entry->arg_data)
          ~~  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
```

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-09-17 23:55:02 +01:00
Philip Withnall
e888e7d497
tests: Add some explicit float → int casts
This avoids some false positive warnings from `-Wfloat-conversion`.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-09-17 23:54:55 +01:00
Philip Withnall
7a7d8d548a Merge branch 'wfloat-conversion' into 'main'
build: Enable -Wfloat-conversion and fix warnings

See merge request GNOME/glib!4126
2024-09-17 17:57:11 +00:00
Philip Withnall
99c749f4ec Merge branch 'resource-docs' into 'main'
gresource: Convert docs to gi-docgen linking syntax

See merge request GNOME/glib!4243
2024-09-17 13:46:10 +00:00
Philip Withnall
5197d2856c
gresource: Convert docs to gi-docgen linking syntax
Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #3250
2024-09-17 14:37:00 +01:00
Philip Withnall
acd4a78173 Merge branch '3465-gresource-error-allocations' into 'main'
gresource: Reduce allocations in g_resources_*() functions

Closes #3465

See merge request GNOME/glib!4242
2024-09-17 13:34:06 +00:00
Philip Withnall
cf0a969101 Merge branch 'wip/pwithnall/3458-scan-build' into 'main'
ci: Fix subproject initialisation for scan-build and coverity

Closes #3458

See merge request GNOME/glib!4273
2024-09-13 15:24:32 +00:00
Philip Withnall
6d408ea76e Merge branch 'macos_arm' into 'main'
Move macOS CI to Apple Silicon runner

Closes #3289

See merge request GNOME/glib!3965
2024-09-12 22:28:10 +00:00
Philip Withnall
683cf0a1ba
tests: Fix a scan-build warning about uninitialised variables
It’s a false positive, but points to a slightly unnecessary use of a
global variable to store something which could be computed per-test.

scan-build thought that arrays of size `n_handlers` could have
uninitialised values accessed in them if `n_handlers` were to change
value part-way through a test (which it didn’t).

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-09-12 23:25:06 +01:00
Philip Withnall
a0f124e67c
ci: Ignore files in meson-private in scan-build runs
These are typically files generated by the gobject-introspection dumper,
which we don’t want to scan as they are not part of GLib’s runtime code.

For example:
```
/builds/GNOME/glib/_scan_build/meson-private/tmpr3jwvyib/tmp-introspect5dmnb_je/GObject-2.0.c:799:27: warning: Access to field 'message' results in a dereference of a null pointer (loaded from variable 'error') [core.NullDereference]
  799 |       g_printerr ("%s\n", error->message);
      |                           ^~~~~~~~~~~~~~
1 warning generated.
```

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-09-12 23:24:59 +01:00
Philip Withnall
d6be962af9
ci: Fix subproject initialisation for scan-build and coverity
Fixes commit 93271385f9.

Previously the `before_script` from `.build-linux` was used in whole for
these two jobs, but since the `.build-gobject-introspection` template
was also added, the `before_script`s from the two templates need to be
explicitly combined.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Fixes: #3458
2024-09-12 23:24:53 +01:00
Philip Withnall
765d199b3a Merge branch 'main' into 'main'
Update Georgian translation

See merge request GNOME/glib!4267
2024-09-12 22:23:46 +00:00
Philip Withnall
8ef85992e0 ci: Re-add contextual links for a FIXME message
To avoid people having to do git archaeology in future to work out why `--wrap-mode=nodownload` is such a good idea.
2024-09-12 22:05:41 +00:00
Philip Withnall
744cdd0f0d Merge branch 'avoid-resource-allocation' into 'main'
resource: Add g_resource[s]_has_children and avoid a pointless allocation

See merge request GNOME/glib!4245
2024-09-12 22:04:39 +00:00
Philip Withnall
b5cab7c6b9
tests: Add g_resource_has_children() test for empty path
To get the code branch coverage up to 100% because it’s not that hard.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-09-12 22:53:26 +01:00
René de Hesselle
f9b7898fb7 Move to Apple Silicon based runner
Remove cmake as we no longer need to build ninja. We can use the
official wheel now since the runner's Python is 3.9 (before: 3.8).

Use the same comment regarding '--wrap-mode' as in the other jobs.

Download and use official ccache binary.

Add myself to the 'only' section in .gitlab-ci.yml so I can have
CI in my fork.

Disable a few deprecation warnings due to the much newer SDK of
the Apple Silicon machine.
2024-09-12 23:17:23 +02:00
Philip Withnall
6c80db2c24
ci: Force submodules to be fetched first in VS2017 CI jobs
No idea why this is now suddenly not working.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-09-12 21:40:41 +01:00
Matthias Clasen
46fdbb43fa resourcefile: Avoid an allocation
Instead of enumerating the children only to throw them away,
use the new g_resources_has_children() api.
2024-09-12 21:15:55 +01:00
Matthias Clasen
a14241c895 resource: Add g_resource[s]_has_children
These functions avoid allocating the children array when it is
not needed.
2024-09-12 21:15:55 +01:00
Matthias Clasen
cb5209282b resource: Small refactoring
Break out a helper function so we can reuse it in the next commit.
2024-09-12 21:15:55 +01:00
Philip Withnall
0134888d50
build: Bump gvdb subproject dependency and disable tests
This brings in https://gitlab.gnome.org/GNOME/gvdb/-/merge_requests/23,
which is needed for the following few commits.

Unfortunately, one of the other commits it brings in introduces a
sort-of-dependency-loop between GIO and GVDB. To avoid that, we have
to disable the GVDB tests. See
https://gitlab.gnome.org/GNOME/gvdb/-/merge_requests/25 for details.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-09-12 21:15:42 +01:00
Philip Withnall
ebdfcf15bf Merge branch 'meson' into 'main'
build: Bump Meson dependency to 1.4.0

See merge request GNOME/glib!4244
2024-09-12 19:06:19 +00:00
Benjamin Gilbert
b2342b1e0c subprojects: Update zlib to 1.3.1
Bug fixes and a security fix for CVE-2022-37434.
2024-09-12 19:15:34 +01:00