Commit Graph

23220 Commits

Author SHA1 Message Date
Philip Withnall
5bc9710fa6 2.67.3
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2021-02-04 18:07:19 +00:00
Philip Withnall
feff097f27 gstrfuncs: Deprecate g_memdup() in favour of g_memdup2()
Unfortunately, `g_memdup()` accepts its size argument as a `guint`,
unlike most other functions which deal with memory sizes — they all use
`gsize`. `gsize` is 64 bits on 64-bit machines, while `guint` is only 32
bits. This can lead to a silent (with default compiler warnings)
truncation of the value provided by the caller. For large values, this
will result in the returned heap allocation being significantly smaller
than the caller expects, which will then lead to buffer overflow
reads/writes.

Any code using `g_memdup()` should immediately port to `g_memdup2()` and
check the pointer arithmetic around their call site to ensure there
aren’t other overflows.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Fixes: #2319
2021-02-04 17:34:03 +00:00
Philip Withnall
20cfc75d14 Merge branch '2319-memdup' into 'master'
Add g_memdup2()

Closes #2319

See merge request GNOME/glib!1926
2021-02-04 17:12:36 +00:00
Philip Withnall
0cc11f745e giochannel: Forbid very long line terminator strings
The public API `GIOChannel.line_term_len` is only a `guint`. Ensure that
nul-terminated strings passed to `g_io_channel_set_line_term()` can’t
exceed that length. Use `g_memdup2()` to avoid a warning (`g_memdup()`
is due to be deprecated), but not to avoid a bug, since it’s also
limited to `G_MAXUINT`.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 16:17:21 +00:00
Philip Withnall
a8b204ff9d gtlspassword: Forbid very long TLS passwords
The public API `g_tls_password_set_value_full()` (and the vfunc it
invokes) can only accept a `gssize` length. Ensure that nul-terminated
strings passed to `g_tls_password_set_value()` can’t exceed that length.
Use `g_memdup2()` to avoid an overflow if they’re longer than
`G_MAXUINT` similarly.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 16:17:21 +00:00
Philip Withnall
a2e38fd28e gsocket: Use gsize to track native sockaddr’s size
Don’t use an `int`, that’s potentially too small. In practical terms,
this is not a problem, since no socket address is going to be that big.

By making these changes we can use `g_memdup2()` without warnings,
though. Fewer warnings is good.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 16:17:21 +00:00
Philip Withnall
7781a9cbd2 gkeyfilesettingsbackend: Handle long keys when converting paths
Previously, the code in `convert_path()` could not handle keys longer
than `G_MAXINT`, and would overflow if that was exceeded.

Convert the code to use `gsize` and `g_memdup2()` throughout, and
change from identifying the position of the final slash in the string
using a signed offset `i`, to using a pointer to the character (and
`strrchr()`). This allows the slash to be at any position in a
`G_MAXSIZE`-long string, without sacrificing a bit of the offset for
indicating whether a slash was found.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 16:17:21 +00:00
Philip Withnall
9acebef777 gwin32: Use gsize internally in g_wcsdup()
This allows it to handle strings up to length `G_MAXSIZE` — previously
it would overflow with such strings.

Update the several copies of it identically.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 16:17:21 +00:00
Philip Withnall
41d5eedad4 gdatainputstream: Handle stop_chars_len internally as gsize
Previously it was handled as a `gssize`, which meant that if the
`stop_chars` string was longer than `G_MAXSSIZE` there would be an
overflow.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 16:17:21 +00:00
Philip Withnall
81a454237d gwinhttpfile: Avoid arithmetic overflow when calculating a size
The members of `URL_COMPONENTS` (`winhttp_file->url`) are `DWORD`s, i.e.
32-bit unsigned integers. Adding to and multiplying them may cause them
to overflow the unsigned integer bounds, even if the result is passed to
`g_memdup2()` which accepts a `gsize`.

Cast the `URL_COMPONENTS` members to `gsize` first to ensure that the
arithmetic is done in terms of `gsize`s rather than unsigned integers.

Spotted by Sebastian Dröge.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 16:17:21 +00:00
Philip Withnall
19470722b3 glib: Use g_memdup2() instead of g_memdup() in obvious places
Convert all the call sites which use `g_memdup()`’s length argument
trivially (for example, by passing a `sizeof()` or an existing `gsize`
variable), so that they use `g_memdup2()` instead.

In almost all of these cases the use of `g_memdup()` would not have
caused problems, but it will soon be deprecated, so best port away from
it

In particular, this fixes an overflow within `g_bytes_new()`, identified
as GHSL-2021-045 by GHSL team member Kevin Backhouse.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Fixes: GHSL-2021-045
Helps: #2319
2021-02-04 16:04:10 +00:00
Philip Withnall
f10101b909 gobject: Use g_memdup2() instead of g_memdup() in obvious places
Convert all the call sites which use `g_memdup()`’s length argument
trivially (for example, by passing a `sizeof()`), so that they use
`g_memdup2()` instead.

In almost all of these cases the use of `g_memdup()` would not have
caused problems, but it will soon be deprecated, so best port away from
it.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 14:13:21 +00:00
Philip Withnall
73b293fd30 gio: Use g_memdup2() instead of g_memdup() in obvious places
Convert all the call sites which use `g_memdup()`’s length argument
trivially (for example, by passing a `sizeof()`), so that they use
`g_memdup2()` instead.

In almost all of these cases the use of `g_memdup()` would not have
caused problems, but it will soon be deprecated, so best port away from
it.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #2319
2021-02-04 14:13:21 +00:00
Philip Withnall
f8cf0b8672 gstrfuncs: Add g_memdup2() function
This will replace the existing `g_memdup()` function, which has an
unavoidable security flaw of taking its `byte_size` argument as a
`guint` rather than as a `gsize`. Most callers will expect it to be a
`gsize`, and may pass in large values which could silently be truncated,
resulting in an undersize allocation compared to what the caller
expects.

This could lead to a classic buffer overflow vulnerability for many
callers of `g_memdup()`.

`g_memdup2()`, in comparison, takes its `byte_size` as a `gsize`.

Spotted by Kevin Backhouse of GHSL.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: GHSL-2021-045
Helps: #2319
2021-02-04 14:13:03 +00:00
Sebastian Dröge
e41a36784c Merge branch 'wip/sadiq/fix-memory-leak' into 'master'
gapplication: Fix a memory leak

See merge request GNOME/glib!1925
2021-02-04 13:40:28 +00:00
Mohammed Sadiq
a1203b3d3b gapplication: Fix a memory leak 2021-02-04 18:38:17 +05:30
Sebastian Dröge
8385664f47 Merge branch 'master' into 'master'
gdatetime: Add math library support

Closes #2314

See merge request GNOME/glib!1916
2021-02-04 08:03:22 +00:00
Jan Kot
0b0fcfad11 Add support for Tilix and Konsole 2021-02-03 20:44:55 +01:00
Sebastian Dröge
f67b12467b Merge branch 'atomic-take2' into 'master'
atomic: Fix type check of g_atomic_pointer_compare_and_exchange()

See merge request GNOME/glib!1919
2021-02-03 15:18:55 +00:00
Xavier Claessens
580b415ebd atomic: Fix type check of g_atomic_pointer_compare_and_exchange() 2021-02-03 09:37:04 -05:00
Xavier Claessens
7459bf9a19 Revert "atomic: Fix type error with clang++"
This reverts commit d95885d91e.
2021-02-03 09:37:04 -05:00
Philip Withnall
018ae0982c Merge branch 'wip/gdbus-even-when-setcap' into 'master'
Resolve GDBus regressions in setcap/setgid programs

Closes #2305

See merge request GNOME/glib!1920
2021-02-03 11:28:20 +00:00
Philip Withnall
ab46205db1 Merge branch 'carlosgc/uri-host-nullable' into 'master'
guri: Mark g_uri_get_host as nullable

See merge request GNOME/glib!1921
2021-02-03 09:59:29 +00:00
Carlos Garcia Campos
5221b6a261 guri: Mark g_uri_get_host as nullable
It's currently annotated as not nullable, but it can be NULL.
2021-02-03 09:47:30 +00:00
Prasanth R
62fc437773 gdatetime: Add math library support
W.r.to c3805d74b uClibc fails in linking
Fixes #2314
2021-02-03 14:09:10 +05:30
Simon McVittie
7aa0580cc5 gdbus: Use DBUS_SESSION_BUS_ADDRESS if AT_SECURE but not setuid
This is against my better judgement, but it's the least bad regression
fix I can think of. If we don't do this, at least gnome-keyring-daemon
(setcap) and msmtp (setgid) are known to regress.

Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/2305
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981420
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981555
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-02 20:52:19 +00:00
Simon McVittie
6436d52a0a gdbus: Rename a variable to be less misleading
We're using "setuid" here as shorthand for any elevated privileges
that should make us distrust the caller: setuid, setgid, filesystem
capabilities, more obscure Linux things that set the AT_SECURE flag
(such as certain AppArmor transitions), and their equivalents on
other operating systems. This is fine if we do it consistently, but
I'm about to add a check for whether we are *literally* setuid,
which would be particularly confusing without a rename.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-02 20:38:41 +00:00
Sebastian Dröge
7e958fd1fe Merge branch 'fix_more_warnings' into 'master'
Fix more warnings

See merge request GNOME/glib!1911
2021-02-02 16:11:53 +00:00
Emmanuel Fleury
ccb43b3821 Fix signedness warnings in gio/ghttpproxy.c:g_http_proxy_connect()
gio/ghttpproxy.c: In function ‘g_http_proxy_connect’:
gio/ghttpproxy.c:245:17: error: comparison of integer expressions of different signedness: ‘gsize’ {aka ‘long unsigned int’} and ‘int’
  245 |       if (nread == -1)
      |                 ^~
gio/ghttpproxy.c:253:22: error: comparison of integer expressions of different signedness: ‘gssize’ {aka ‘long int’} and ‘gsize’ {aka ‘long unsigned int’}
  253 |       if (bytes_read == buffer_length)
      |                      ^~
2021-02-02 16:31:07 +01:00
Sebastian Dröge
e38982df4b Merge branch 'atomic-typeof' into 'master'
Define glib_typeof with C++11 decltype()

Closes #2226

See merge request GNOME/glib!1715
2021-02-02 10:51:50 +00:00
Sebastian Dröge
e6f506a92c Merge branch 'fix/unix-stream-pollable-detection' into 'master'
gunix: Fix {Input,Output}Stream pollable detection

Closes #1180

See merge request GNOME/glib!1846
2021-02-02 10:46:52 +00:00
Philip Withnall
94007bbcb7 Merge branch 'key-file-get-comment-nullable' into 'master'
Mark g_key_file_get_comment() key parameter as nullable

See merge request GNOME/glib!1915
2021-02-02 10:36:56 +00:00
Simon McVittie
7c0b9c776f gdbus: Improve readability by avoiding ternary operator
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-02 10:25:40 +00:00
Ole André Vadla Ravnås
d7ee70c013 gunix: Fix {Input,Output}Stream pollable detection
For devices such as PTYs, where not being able to cancel a pending read
operation is problematic for many applications.

Fixes: #1180
2021-02-02 11:11:53 +01:00
Sebastian Dröge
02fbe86e07 Mark g_key_file_get_comment() key parameter as nullable
It will return the comment above the group (or at the top of the file)
then according to the documentation.
2021-02-02 10:14:57 +02:00
Philip Withnall
6cca256526 Merge branch 'wip/avoid-searching-path' into 'master'
spawn: Don't set a search path if we don't want to search PATH

See merge request GNOME/glib!1902
2021-02-01 11:58:51 +00:00
Simon McVittie
07bf886cf3 Merge branch 'wip/smcv/address-sanitizer' into 'master'
Start to ignore known leaks under AddressSanitizer

See merge request GNOME/glib!1905
2021-02-01 11:32:56 +00:00
Simon McVittie
f378352051 tests: Mark tests with AddressSanitizer-detected leaks
Various tests have leaks where it isn't clear whether the data is
intentionally not freed, or leaked due to a bug. If we mark these
tests as TODO, we can skip them under AddressSanitizer and get the
rest to pass, giving us a baseline from which to avoid regressions.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 11:19:59 +00:00
Simon McVittie
41ed1c6d5d gutils: Tell AddressSanitizer not to track previous XDG directories
We reset these in some unit tests, and must deliberately leak them to
avoid having to break API.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 10:44:35 +00:00
Simon McVittie
023793071b glib-private: Add wrappers for telling AddressSanitizer to ignore leaks
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 10:44:35 +00:00
Simon McVittie
9fef98cf84 gtestutils: Default to -m no-undefined under AddressSanitizer
AddressSanitizer detects memory leaks, NULL parameters where only a
non-NULL parameter is expected, and other suspicious behaviour, so if
we try to test that sort of thing we can expect it to fail.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 10:44:35 +00:00
Simon McVittie
98804781ce glib-private: Add infrastructure to detect AddressSanitizer
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 10:44:35 +00:00
Simon McVittie
5685546ab1 gio: Don't run gsocketclient-slow test under sanitizers
AddressSanitizer, UndefinedBehaviourSanitizer and probably others
involve adding instrumentation into the code under test, which doesn't
go well with LD_PRELOAD modules that absolutely need to be
self-contained.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 10:44:35 +00:00
Simon McVittie
def3e33c36 error test: Don't test programmer error if asked not to
Signed-off-by: Simon McVittie <smcv@collabora.com>
2021-02-01 10:44:35 +00:00
Emmanuel Fleury
2fd429046d Fix several missing initializer warnings in gio/gapplication.c:g_application_parse_command_line()
gio/gapplication.c: In function ‘g_application_parse_command_line’:
gio/gapplication.c:545:11: error: missing initializer for field ‘arg_description’ of ‘GOptionEntry’ {aka ‘struct _GOptionEntry’}
  545 |           N_("Enter GApplication service mode (use from D-Bus service files)") },
      |           ^~
gio/gapplication.c:557:11: error: missing initializer for field ‘arg_description’ of ‘GOptionEntry’ {aka ‘struct _GOptionEntry’}
  557 |           N_("Override the application’s ID") },
      |           ^~
gio/gapplication.c:569:11: error: missing initializer for field ‘arg_description’ of ‘GOptionEntry’ {aka ‘struct _GOptionEntry’}
  569 |           N_("Replace the running instance") },
      |           ^~
2021-02-01 11:14:21 +01:00
Emmanuel Fleury
0cc48ee937 Fix missing initializer warning in gio/gdbusobjectmanagerserver.c
gio/gdbusobjectmanagerserver.c:892:1: error: missing initializer for field ‘padding’ of ‘GDBusInterfaceVTable’ {aka ‘const struct _GDBusInterfaceVTable’}
  892 | };
      | ^
2021-02-01 11:14:21 +01:00
Emmanuel Fleury
68e69a4128 Fix missing initializer warning in gio/gdbusconnection.c:g_dbus_connection_register_object_with_closures()
gio/gdbusconnection.c: In function ‘g_dbus_connection_register_object_with_closures’:
gio/gdbusconnection.c:5527:5: error: missing initializer for field ‘padding’ of ‘GDBusInterfaceVTable’ {aka ‘struct _GDBusInterfaceVTable’}
 5527 |     };
      |     ^
2021-02-01 11:14:21 +01:00
Emmanuel Fleury
80fa64d974 Fix missing initializer warning in gio/gdelayedsettingsbackend.c:delayed_backend_path_writable_changed()
gio/gdelayedsettingsbackend.c: In function ‘delayed_backend_path_writable_changed’:
gio/gdelayedsettingsbackend.c:406:7: error: missing initializer for field ‘index’ of ‘CheckPrefixState’
  406 |       CheckPrefixState state = { path, g_new (const gchar *, n_keys) };
      |       ^~~~~~~~~~~~~~~~
2021-02-01 11:14:21 +01:00
Sebastian Dröge
c07f8a70dc Merge branch 'th/gsignal-cleanup' into 'master'
[th/gsignal-cleanup] minor changes to GSignal related code

See merge request GNOME/glib!1900
2021-02-01 09:07:51 +00:00
Thomas Haller
8416211231 gsignal: use g_clear_signal_handler() macro to implement g_clear_signal_handler() function
We have a "good" implementation of g_clear_signal_handler() in
form of a macro. Use it, and don't duplicate the code.

Also add a comment to the documentation that "instance" in fact must
not point to a valid GObject instance -- if the handler ID is unset.

Also reword the documentation about the reasoning for why a macro
version exists. The reason is not to use the function "without
pointer cast". I don't think the non-macro version requires any
pointer cast, since "instance" is a void pointer. Was this referring
to the handler_id_ptr? That doesn't seem right either, because the
caller should always provide a "gulong *" pointer and nothing else.
2021-02-01 09:45:46 +01:00