Commit Graph

30512 Commits

Author SHA1 Message Date
Simon McVittie
43c5af517c gdocumentportal: Treat more error codes as a permissions error
If the file to be added is on a read-only filesystem, opening read/write
will fail with EROFS. In this case we should fall back to opening it
read-only, the same way we already do if write access is forbidden by
DAC or MAC.

An easy way to reproduce this test failure is to build and test GLib
in a podman container, with its source code read-only and its build
directory read/write:

    podman run --rm -it \
    -v $(pwd):$(pwd):ro \
    -v $(pwd)/_build:$(pwd)/_build:rw \
    -w $(pwd) ...

Before this commit, the dbus-appinfo test would fail, because opening
${srcdir}/gio/tests/org.gtk.test.dbusappinfo.flatpak.desktop read/write
would fail with EROFS.

For completeness, give similar handling to the other error codes
documented in Linux open(2) that might succeed if re-attempted using
read-only access: according to that documentation, we could get EPERM
if opening read/write is prevented by fcntl F_ADD_SEALS, or ETXTBSY
if the file is an executable that is currently being run.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2024-05-01 18:34:04 +01:00
Simon McVittie
8c533510ee gdocumentportal: Factor out opening_ro_might_succeed()
No functional change.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2024-05-01 18:33:37 +01:00
Ray Strode
c7caf98646 Merge branch 'track-bus-name-owners-for-signal-subscriptions' into 'main'
Track bus name owners for signal subscriptions

See merge request GNOME/Security/glib!1
2024-05-01 13:34:40 +00:00
Simon McVittie
96e3190aef tests: Ensure that unsubscribing with GetNameOwner in-flight doesn't crash
This was a bug that existed during development of this branch; make sure
it doesn't come back.

This test fails with a use-after-free and crash if we comment out the
part of name_watcher_unref_watched_name() that removes the name watcher
from `map_method_serial_to_name_watcher`.

It would also fail with an assertion failure if we asserted in
name_watcher_unref_watched_name() that get_name_owner_serial == 0
(i.e. that GetNameOwner is not in-flight at destruction).

Signed-off-by: Simon McVittie <smcv@collabora.com>
2024-05-01 13:42:27 +01:00
Simon McVittie
f6d1b5471a tests: Add a test for signal filtering by well-known name
The vulnerability reported as GNOME/glib#3268 can be characterized
as: these signals from an attacker should not be delivered to either
the GDBusConnection or the GDBusProxy, but in fact they are (in at
least some scenarios).

Reproduces: https://gitlab.gnome.org/GNOME/glib/-/issues/3268
Signed-off-by: Simon McVittie <smcv@collabora.com>
2024-05-01 13:42:27 +01:00
Simon McVittie
fc0ee92072 tests: Add a test for matching by two well-known names
The expected result is that because TEST_CONN_SERVICE owns
ALREADY_OWNED_NAME but not (yet) OWNED_LATER_NAME, the signal will be
delivered to the subscriber for the former but not the latter.
Before #3268 was fixed, it was incorrectly delivered to both.

Reproduces: https://gitlab.gnome.org/GNOME/glib/-/issues/3268 (partially)
Signed-off-by: Simon McVittie <smcv@collabora.com>
2024-05-01 13:42:27 +01:00
Simon McVittie
d4b6537651 gdbusconnection: Don't deliver signals if the sender doesn't match
Otherwise a malicious connection on a shared bus, especially the system
bus, could trick GDBus clients into processing signals sent by the
malicious connection as though they had come from the real owner of a
well-known service name.

Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/3268
Signed-off-by: Simon McVittie <smcv@collabora.com>
2024-05-01 13:42:27 +01:00
Simon McVittie
683b14b981 gdbus: Track name owners for signal subscriptions
We will use this in a subsequent commit to prevent signals from an
impostor from being delivered to a subscriber.

To avoid message reordering leading to misleading situations, this does
not use the existing mechanism for watching bus name ownership, which
delivers the ownership changes to other main-contexts. Instead, it all
happens on the single thread used by the GDBusWorker, so the order in
which messages are received is the order in which they are processed.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2024-05-01 13:27:24 +01:00
Marco Trevisan
4bd416f0ff Merge branch '3342-arg0-match-crash' into 'main'
gdbusconnection: Fix a crash on arg0 matching

Closes #3342

See merge request GNOME/glib!4028
2024-04-30 20:42:16 +00:00
Philip Withnall
fd93e12669
gdbusconnection: Fix a crash on arg0 matching
If a connection has two signal subscriptions active for the same signal,
one with arg0 matching and one without, a signal which doesn’t contain
an arg0 value (i.e. `g_dbus_message_get_arg0()` returns `NULL`) will
cause `NULL` to be passed to `strcmp()` when checking for a match
against the signal subscription which *has* arg0 matching, causing a
crash.

Fix that by adding the obvious `NULL` check, and add a unit test.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Fixes: #3342
2024-04-30 18:33:57 +01:00
Philip Withnall
740f2ea489 Merge branch 'jsparber/dbus_multiple_parameters' into 'main'
GApplication: Allow multiple parameters for D-Bus activation

Closes #3333

See merge request GNOME/glib!4026
2024-04-30 13:46:31 +00:00
Leônidas Araújo
872927c307 Update Brazilian Portuguese translation
(cherry picked from commit 7b07b0e675)
2024-04-29 18:11:49 +00:00
Julian Sparber
0144feb41f GApplication: Allow multiple parameters for D-Bus activation
D-Bus Activation allows passing an array of parameters. Allow apps to
export actions that accept tuples to match the number of elements in the
parameters so the full potential of the D-Bus interface can be used.

Closes: https://gitlab.gnome.org/GNOME/glib/-/issues/3333
2024-04-29 16:30:36 +02:00
Yuri Chornoivan
5488829638 Update Ukrainian translation 2024-04-28 06:02:01 +00:00
Michael Catanzaro
202188c5bf Merge branch 'wip/pwithnall/datetime-non-literal-null-conversion' into 'main'
gdatetime: Fix string type used to initialise array

See merge request GNOME/glib!4024
2024-04-26 14:39:23 +00:00
Philip Withnall
e12e81a02d
gdatetime: Fix string type used to initialise array
This fixes commit 057f0fcbfb. I didn’t
notice that `tmp` is an array of strings, not an array of chars, and
somehow my compiler didn’t warn. Seems only the macOS CI job is spotting
the problem here.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-04-26 10:28:47 +01:00
Philip Withnall
640ff0c4da Merge branch 'scan-build2-the-false-positives' into 'main'
Squash various false positives from scan-build

Closes #1767

See merge request GNOME/glib!4007
2024-04-25 23:55:35 +00:00
Philip Withnall
9fc63f93b4
gclosure: Delete old commented-out non-thread-safe code
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-04-26 00:21:15 +01:00
Philip Withnall
b1b8166a8a
ci: Make scan-build errors fatal in CI
\o/

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Fixes: #1767
2024-04-25 23:58:34 +01:00
Philip Withnall
b1bafda881
gvariant: Simplify GVariantType check in g_variant_format_string_scan_type()
Rather than returning through `G_VARIANT_TYPE`, which scan-build doesn’t
seem to fully understand ownership transfers through, just return `new`
directly, and do the `is_valid()` check separately.

The new code is equivalent to the old code, but squashes a scan-build
false positive around leaking `dest`. (See also: the previous commit.)

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:58:30 +01:00
Philip Withnall
156c1496ba
gvariant: Rework array iteration in g_variant_format_string_scan_type()
This introduces no functional changes. Switch from incrementing a
pointer to incrementing a counter and using array indexing.

This squashes a scan-build false positive, where it can’t choose which
of `dest` and `new` ‘own’ the newly allocated memory, so it kind of
assumes both do, and then warns there’s a potential leak of `dest` when
the function returns. In actual fact, ownership of the memory is
returned via `new`.

Partly this might be masked through use of the `G_VARIANT_TYPE` macro,
which the following commit will address.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:58:23 +01:00
Philip Withnall
79be995c0c
gtimezone: Add a missing precondition assertion
Otherwise scan-build thinks there could be `NULL` pointer dereference of
the `tz`. (There can’t be, it’s a false positive. 🤫)

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:58:18 +01:00
Philip Withnall
2d5fc78f63
gtestutils: Add an assertion to squash a scan-build false positive
scan-build thinks there’s a potential `NULL` pointer dereference of some
of the members of `msg->strings`, because it doesn’t know about the
implicit invariant that the length of `msg->strings` is
`msg->n_strings`.

Ideally we want an assertion like `g_assert (g_strv_length
(msg->strings) == msg->n_strings)`, but that’s not very performant, so
just settle for a non-`NULL` assertion on each loop iteration to give
scan-build the hint it needs.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:58:13 +01:00
Philip Withnall
cf940496df
ghostutils: Add a missing precondition check to g_hostname_to_unicode()
This helps out scan-build, which otherwise thinks there could be a
`NULL` pointer dereference.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:58:08 +01:00
Philip Withnall
057f0fcbfb
gdatetime: Fix a maybe-uninitialized warning
scan-build thinks that `tmp` can be dereferenced before it’s all been
assigned to. I don’t think that’s the case, because the number of
elements in it which have been assigned to is tracked as `i`. But static
analysers find that kind of state tracking hard to reason about, so
let’s just zero-initialise the array to simplify things.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:58:04 +01:00
Philip Withnall
f1d5a71bbc
girparser: Silence a scan-build NULL pointer dereference warning
It’s very obviously a false positive, as `str` has been added to on the
previous line, so can’t be `(void *) 0`. Not sure what scan-build is
thinking.

I’d rather not have this assertion (it doesn’t help the programmer’s
understanding of the code), but I would also rather have scan-build
running with no warnings so that it can helpfully catch newly-introduced
errors in future.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:57:59 +01:00
Philip Withnall
d2f5cd4153
tests: Fix a -Wmaybe-uninitialized warning in gdbus-serialization test
It’s a false positive, but easy enough to squash.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-04-25 23:57:55 +01:00
Philip Withnall
9f3322c784
gdbusdaemon: Disable scan-build for GDBusDaemon name refcounting
See the code comment. scan-build can’t handle analysis over the
refcounts, so consistently complains about potential use-after-free
errors in the code, essentially because:
 * It understands `name_unref()`, but completely ignores `name_ref()`
 * The code often calls `name_unref()` on the ‘wrong’ pointer, in the
   sense that it knows that if another struct exists, that struct holds
   a ref on a `Name`, but without actually having a pointer to the
   `Name`. So the code calls `name_unref (name); name_unref (name)`.
   That’s valid, but quite understandably looks like a recipe for a
   use-after-free.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:57:51 +01:00
Philip Withnall
672a33002e
gunixmounts: Squash a static analyser false positive
scan-build thinks that there can be a `NULL` pointer dereference of
`error` here because it doesn’t understand that the function return
value and `GError` are related: when a valid return value is returned,
the error is `NULL` and vice-versa.

Try and make that clearer to the static analyser by checking whether the
error is `NULL`, rather than the return value.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:57:46 +01:00
Philip Withnall
a1ff120a98
gsrvtarget: Silence false positive NULL pointer dereference
scan-build thinks there could be a `NULL` pointer dereference of
`t->data` here. It’s wrong, so add an assertion to try and help it
understand the control flow.

The loop is exited as soon as a target is found whose weight is greater
than or equal to a random value between 0 and the sum of all the weights
in the set of remaining targets in the loop. By definition, the last
target in the loop always satisfies this condition, so a target will
always be chosen, and hence `t` will never be `NULL` within the loop.

`t->data` will never be `NULL` by construction of the target list.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:57:41 +01:00
Philip Withnall
066298b6ef
gdbusconnection: Fix a false positive memory leak from scan-build
scan-build thinks that `data` could be leaked. It’s not, though; it’s
passed as the `user_data` to `g_dbus_connection_register_object()` along
with its free function.

Try and persuade scan-build that there’s no leak by annotating the
transfer.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:57:36 +01:00
Philip Withnall
d97627442f
gclosure: Rename atomic bit operation macros
This just makes it a bit clearer that they’re atomic/for thread safety,
and not just NIHed bit operations with shouty names.

This introduces no functional changes.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-04-25 23:57:32 +01:00
Philip Withnall
e41b4b1acb
gclosure: Split out invalidation to a helper function
This avoids the need to ref/unref the closure while invalidating it in
the `closure->ref_count == 1` path in `g_closure_unref()`.

scan-build gets very confused about the ref count here, and ends up
assuming it’s possible for the `g_closure_unref()` call in
`g_closure_invalidate()` to finalise the closure when the latter is
called from `g_closure_unref()`. There was an existing assertion in
`g_closure_invalidate()` which hinted that this wasn’t possible, but
scan-build doesn’t seem to be able to propagate assumptions about
refcounts between function contexts.

So, introduce an internal variant of `g_closure_invalidate()` which can
skip modifying the closure’s refcount. It’s safe to invalidate the
closure without adding a ref when doing so from `g_closure_unref()` with
`closure->ref_count == 1` because at that point `g_closure_unref()`
holds the only remaining ref to the closure. So none of the invalidation
callbacks are allowed to unref it further.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:57:27 +01:00
Philip Withnall
4894168631
gproxyaddressenumerator: Strengthen some type assertions
scan-build was complaining that `dest_hostname` and `dest_protocol` were
used after being freed, which could potentially happen if the code is
built with `G_DISABLE_CHECKS`. This is a false positive, because the
state of types in the program should be the same regardless of whether
`G_DISABLE_CHECKS` is used.

However, the code did smell. If we are trying to free things and return
gracefully if the underlying socket address enumerator returns something
of the wrong type, why not free the rest of the function’s state, or
skip the invalid address and move on to the next one? Or if we are trying
to make an assertion, why bother freeing some temporary data at all?
This halfway house doesn’t make sense.

So turn the `g_return_val_if_fail()` into a full assertion.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:16:30 +01:00
Philip Withnall
05158475e9
gunidecomp: Fix a false positive from the static analyser
scan-build was complaining that the `wc_buffer[old_n_wc]` in `cc =
COMBINING_CLASS (wc_buffer[old_n_wc])` could dereference memory off the
end of the initialised `wc_buffer` array. It came to this conclusion by
assuming that the result of `find_decomposition()` for one of the
`gunichar`s was a non-`NULL` empty string, so that iteration of the
decomposition loop didn’t append anything to `wc_buffer`.

I don’t think it’s possible for an iteration of the loop to *not* append
anything to `wc_buffer`. Unicode characters don’t decompose to nothing.

Indeed, the current code coverage for GLib says that the `if (n_wc > 0)`
branch is always taken, and at that point in the control flow, `n_wc <=
0` is never true.

So, add an assertion to check that progress is made (i.e. `n_wc` is
incremented by at least 1), and remove the unnecessary condition.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:16:26 +01:00
Philip Withnall
70a49e35cc
gtype: Move an assertion to help out the static analyser
scan-build is worried that `node->data->common.value_table->value_init`
will be a `NULL` pointer dereference in the assignment to
`node->mutatable_check_cache`.

There’s already an assertion immediately below to check against this, so
let’s move it up a line to help the static analyser out.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:16:22 +01:00
Philip Withnall
6a1beede60
gobject: Add an assertion to avoid a static analysis false positive
Avoid scan-build thinking that `new_wrdata` could be `NULL` on this
control path. It can’t be `NULL` if `new_object` is set.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:16:17 +01:00
Philip Withnall
62b5c738e7
gvariant-serialiser: Add an assertion to help the static analyser
scan-build thinks that `gvs_variable_sized_array_is_normal()` can do a
`NULL` pointer dereference on `value.data` when `value.size == 0`. This
isn’t possible, because `offsets.length == 0` always when `value.size ==
0`, but that’s a bit of a complex relationship which the static analyser
can’t work out.

Give it some help by adding an assertion.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:16:13 +01:00
Philip Withnall
3e68debb13
xdgmime: Add assertion to silence static analysis false positive
After a lot of loop unwinding, during which I think it might have lost
its knowledge that `cache->buffer != NULL` (from a prior check on line
765), scan-build seems to think that there can be a `NULL` pointer
dereference of `cache->buffer` within `cache_magic_compare_to_data()`.
There can’t be. Add an assertion to try and help the analyser.

Upstreamed as
https://gitlab.freedesktop.org/xdg/xdgmime/-/merge_requests/38.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:16:08 +01:00
Philip Withnall
c4affcb4f0
gsequence: Squash a static analysis false positive
scan-build thinks there can be a `NULL` pointer dereference in `while
((i = N_NODES (node->left)) != pos)`, if `node` is `NULL`.

`node` cannot be `NULL`, though, assuming the `n_nodes` member of each
node in the tree is an accurate count of the number of nodes beneath
that point. It controls the tree descent and avoids trying to descend
beneath a leaf.

A static analyser can’t know this though, so let’s add an assertion to
help.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:16:04 +01:00
Philip Withnall
ff4c17bc30
gnetworkmonitornetlink: Refactor error handling in read_netlink_messages()
scan-build thinks that it’s possible for `read_netlink_messages()` to
return `FALSE` and an unset error (or `TRUE` and a set error), and this
belief causes it to emit warnings for code which calls
`read_netlink_messages()`.

That’s not possible, but the function is written in such a way that
following the control flow would be hard for a static analyser. It would
have to work out that `retval` and `local_error == NULL` are identical
on all control flow branches.

Avoid the need for such complex analysis by eliminating `retval` and
just using `local_error` throughout.

This introduces no functional changes to the code.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:16:00 +01:00
Philip Withnall
b3cd9aaa98
gdesktopappinfo: Fix a maybe-uninitialized warning
scan-build thinks that `term_arg` could be used uninitialised. I think
there isn’t a bug here because that use is protected by the
`found_terminal == NULL` check and early return. But perhaps that logic
is a bit too complex for static analysis, so add a default value for the
variable.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>

Helps: #1767
2024-04-25 23:15:55 +01:00
Emmanuele Bassi
18cd1590c3 Merge branch 'size_t-conversions' into 'main'
Fix various implicit conversions from size_t to smaller types

See merge request GNOME/glib!4023
2024-04-25 14:03:17 +00:00
Philip Withnall
e9655c597a
gobject: Fix various implicit conversions from size_t to smaller types
Basically various trivial instances of the following MSVC compiler
warning:
```
../gio/gio-tool-set.c(50): warning C4267: '=': conversion from 'size_t' to 'int', possible loss of data
```

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-04-25 12:39:46 +01:00
Philip Withnall
f7b48b5c25
gmodule: Fix various implicit conversions from size_t to smaller types
Basically various trivial instances of the following MSVC compiler
warning:
```
../gio/gio-tool-set.c(50): warning C4267: '=': conversion from 'size_t' to 'int', possible loss of data
```

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-04-25 12:39:39 +01:00
Philip Withnall
362f92b693
glib: Fix various implicit conversions from size_t to smaller types
Basically various trivial instances of the following MSVC compiler
warning:
```
../gio/gio-tool-set.c(50): warning C4267: '=': conversion from 'size_t' to 'int', possible loss of data
```

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-04-25 12:39:33 +01:00
Philip Withnall
ec36370dcb
girepository: Fix various implicit conversions from size_t to smaller types
Basically various trivial instances of the following MSVC compiler
warning:
```
../gio/gio-tool-set.c(50): warning C4267: '=': conversion from 'size_t' to 'int', possible loss of data
```

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-04-25 00:41:34 +01:00
Philip Withnall
e7aa0039b9
gsocks5proxy: Rework functions to separate length and success/failure
The previous approach was to return a length as a `gssize`, with
negative values indicating failure. That works fine, but causes a lot of
signed/unsigned comparisons or assignments.

Tidy the code up by splitting success from length, returning success as
a boolean, and length as a `size_t*` out argument. This introduces no
functional changes, but does tidy the code up and fix some compiler
integer warnings.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-04-25 00:39:13 +01:00
Philip Withnall
6e362ce3b6
gio: Fix various implicit conversions from size_t to smaller types
Basically various trivial instances of the following MSVC compiler
warning:
```
../gio/gio-tool-set.c(50): warning C4267: '=': conversion from 'size_t' to 'int', possible loss of data
```

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
2024-04-25 00:37:47 +01:00
Michael Catanzaro
c378a5a049 Merge branch 'url-patch' into 'main'
gfileinfo: Fixed broken link to gio/file-attributes.html

See merge request GNOME/glib!4022
2024-04-23 21:50:20 +00:00