Unfortunately, `g_memdup()` accepts its size argument as a `guint`,
unlike most other functions which deal with memory sizes — they all use
`gsize`. `gsize` is 64 bits on 64-bit machines, while `guint` is only 32
bits. This can lead to a silent (with default compiler warnings)
truncation of the value provided by the caller. For large values, this
will result in the returned heap allocation being significantly smaller
than the caller expects, which will then lead to buffer overflow
reads/writes.
Any code using `g_memdup()` should immediately port to `g_memdup2()` and
check the pointer arithmetic around their call site to ensure there
aren’t other overflows.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Fixes: #2319
Convert all the call sites which use `g_memdup()`’s length argument
trivially (for example, by passing a `sizeof()` or an existing `gsize`
variable), so that they use `g_memdup2()` instead.
In almost all of these cases the use of `g_memdup()` would not have
caused problems, but it will soon be deprecated, so best port away from
it
In particular, this fixes an overflow within `g_bytes_new()`, identified
as GHSL-2021-045 by GHSL team member Kevin Backhouse.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Fixes: GHSL-2021-045
Helps: #2319
This will replace the existing `g_memdup()` function, which has an
unavoidable security flaw of taking its `byte_size` argument as a
`guint` rather than as a `gsize`. Most callers will expect it to be a
`gsize`, and may pass in large values which could silently be truncated,
resulting in an undersize allocation compared to what the caller
expects.
This could lead to a classic buffer overflow vulnerability for many
callers of `g_memdup()`.
`g_memdup2()`, in comparison, takes its `byte_size` as a `gsize`.
Spotted by Kevin Backhouse of GHSL.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: GHSL-2021-045
Helps: #2319
Various tests have leaks where it isn't clear whether the data is
intentionally not freed, or leaked due to a bug. If we mark these
tests as TODO, we can skip them under AddressSanitizer and get the
rest to pass, giving us a baseline from which to avoid regressions.
Signed-off-by: Simon McVittie <smcv@collabora.com>
For manual test coverage that would reproduce the bug fixed in !1902,
copy /bin/true (or any other harmless executable) to
/usr/bin/spawn-test-helper.
Signed-off-by: Simon McVittie <smcv@collabora.com>
There are various places glib uses __typeof__ for type safety, but
that's a GNUC extension. C++11 has standard decltype() that does a
similar job, at least for cases we care about.
This avoids C++ code to always have to cast return value of
g_object_ref() which was causing type kind of error:
error: invalid conversion from ‘gpointer’ {aka ‘void*’} to
‘GstElementFactory*’ {aka ‘_GstElementFactory*’} [-fpermissive]
I found myself wanting to know the test that is currently being run,
where e.g. __func__ would be inconvenient to use, because e.g. the place
the string was needed was not in the test case function. Using __func__
also relies on the test function itself containing the whole path, while
loosing the "/" information that is part of the test path.
On FreeBSD it always crashes due to the platform’s `vasprintf()`
implementation being less forgiving than Linux’s. That’s fine.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
This is mostly to cover historic code, but also includes a couple of
additional tests for extended error domains (see #14).
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Realistically any date over 200 bytes long is not going to be valid, so
limit the input length so we can’t spend too long doing UTF-8 validation
or normalisation.
oss-fuzz#28718
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
On heavily loaded CI machines it seems to be taking about 1.3s between
one `g_get_monotonic_time()` call and the next. Allow that.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Occasionally this test fails in CI with the message:
```
assertion failed: (current_time / 1000000 - last_time / 1000000 == 1)
```
The way this calculation is done at the moment, a difference of 1001ms
between `current_time` and `last_time` can result in failure, if the
times are close to a multiple to 1000ms.
Change it to only truncate the result after doing the subtraction, and
add a 500ms tolerance to account for scheduling delays in the test. (For
example, the `test_func()` could be called, then descheduled before it
gets to call `g_get_monotonic_time()`.
Additionally, change the test to use `g_assert_cmpint()` so that future
failures provide more useful debug information.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
The fiendish thing about NAN is that it never compares TRUE against
anything, so the limit checks `seconds < 0.0 || seconds >= 60.0` were
never triggering.
oss-fuzz#28473
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
The `nameprep()` function in `ghostutils.c` is quite complex, and does a
lot of allocations. This means it can take a long time on long hostnames
(on the order of 10KB long). Hostnames should never be that long,
though, so impose some loose length limits.
oss-fuzz#27371
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
They extend the behavior of, respectively, -p and -s options of the
glib test framework
Currently test suite are only run for one level under -p path, for
example, testfilemonitor -p /monitor would execute the following tests:
/monitor/atomic-replace
/monitor/file-changes
/monitor/dir-monitor
/monitor/dir-not-existent
/monitor/cross-dir-moves
With the --run-prefix the sub-test suite file will be executed:
/monitor/atomic-replace
/monitor/file-changes
/monitor/dir-monitor
/monitor/dir-not-existent
/monitor/cross-dir-moves
/monitor/file/hard-links
The --skip-prefix and run-prefix seems symmetrical, but there is a
difference with skip towards run:
--skip-prefix will use a prefix while --run-prefix only work for a valid test path.
For example and for the following test family:
/monitor/atomic-replace
/monitor/file-changes
/monitor/dir-monitor
/monitor/dir-not-existent
/monitor/cross-dir-moves
/monitor/file/hard-links
while --run-prefix /mon will not execute anything, --skip-prefix /mon
will skip all of these tests.
See #2238 which references this change.
- Add a test for parsing FILE scheme from uri
It had taken from GST test_protocol_case
- Add a split uri test with encoded spaces in its path
It had taken from GST test_uri_get_location
- Add tests for g_uri_is_valid
It had taken from GST test_uri_misc
Note that the 4 followings uri failed under gst_uri_is_valid but not
under g_uri_is_valid
B:\\foo.txt
B:/foo.txt
B://foo.txt
B:foo.txt
- Add tests for g_uri_split
It had taken from GST test_url_parsing
- Add tests for test_uri_normalize and test_uri_parsing_relative
The test URI had been taken from GST test_url_normalization
- Add tests for test_uri_iter_params
It had taken from GST test_url_unescape_equals_in_http_query
Closes#2150
Signed-off-by: Frederic Martinsons <frederic.martinsons@sigfox.com>
For URIs produced in string form, the path should be normalized and port
omitted when the default one is used. When querying the path and port of
a GUri (using getters or g_uri_split()) the normalized path and the
default port should be returned when they were omitted in the parsed URI.
Closes#2257
`g_time_zone_new_identifier()` returns NULL in the FreeBSD test setup,
presumably because `TZ` isn’t set.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #553
Use `g_time_zone_new_identifier()` instead so you can get error
checking.
Adapt the tests to match.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #553
`volatile` should not be used to indicate atomic variables, and we
shouldn’t encourage its use. Keep the tests, since they check that we
don’t emit warnings when built against incorrect old code which uses
`volatile`. But add a comment to stop copy/paste use of `volatile`
in the future.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #600
These variables were already (correctly) accessed atomically. The
`volatile` qualifier doesn’t help with that.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #600
And drop the `volatile` qualifier from the variable, as that doesn’t
help with thread safety.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #600
And drop the `volatile` qualifier from the variable, as that doesn’t
help with thread safety.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Helps: #600
Add a new variant of `g_time_zone_new()` which returns `NULL` on
failure to load a timezone, rather than silently returning UTC.
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
Fixes: #553
In file included from glib/glib.h:86,
from glib/tests/uri.c:25:
glib/gtestutils.h:134:96: error: comparison of integer expressions of different signedness: ‘gint’ {aka ‘int’} and ‘GConvertError’
134 | if (!err || (err)->domain != dom || (err)->code != c) \
| ^~
glib/tests/uri.c:182:9: note: in expansion of macro ‘g_assert_error’
182 | g_assert_error (error, G_CONVERT_ERROR, file_to_uri_tests[i].expected_error);
| ^~~~~~~~~~~~~~
glib/gtestutils.h:134:96: error: comparison of integer expressions of different signedness: ‘gint’ {aka ‘int’} and ‘GConvertError’
134 | if (!err || (err)->domain != dom || (err)->code != c) \
| ^~
glib/tests/uri.c:220:9: note: in expansion of macro ‘g_assert_error’
220 | g_assert_error (error, G_CONVERT_ERROR, file_from_uri_tests[i].expected_error);
| ^~~~~~~~~~~~~~
glib/tests/uri.c: In function ‘test_uri_parsing_absolute’:
glib/gtestutils.h:134:96: error: comparison of integer expressions of different signedness: ‘gint’ {aka ‘int’} and ‘GUriError’
134 | if (!err || (err)->domain != dom || (err)->code != c) \
| ^~
glib/tests/uri.c:790:11: note: in expansion of macro ‘g_assert_error’
790 | g_assert_error (error, G_URI_ERROR, test->expected_error_code);
| ^~~~~~~~~~~~~~
In file included from glib/glibconfig.h:9,
from glib/gtypes.h:32,
from glib/galloca.h:32,
from glib/glib.h:30,
from glib/tests/uri.c:25:
glib/tests/uri.c: In function ‘test_uri_iter_params’:
glib/tests/uri.c:1495:51: error: comparison of integer expressions of different signedness: ‘gssize’ {aka ‘const long int’} and ‘long unsigned int’
1495 | params_tests[i].expected_n_params <= G_N_ELEMENTS (params_tests[i].expected_param_key_values) / 2);
| ^~
glib/gmacros.h:941:25: note: in definition of macro ‘G_LIKELY’
941 | #define G_LIKELY(expr) (expr)
| ^~~~
glib/tests/uri.c:1494:7: note: in expansion of macro ‘g_assert’
1494 | g_assert (params_tests[i].expected_n_params < 0 ||
| ^~~~~~~~
glib/tests/uri.c: In function ‘test_uri_parse_params’:
glib/tests/uri.c:1562:51: error: comparison of integer expressions of different signedness: ‘gssize’ {aka ‘const long int’} and ‘long unsigned int’
1562 | params_tests[i].expected_n_params <= G_N_ELEMENTS (params_tests[i].expected_param_key_values) / 2);
| ^~
glib/gmacros.h:941:25: note: in definition of macro ‘G_LIKELY’
941 | #define G_LIKELY(expr) (expr)
| ^~~~
glib/tests/uri.c:1561:7: note: in expansion of macro ‘g_assert’
1561 | g_assert (params_tests[i].expected_n_params < 0 ||
| ^~~~~~~~
glib/tests/uri.c: In function ‘run_file_to_uri_tests’:
glib/tests/uri.c:172:17: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’
172 | for (i = 0; i < G_N_ELEMENTS (file_to_uri_tests); i++)
| ^
glib/tests/uri.c: In function ‘run_file_from_uri_tests’:
glib/tests/uri.c:197:17: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’
197 | for (i = 0; i < G_N_ELEMENTS (file_from_uri_tests); i++)
| ^
glib/tests/uri.c: In function ‘run_file_roundtrip_tests’:
glib/tests/uri.c:276:17: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’
276 | for (i = 0; i < G_N_ELEMENTS (file_to_uri_tests); i++)
| ^
glib/tests/uri.c: In function ‘test_uri_parse_params’:
glib/tests/uri.c:1594:25: error: comparison of integer expressions of different signedness: ‘gsize’ {aka ‘long unsigned int’} and ‘gssize’ {aka ‘const long int’}
1594 | for (j = 0; j < params_tests[i].expected_n_params; j += 2)
| ^
glib/tests/timer.c: In function ‘test_timeval_from_iso8601’:
glib/tests/timer.c:220:17: error: comparison of integer expressions of different signedness: ‘gint’ {aka ‘int’} and ‘long unsigned int’
220 | for (i = 0; i < G_N_ELEMENTS (tests); i++)
| ^
glib/tests/timer.c: In function ‘test_timeval_to_iso8601’:
glib/tests/timer.c:260:17: error: comparison of integer expressions of different signedness: ‘gint’ {aka ‘int’} and ‘long unsigned int’
260 | for (i = 0; i < G_N_ELEMENTS (tests); i++)
| ^
