| author | Philip Withnall <pwithnall@gnome.org> | 2024-04-12 16:01:20 +0100 |
|---|---|---|
| committer | Philip Withnall <pwithnall@gnome.org> | 2024-04-12 18:46:13 +0100 |
| commit | 4b7f6ffe4ced3ed351c05279e2608a7010910ddb (patch) | |
| tree | d81a592a0f3a33b4e92ea1bb6631236be98723e1 /gobject/gparamspecs.c | |
| parent | 96552fc9047bac079b08511b656348b5a4ccb30f (diff) | |
gparamspecs: Fix NULL pointer dereference
I’m not sure exactly how this code is supposed to work, so this might
not be the right fix. But there’s definitely a problem here, and it was
spotted by scan-build.
If `param_value_array_validate()` is entered with
`value->data[0].v_pointer == NULL && aspec->fixed_n_elements`, that `NULL`
will be stored in `value_array` too. `value->data[0].v_pointer` will
then be set to a new non-`NULL` array.
A few lines down, `value_array_ensure_size()` is called on
`value_array` – which is still `NULL` – and this results in a `NULL`
pointer dereference.
It looks like `value->data[0].v_pointer` and `value_array` are used
interchangeably throughout the whole of the function, so assign the new
value of `value->data[0].v_pointer` to `value_array` too.
My guess is that `value_array` is just a convenience alias for
`value->data[0].v_pointer`, because the latter is a real mouthful to
type or read.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Helps: #1767
Diffstat (limited to 'gobject/gparamspecs.c')

| -rw-r--r-- | gobject/gparamspecs.c | 2 |
|---|---|---|

1 files changed, 1 insertions, 1 deletions
diff --git a/gobject/gparamspecs.c b/gobject/gparamspecs.c index cf50df74f..12a81245a 100644 --- a/gobject/gparamspecs.c +++ b/gobject/gparamspecs.c @@ -1018,7 +1018,7 @@ param_value_array_validate (GParamSpec *pspec, guint changed = 0; if (!value->data[0].v_pointer && aspec->fixed_n_elements) - value->data[0].v_pointer = g_value_array_new (aspec->fixed_n_elements); + value_array = value->data[0].v_pointer = g_value_array_new (aspec->fixed_n_elements); if (value->data[0].v_pointer) { |
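Review bot: the chained assignment on the `+` line does keep `value_array` in sync with `value->data[0].v_pointer`, which is what is needed for the later `value_array_ensure_size()` call described in the commit message to no longer see `NULL`, but a double assignment in one statement is easy to overlook when reading the `fixed_n_elements` branch; consider splitting it into `value->data[0].v_pointer = g_value_array_new (aspec->fixed_n_elements);` followed by `value_array = value->data[0].v_pointer;` with a short comment stating that `value_array` is an alias for the value's pointer. Since the commit message itself says the intended semantics are unclear, a maintainer familiar with `param_value_array_validate()` should confirm that the alias relationship holds for every later use of `value_array` in the function before this is merged.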