update-notifier crashes (bug spotted in source code)

Xu Zhongxing 13811674668 at 163.com
Sat May 1 11:55:56 UTC 2021

In the source code of update-notifier_3.192.40.tar.xz, when the file /var/lib/update-notifier/user.d/incomplete-language-support-gnome.note exists:

In hooks.c, at line 108, when the file test is true, the program will execute "goto out" at line 112.

Then at line 137, pathdirs is in an uninitialized state and triggers a segmentation fault in g_strfreev().

   if(cargv[0][0] == '/' &&
      g_file_test(cargv[0], G_FILE_TEST_EXISTS|G_FILE_TEST_IS_EXECUTABLE)) {
      result = TRUE;
      g_debug_hooks("command exists");
      goto out; // THIS IS EXECUTED
   }

   g_debug_hooks("'%s' is not a valid absolute path", cargv[0]);

   gchar **pathdirs = g_strsplit(getenv("PATH"), ":", 100);
   if(!pathdirs) goto out;

   for(int i = 0; pathdirs[i] != NULL; i++) {
      gchar *pathdir = pathdirs[i];
      char *fname = g_strdup_printf("%s/%s", pathdir, cargv[0]);
      if(g_file_test(fname, G_FILE_TEST_EXISTS|G_FILE_TEST_IS_EXECUTABLE)) {
         g_debug_hooks("command exists at '%s'", fname);
         result = TRUE;
         goto out;
      }
   }

   g_debug_hooks("failed to find command in PATH");

 out:
   if(error) g_error_free(error);
   if(cargv) g_strfreev(cargv);
   if(pathdirs) g_strfreev(pathdirs); // THIS IS THE CRASH SITE BECAUSE pathdirs IS IN UNINITIALIZED STATE.
   if(unquoted) g_free(unquoted);
   return result;
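
Added example, not part of the original message and not update-notifier code: the same lookup written with plain libc so it builds without GLib, with every pointer that is released at the out: label initialised before the first goto. The name command_exists() and the libc calls standing in for g_file_test()/g_strsplit() are assumptions of this sketch; it also covers an unset PATH.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for the check quoted from hooks.c.
 * Returns 1 if cmd is an executable absolute path or is found in PATH. */
int command_exists(const char *cmd)
{
    int result = 0;
    /* Everything freed at out: gets a defined value here, before any goto,
     * so no early exit can reach the cleanup with an indeterminate pointer. */
    char *pathcopy = NULL, *fname = NULL, *save = NULL;
    const char *path = NULL;

    if (cmd == NULL || cmd[0] == '\0')
        goto out;
    if (cmd[0] == '/' && access(cmd, X_OK) == 0) {
        result = 1;
        goto out;               /* the early exit that crashed in the report */
    }

    path = getenv("PATH");
    if (path == NULL)           /* PATH can be unset; do not split NULL */
        goto out;
    pathcopy = strdup(path);    /* strtok_r modifies its input */
    if (pathcopy == NULL)
        goto out;

    for (char *dir = strtok_r(pathcopy, ":", &save); dir != NULL;
         dir = strtok_r(NULL, ":", &save)) {
        size_t len = strlen(dir) + strlen(cmd) + 2;   /* '/' and NUL */
        fname = malloc(len);
        if (fname == NULL)
            goto out;
        snprintf(fname, len, "%s/%s", dir, cmd);
        if (access(fname, X_OK) == 0) {
            result = 1;
            goto out;           /* fname is freed at out: */
        }
        free(fname);
        fname = NULL;           /* keep the cleanup free() safe */
    }

out:
    free(fname);                /* free(NULL) is a no-op */
    free(pathcopy);
    return result;
}
```

Building C code with -Wall -Wextra (GCC reports -Wmaybe-uninitialized when optimising) or running a static analyzer over it is a cheap way to catch a jump that skips an initialiser.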