author | Simon Feltman <sfeltman@src.gnome.org> | 2014-09-10 19:06:35 -0700 |
---|---|---|
committer | Simon Feltman <sfeltman@src.gnome.org> | 2014-09-10 19:06:35 -0700 |
commit | 6181f724bc2c6ea30194c961cb15b2c543a48f95 (patch) | |
tree | a1bdae2b5e68fcba810ab05ccb007b66a383230b | |
parent | 972e944ad4b2aac03c61633b8c277e35395c114c (diff) | |
download | pygobject-6181f724bc2c6ea30194c961cb15b2c543a48f95.tar.gz |
Fix invalid read error in argument cleanup code
Always set initial length argument index for arrays to -1. Ensure we don't
attempt retrieving Python cleanup arguments until we know it is valid.
This was causing an invalid read in test_gi.TestArray.test_array_out()
-rw-r--r-- | gi/pygi-array.c | 1 | ||||
-rw-r--r-- | gi/pygi-marshal-cleanup.c | 13 |
2 files changed, 9 insertions, 5 deletions
diff --git a/gi/pygi-array.c b/gi/pygi-array.c
index 4cfbd172..e2598cd3 100644
--- a/gi/pygi-array.c
+++ b/gi/pygi-array.c
@@ -803,6 +803,7 @@ pygi_arg_garray_len_arg_setup (PyGIArgCache *arg_cache,
 child_cache->direction = direction;
 child_cache->to_py_marshaller = _pygi_marshal_to_py_basic_type_cache_adapter;
 child_cache->from_py_marshaller = _pygi_marshal_from_py_basic_type_cache_adapter;
+ child_cache->py_arg_index = -1;
 /* ugly edge case code:
 *
diff --git a/gi/pygi-marshal-cleanup.c b/gi/pygi-marshal-cleanup.c
index 4ba6159c..b0ec05ae 100644
--- a/gi/pygi-marshal-cleanup.c
+++ b/gi/pygi-marshal-cleanup.c
@@ -95,8 +95,6 @@ pygi_marshal_cleanup_args_from_py_marshal_success (PyGIInvokeState *state,
 for (i = 0; i < _pygi_callable_cache_args_len (cache); i++) {
 PyGIArgCache *arg_cache = _pygi_callable_cache_get_arg (cache, i);
 PyGIMarshalCleanupFunc cleanup_func = arg_cache->from_py_cleanup;
- PyObject *py_arg = PyTuple_GET_ITEM (state->py_in_args,
- arg_cache->py_arg_index);
 gpointer cleanup_data = state->args_cleanup_data[i];
 /* Only cleanup using args_cleanup_data when available.
@@ -105,8 +103,9 @@ pygi_marshal_cleanup_args_from_py_marshal_success (PyGIInvokeState *state,
 * PyGIInvokeState.args_cleanup_data stores this data (via _invoke_marshal_in_args)
 * for the duration of the invoke up until this point.
 */
- if (cleanup_func && cleanup_data != NULL &&
+ if (cleanup_func && cleanup_data != NULL && arg_cache->py_arg_index >= 0 &&
 arg_cache->direction & PYGI_DIRECTION_FROM_PYTHON) {
+ PyObject *py_arg = PyTuple_GET_ITEM (state->py_in_args, arg_cache->py_arg_index);
 cleanup_func (state, arg_cache, py_arg, cleanup_data, TRUE);
 state->args_cleanup_data[i] = NULL;
 }
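Review bot: The `-1` assigned to `child_cache->py_arg_index` is an undocumented sentinel that the cleanup code in gi/pygi-marshal-cleanup.c now depends on before it indexes `state->py_in_args`. A short comment on the new line would record that contract, for example `/* -1 = no Python-side argument; cleanup must not index py_in_args with it */`. Only this setup path is visible here, so it is worth confirming that every other place creating a PyGIArgCache without a Python argument also initialises the field, since the commit message attributes the invalid read to this index. pygi_arg_garray_len_arg_setup begins and ends outside the hunk.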
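Review bot: The new guard `arg_cache->py_arg_index >= 0` in the `if` condition checks only the lower bound, and `PyTuple_GET_ITEM` is an unchecked macro, so an index at or past the tuple's length would still read out of bounds. Unless code outside the hunk guarantees the index lies within `state->py_in_args`, the condition could also carry `arg_cache->py_arg_index < PyTuple_GET_SIZE (state->py_in_args)`. The same applies to the fetch added in pygi_marshal_cleanup_args_from_py_parameter_fail in the following hunk. The loop body starts in the previous hunk and the function continues past this one.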
@@ -167,8 +166,12 @@ pygi_marshal_cleanup_args_from_py_parameter_fail (PyGIInvokeState *state,
 PyGIArgCache *arg_cache = _pygi_callable_cache_get_arg (cache, i);
 PyGIMarshalCleanupFunc cleanup_func = arg_cache->from_py_cleanup;
 gpointer cleanup_data = state->args_cleanup_data[i];
- PyObject *py_arg = PyTuple_GET_ITEM (state->py_in_args,
- arg_cache->py_arg_index);
+ PyObject *py_arg = NULL;
+
+ if (arg_cache->py_arg_index < 0) {
+ continue;
+ }
+ py_arg = PyTuple_GET_ITEM (state->py_in_args, arg_cache->py_arg_index);
 if (cleanup_func && cleanup_data != NULL &&
 arg_cache->direction == PYGI_DIRECTION_FROM_PYTHON) { |
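Review bot: The added `continue` skips the whole iteration for an argument whose `py_arg_index` is negative, whereas the success path in the earlier hunk only skips the `cleanup_func` call. The rest of this loop body is outside the hunk; if it does any other per-argument work after the visible `if` (releasing other cleanup data, or resetting `state->args_cleanup_data[i]`), that work is now bypassed for these arguments and could leave data unreleased or a stale pointer in place. Matching the success path avoids this: leave `py_arg` as NULL, fetch it with `if (arg_cache->py_arg_index >= 0) py_arg = PyTuple_GET_ITEM (state->py_in_args, arg_cache->py_arg_index);`, and add `arg_cache->py_arg_index >= 0 &&` to the visible condition. Any later branch that passes `py_arg` on would need the same check.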