From 6181f724bc2c6ea30194c961cb15b2c543a48f95 Mon Sep 17 00:00:00 2001
From: Simon Feltman
Date: Wed, 10 Sep 2014 19:06:35 -0700
Subject: Fix invalid read error in argument cleanup code

Always set initial length argument index for arrays to -1. Ensure we don't attempt retrieving Python cleanup arguments until we know it is valid. This was causing an invalid read in test_gi.TestArray.test_array_out()
---
 gi/pygi-array.c           | 1 +
 gi/pygi-marshal-cleanup.c | 13 ++++++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/gi/pygi-array.c b/gi/pygi-array.c
index 4cfbd172..e2598cd3 100644
--- a/gi/pygi-array.c
+++ b/gi/pygi-array.c
@@ -803,6 +803,7 @@ pygi_arg_garray_len_arg_setup (PyGIArgCache *arg_cache,
     child_cache->direction = direction;
     child_cache->to_py_marshaller = _pygi_marshal_to_py_basic_type_cache_adapter;
     child_cache->from_py_marshaller = _pygi_marshal_from_py_basic_type_cache_adapter;
+    child_cache->py_arg_index = -1;
     /* ugly edge case code:
      *
diff --git a/gi/pygi-marshal-cleanup.c b/gi/pygi-marshal-cleanup.c
index 4ba6159c..b0ec05ae 100644
--- a/gi/pygi-marshal-cleanup.c
+++ b/gi/pygi-marshal-cleanup.c
@@ -95,8 +95,6 @@ pygi_marshal_cleanup_args_from_py_marshal_success (PyGIInvokeState *state,
     for (i = 0; i < _pygi_callable_cache_args_len (cache); i++) {
         PyGIArgCache *arg_cache = _pygi_callable_cache_get_arg (cache, i);
         PyGIMarshalCleanupFunc cleanup_func = arg_cache->from_py_cleanup;
-        PyObject *py_arg = PyTuple_GET_ITEM (state->py_in_args,
-                                             arg_cache->py_arg_index);
         gpointer cleanup_data = state->args_cleanup_data[i];
         /* Only cleanup using args_cleanup_data when available.
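Review bot: The new `child_cache->py_arg_index = -1;` introduces a sentinel that the cleanup code in pygi-marshal-cleanup.c tests with `>= 0` and `< 0`, but nothing at this site says why a length argument gets no Python index, so the intent is lost on the next reader; I would add above the assignment `/* Array length args have no Python-side argument of their own; -1 tells the cleanup paths to skip the py_in_args lookup. */`. This only works if py_arg_index is declared as a signed type — if it is unsigned, -1 wraps and the `< 0` / `>= 0` comparisons can never reject it — so the field's declaration in the cache header is worth confirming. pygi_arg_garray_len_arg_setup continues outside the hunk.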
@@ -105,8 +103,9 @@ pygi_marshal_cleanup_args_from_py_marshal_success (PyGIInvokeState *state,
          * PyGIInvokeState.args_cleanup_data stores this data (via _invoke_marshal_in_args)
          * for the duration of the invoke up until this point.
          */
-        if (cleanup_func && cleanup_data != NULL &&
+        if (cleanup_func && cleanup_data != NULL && arg_cache->py_arg_index >= 0 &&
             arg_cache->direction & PYGI_DIRECTION_FROM_PYTHON) {
+            PyObject *py_arg = PyTuple_GET_ITEM (state->py_in_args, arg_cache->py_arg_index);
             cleanup_func (state, arg_cache, py_arg, cleanup_data, TRUE);
             state->args_cleanup_data[i] = NULL;
         }
@@ -167,8 +166,12 @@ pygi_marshal_cleanup_args_from_py_parameter_fail (PyGIInvokeState *state,
         PyGIArgCache *arg_cache = _pygi_callable_cache_get_arg (cache, i);
         PyGIMarshalCleanupFunc cleanup_func = arg_cache->from_py_cleanup;
         gpointer cleanup_data = state->args_cleanup_data[i];
-        PyObject *py_arg = PyTuple_GET_ITEM (state->py_in_args,
-                                             arg_cache->py_arg_index);
+        PyObject *py_arg = NULL;
+
+        if (arg_cache->py_arg_index < 0) {
+            continue;
+        }
+        py_arg = PyTuple_GET_ITEM (state->py_in_args, arg_cache->py_arg_index);
         if (cleanup_func && cleanup_data != NULL &&
             arg_cache->direction == PYGI_DIRECTION_FROM_PYTHON) {
-- 
cgit v1.2.1
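Review bot: The added `arg_cache->py_arg_index >= 0` guard only rules out the -1 sentinel; `PyTuple_GET_ITEM` performs no bounds check, so an index that is non-negative but not below `PyTuple_GET_SIZE (state->py_in_args)` would still read past the tuple, which is the same class of invalid read this commit sets out to fix. If the index is not guaranteed to be validated when the cache is built (the hunk does not show that), the condition should be `arg_cache->py_arg_index >= 0 && arg_cache->py_arg_index < PyTuple_GET_SIZE (state->py_in_args)`. The same applies to the `< 0` check added in pygi_marshal_cleanup_args_from_py_parameter_fail in the following hunk, and writing the guard the same way in both functions would make the invariant easier to audit. The enclosing function begins outside the hunk.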
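Review bot: The new `continue` on a negative `py_arg_index` skips the rest of the loop body, not just the `PyTuple_GET_ITEM` lookup, which is stronger than the equivalent guard in pygi_marshal_cleanup_args_from_py_marshal_success, where only the cleanup call is conditioned; anything later in this iteration that does not depend on py_arg (the loop body runs past the end of the hunk) is now skipped for length arguments. If that is intended, a one-line comment above the `if` would make it explicit, e.g. `/* Length args carry no Python argument (py_arg_index == -1): nothing to clean up for them. */`. The `PyObject *py_arg = NULL;` initialisation is overwritten on every path that reaches the lookup, so it reads as a C89 declaration-placement workaround rather than a meaningful default; a short comment saying so would spare the next reader the question. The `==` comparison on `arg_cache->direction` in the context line differs from the `&` test used by the sibling function; that predates this commit but is worth a look while both functions are being touched.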