File xfdesktop-4.10.0-fix-use-after-free.patch of Package xfdesktop

Overview Repositories Revisions Requests Users Attributes Meta

File xfdesktop-4.10.0-fix-use-after-free.patch of Package xfdesktop

Tooltip of a desktop file with empty Comment= field shows as
"EEEEEEEEEEEEEEEEEEEEE..." which hints at a use-after-free as the
area is poisoned by glibc after free().

Valgrind then showed this:

==4111== Invalid read of size 1
==4111==    at 0x8413316: vfprintf (in /lib64/libc-2.15.so)
==4111==    by 0x84C6380: __vasprintf_chk (in /lib64/libc-2.15.so)
==4111==    by 0x7F3FC2A: g_vasprintf (in /usr/lib64/libglib-2.0.so.0.3200.3)
==4111==    by 0x7F1FBFC: g_strdup_vprintf (in /usr/lib64/libglib-2.0.so.0.3200.3)
==4111==    by 0x7F1FC9B: g_strdup_printf (in /usr/lib64/libglib-2.0.so.0.3200.3)
==4111==    by 0x434087: xfdesktop_regular_file_icon_peek_tooltip (xfdesktop-regular-file-icon.c:577)
==4111==    by 0x41F6C4: xfdesktop_icon_view_show_tooltip (xfdesktop-icon-view.c:1049)
==4111==    by 0x659FB80: ??? (in /usr/lib64/libgtk-x11-2.0.so.0.2400.10)
==4111==    by 0x7C7C70F: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111==    by 0x7C8D78F: ??? (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111==    by 0x7C9532A: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111==    by 0x7C95DAF: g_signal_emit_by_name (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111==  Address 0x13301768 is 72 bytes inside a block of size 4,096 free'd
==4111==    at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==4111==    by 0x7F23377: g_string_chunk_free (in /usr/lib64/libglib-2.0.so.0.3200.3)
==4111==    by 0x60494F6: xfce_rc_close (xfce-rc.c:166)
==4111==    by 0x434039: xfdesktop_regular_file_icon_peek_tooltip (xfdesktop-regular-file-icon.c:567)
==4111==    by 0x41F6C4: xfdesktop_icon_view_show_tooltip (xfdesktop-icon-view.c:1049)
==4111==    by 0x659FB80: ??? (in /usr/lib64/libgtk-x11-2.0.so.0.2400.10)
==4111==    by 0x7C7C70F: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111==    by 0x7C8D78F: ??? (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111==    by 0x7C9532A: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111==    by 0x7C95DAF: g_signal_emit_by_name (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111==    by 0x6674F97: ??? (in /usr/lib64/libgtk-x11-2.0.so.0.2400.10)
==4111==    by 0x6675C53: ??? (in /usr/lib64/libgtk-x11-2.0.so.0.2400.10)

This is the patch I came up with:

Index: b/src/xfdesktop-regular-file-icon.c
===================================================================
--- a/src/xfdesktop-regular-file-icon.c
+++ b/src/xfdesktop-regular-file-icon.c
@@ -550,10 +550,14 @@ xfdesktop_regular_file_icon_peek_tooltip
 
         mtime = g_file_info_get_attribute_uint64(info,
                                                  G_FILE_ATTRIBUTE_TIME_MODIFIED);
         time_string = xfdesktop_file_utils_format_time_for_display(mtime);
 
+        regular_file_icon->priv->tooltip =
+            g_strdup_printf(_("Type: %s\nSize: %s\nLast modified: %s"),
+                            description, size_string, time_string);
+
         /* Extract the Comment entry from the .desktop file */
         if(is_desktop_file)
         {
             gchar *path = g_file_get_path(regular_file_icon->priv->file);
             XfceRc *rcfile = xfce_rc_simple_open(path, TRUE);
@@ -561,27 +565,22 @@ xfdesktop_regular_file_icon_peek_tooltip
 
             if(rcfile) {
                 xfce_rc_set_group(rcfile, "Desktop Entry");
                 comment = xfce_rc_read_entry(rcfile, "Comment", NULL);
             }
+            /* Prepend the comment to the tooltip */
+            if(comment != NULL) {
+                gchar *tooltip = regular_file_icon->priv->tooltip;
+                regular_file_icon->priv->tooltip = g_strdup_printf("%s\n%s",
+                                                                   comment,
+                                                                   tooltip);
+                g_free(tooltip);
+            }
 
             xfce_rc_close(rcfile);
         }
 
-        regular_file_icon->priv->tooltip =
-            g_strdup_printf(_("Type: %s\nSize: %s\nLast modified: %s"),
-                            description, size_string, time_string);
-
-        /* Prepend the comment to the tooltip */
-        if(is_desktop_file && comment != NULL) {
-            gchar *tooltip = regular_file_icon->priv->tooltip;
-            regular_file_icon->priv->tooltip = g_strdup_printf("%s\n%s",
-                                                               comment,
-                                                               tooltip);
-            g_free(tooltip);
-        }
-
         g_free(time_string);
         g_free(size_string);
         g_free(description);
     }

Places

File xfdesktop-4.10.0-fix-use-after-free.patch of Package xfdesktop

Places