author | Dan Williams <dcbw@redhat.com> | 2012-06-09 06:09:36 +0800 |
---|---|---|
committer | Claudio Saavedra <csaavedra@igalia.com> | 2012-06-11 17:22:25 +0800 |
commit | c11e8f1c77127a75a842ba3d9a75ade1b6ba9d2b (patch) | |
tree | be876546001b1ff87d5c0ed820b9350dd13dea05 /embed/ephy-web-view.c | |
parent | 5098053fc257b3ce58302a441663b7b4eca676f2 (diff) | |
ephy-web-view: fix use-after-free in get_file_content_as_base64()
image_type is owned by file_info, so we can't free file_info until
after we're done with image_type. Fixes crash when error page
is displayed. Valgrind trace:
==1916== Invalid read of size 1
==1916== at 0x38CBA7B328: _IO_default_xsputn (in /lib64/libc-2.14.90.so)
==1916== by 0x38CBA4B3A7: vfprintf (in /lib64/libc-2.14.90.so)
==1916== by 0x38CBB084B0: __vasprintf_chk (in /lib64/libc-2.14.90.so)
==1916== by 0x38CDA8A44A: g_vasprintf (stdio2.h:199)
==1916== by 0x38CDA69B0C: g_strdup_vprintf (gstrfuncs.c:509)
==1916== by 0x38CDA69BAB: g_strdup_printf (gstrfuncs.c:535)
==1916== by 0x47EA57: ephy_web_view_load_error_page (ephy-web-view.c:1978)
==1916== by 0x47F6B2: load_error_cb (ephy-web-view.c:2119)
==1916== by 0x38E8E7753F: webkit_marshal_BOOLEAN__OBJECT_STRING_POINTER (in /usr/lib64/libwebkitgtk-3.0.so.0.11.0)
==1916== by 0x38CEA11381: g_closure_invoke (gclosure.c:777)
==1916== by 0x38CEA23132: signal_emit_unlocked_R (gsignal.c:3547)
==1916== by 0x38CEA2AEE1: g_signal_emit_valist (gsignal.c:3306)
==1916== Address 0x4f02040 is 0 bytes inside a block of size 10 free'd
==1916== at 0x4A0662E: free (vg_replace_malloc.c:366)
==1916== by 0x38CDA5513E: g_free (gmem.c:252)
==1916== by 0x38D1255908: _g_file_attribute_value_clear (gfileattribute.c:245)
==1916== by 0x38D125A078: g_file_info_finalize (gfileinfo.c:324)
==1916== by 0x38CEA1670F: g_object_unref (gobject.c:3018)
==1916== by 0x47EA05: ephy_web_view_load_error_page (ephy-web-view.c:1974)
==1916== by 0x47F6B2: load_error_cb (ephy-web-view.c:2119)
==1916== by 0x38E8E7753F: webkit_marshal_BOOLEAN__OBJECT_STRING_POINTER (in /usr/lib64/libwebkitgtk-3.0.so.0.11.0)
==1916== by 0x38CEA11381: g_closure_invoke (gclosure.c:777)
==1916== by 0x38CEA23132: signal_emit_unlocked_R (gsignal.c:3547)
==1916== by 0x38CEA2AEE1: g_signal_emit_valist (gsignal.c:3306)
==1916== by 0x38CEA2BE83: g_signal_emit_by_name (gsignal.c:3389)
https://bugzilla.gnome.org/show_bug.cgi?id=677736
Diffstat (limited to 'embed/ephy-web-view.c')
-rw-r--r-- | embed/ephy-web-view.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/embed/ephy-web-view.c b/embed/ephy-web-view.c
index e98e13d28..cf1efe31a 100644
--- a/embed/ephy-web-view.c
+++ b/embed/ephy-web-view.c
@@ -2070,9 +2070,6 @@ get_file_content_as_base64 (const char *path)
                                  NULL, NULL);
   image_type = g_file_info_get_content_type (file_info);
-  g_object_unref (file);
-  g_object_unref (file_info);
-
   g_file_get_contents (path, &image_raw, &len, NULL);
   image_data = g_base64_encode ((guchar *) image_raw, len);
   image64 = g_strdup_printf ("data:%s;base64,%s", image_type, image_data);
@@ -2080,6 +2077,9 @@ get_file_content_as_base64 (const char *path)
   g_free (image_raw);
   g_free (image_data);
+  g_object_unref (file);
+  g_object_unref (file_info);
+
   return image64;
 }
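Review bot: `image_type = g_file_info_get_content_type (file_info);` at the top of the first hunk still dereferences file_info without checking it, and the g_file_query_info call just above it passes a NULL GError, so a failed query (missing or unreadable path) returns NULL and this line becomes a NULL-pointer use instead of a reported error; the unref of file_info at the end of the function would then log a critical as well. The same hunk leaves `g_file_get_contents (path, &image_raw, &len, NULL);` unchecked, so on failure image_raw and len reach g_base64_encode in whatever state they were declared in — the declarations are outside the hunk, so whether they are initialised cannot be confirmed here. A guard such as `if (file_info == NULL) { g_object_unref (file); return NULL; }` after the query, and `if (!g_file_get_contents (path, &image_raw, &len, NULL)) { ... cleanup ...; return NULL; }` after the read, would make both failures explicit; whether the caller (ephy_web_view_load_error_page per the trace) copes with a NULL return is not visible from this hunk. The function's opening and its declarations lie outside the hunk.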
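Review bot: The two `g_object_unref` calls moved to the end of the second hunk carry the whole reason for this commit — image_type is a const pointer borrowed from file_info — but nothing in the code says so, so the next cleanup-tidying pass can reintroduce the same use-after-free. A comment above the unrefs, `/* image_type is owned by file_info; it must stay alive until image64 has been built. */`, would pin the ordering. If file_info can be NULL on a failed query (its check is not in this hunk), `g_clear_object (&file_info);` would also avoid a critical on that path.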