List: freedesktop-dbus
Subject: [RFC-PATCH] uninitialized variable in dbus_g_proxy_end_call_internal
From: Chia-I Wu <olvaffe () gmail ! com>
Date: 2007-12-31 20:31:46
Message-ID: 20071231203131.GA3020 () m500 ! domain
Hi all,
In dbus_g_proxy_end_call_internal of libdbus-glib, args_unwind is used
uninitialized. Other than that, va_end is called on args while it
should not. This patch fixes the two issues.
A third issue is that, when a dbus message has more arguments than
expected, the processed arguments should not be freed unconditionally.
They should be restored back to GValue and g_value_unset'ed. A variant
of _dbus_gvalue_take may do the job, but it seems very hacky. I choose
to leave the processed arguments untouched (leaks!). Is it ok?
--
Regards,
olv
["dbus_g_proxy_end_call_internal-uninitialized-variable.patch" (text/x-diff)]
diff --git a/dbus/dbus-gproxy.c b/dbus/dbus-gproxy.c
index 3d5a0c5..85d16c0 100644
--- a/dbus/dbus-gproxy.c
+++ b/dbus/dbus-gproxy.c
@@ -2223,6 +2223,7 @@ dbus_g_proxy_end_call_internal (DBusGProxy *proxy,
g_assert (reply != NULL);
dbus_error_init (&derror);
+ G_VA_COPY(args_unwind, args);
switch (dbus_message_get_type (reply))
{
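Review bot: G_VA_COPY(args_unwind, args) is written without the space before the parenthesis that the neighbouring calls use (g_assert (reply != NULL), dbus_error_init (&derror)); write it as G_VA_COPY (args_unwind, args). A one-line comment here saying that the copy is replayed and ended at the out: label would also help, since any return added between this line and out: would skip va_end (args_unwind).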
@@ -2319,18 +2320,22 @@ dbus_g_proxy_end_call_internal (DBusGProxy *proxy,
ret = TRUE;
out:
- va_end (args);
if (ret == FALSE)
{
int i;
+
+ valtype = first_arg_type;
for (i = 0; i < n_retvals_processed; i++)
{
- gpointer retval;
+ GValue gvalue = { 0, };
+
+ g_value_init (&gvalue, valtype);
- retval = va_arg (args_unwind, gpointer);
+ /* FIXME how to free the value? */
+ va_arg (args_unwind, gpointer);
- g_free (retval);
+ valtype = va_arg (args_unwind, GType);
}
}
va_end (args_unwind);
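Review bot: in the unwind loop under ret == FALSE, gvalue is set up with g_value_init on every iteration but is never read or passed to g_value_unset, and the result of va_arg (args_unwind, gpointer) is discarded, so the loop now only advances args_unwind and releases nothing. Either drop the loop and the unused gvalue and state the leak in the FIXME comment, or keep the return location from va_arg and release the stored value according to valtype. Since the already-written outputs stay in the caller's locations on failure, the function's documentation should say who owns them in that case.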
_______________________________________________
dbus mailing list
dbus@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dbus
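An added example, not part of the original message or of dbus-glib: a simplified C stand-in for the pattern the patch deals with, where a function that receives a va_list takes a va_copy before consuming it, replays the copy to release already-stored outputs on failure, and leaves va_end on the original list to its caller. The names collect_v and collect and the NULL-terminated list of char ** output locations are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in, not dbus-glib code: args holds char ** output
 * locations terminated by NULL; each src string is copied into one. */
static int collect_v(const char *const *src, size_t n_src, va_list args)
{
    va_list unwind;
    size_t done = 0;
    int ret = -1;
    va_copy(unwind, args);              /* copy before args is consumed */
    for (size_t i = 0; i < n_src; i++) {
        char **slot = va_arg(args, char **);
        size_t len = strlen(src[i]) + 1;
        if (slot == NULL)               /* more inputs than locations */
            goto out;
        *slot = malloc(len);
        if (*slot == NULL)
            goto out;
        memcpy(*slot, src[i], len);
        done++;
    }
    ret = 0;
out:
    /* On failure, replay the copy and free the stored value, not the location. */
    for (size_t i = 0; ret != 0 && i < done; i++) {
        char **slot = va_arg(unwind, char **);
        free(*slot);
        *slot = NULL;
    }
    va_end(unwind);                     /* pairs with va_copy on every path */
    return ret;                         /* va_end(args) is the caller's job */
}

static int collect(const char *const *src, size_t n_src, ...)
{
    va_list args;
    va_start(args, n_src);
    int ret = collect_v(src, n_src, args);
    va_end(args);
    return ret;
}

int main(void)
{
    const char *const src[] = { "one", "two", "three" };  /* constructed input */
    char *a = NULL, *b = NULL;          /* two locations for three inputs */
    return collect(src, 3, &a, &b, (char **)NULL) == -1 && !a && !b ? 0 : 1;
}
```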