File xfdesktop-4.10.0-fix-use-after-free.patch of Package xfdesktop
The tooltip of a .desktop file with an empty Comment= field shows as
"EEEEEEEEEEEEEEEEEEEEE...", which hints at a use-after-free, as the
area is poisoned by glibc after free().
Valgrind then showed this:
==4111== Invalid read of size 1
==4111== at 0x8413316: vfprintf (in /lib64/libc-2.15.so)
==4111== by 0x84C6380: __vasprintf_chk (in /lib64/libc-2.15.so)
==4111== by 0x7F3FC2A: g_vasprintf (in /usr/lib64/libglib-2.0.so.0.3200.3)
==4111== by 0x7F1FBFC: g_strdup_vprintf (in /usr/lib64/libglib-2.0.so.0.3200.3)
==4111== by 0x7F1FC9B: g_strdup_printf (in /usr/lib64/libglib-2.0.so.0.3200.3)
==4111== by 0x434087: xfdesktop_regular_file_icon_peek_tooltip (xfdesktop-regular-file-icon.c:577)
==4111== by 0x41F6C4: xfdesktop_icon_view_show_tooltip (xfdesktop-icon-view.c:1049)
==4111== by 0x659FB80: ??? (in /usr/lib64/libgtk-x11-2.0.so.0.2400.10)
==4111== by 0x7C7C70F: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111== by 0x7C8D78F: ??? (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111== by 0x7C9532A: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111== by 0x7C95DAF: g_signal_emit_by_name (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111== Address 0x13301768 is 72 bytes inside a block of size 4,096 free'd
==4111== at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==4111== by 0x7F23377: g_string_chunk_free (in /usr/lib64/libglib-2.0.so.0.3200.3)
==4111== by 0x60494F6: xfce_rc_close (xfce-rc.c:166)
==4111== by 0x434039: xfdesktop_regular_file_icon_peek_tooltip (xfdesktop-regular-file-icon.c:567)
==4111== by 0x41F6C4: xfdesktop_icon_view_show_tooltip (xfdesktop-icon-view.c:1049)
==4111== by 0x659FB80: ??? (in /usr/lib64/libgtk-x11-2.0.so.0.2400.10)
==4111== by 0x7C7C70F: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111== by 0x7C8D78F: ??? (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111== by 0x7C9532A: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111== by 0x7C95DAF: g_signal_emit_by_name (in /usr/lib64/libgobject-2.0.so.0.3200.3)
==4111== by 0x6674F97: ??? (in /usr/lib64/libgtk-x11-2.0.so.0.2400.10)
==4111== by 0x6675C53: ??? (in /usr/lib64/libgtk-x11-2.0.so.0.2400.10)
This is the patch I came up with:
Index: b/src/xfdesktop-regular-file-icon.c
===================================================================
--- a/src/xfdesktop-regular-file-icon.c
+++ b/src/xfdesktop-regular-file-icon.c
@@ -550,10 +550,14 @@ xfdesktop_regular_file_icon_peek_tooltip
mtime = g_file_info_get_attribute_uint64(info,
G_FILE_ATTRIBUTE_TIME_MODIFIED);
time_string = xfdesktop_file_utils_format_time_for_display(mtime);
+ regular_file_icon->priv->tooltip =
+ g_strdup_printf(_("Type: %s\nSize: %s\nLast modified: %s"),
+ description, size_string, time_string);
+
/* Extract the Comment entry from the .desktop file */
if(is_desktop_file)
{
gchar *path = g_file_get_path(regular_file_icon->priv->file);
XfceRc *rcfile = xfce_rc_simple_open(path, TRUE);
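Review bot: The position of the moved `g_strdup_printf()` assignment now matters for memory safety, but nothing in the code says so. The Valgrind trace in the description shows the Comment string living in a chunk released by `xfce_rc_close()`, so the base tooltip has to exist before the .desktop file is read in order for the comment to be copied while `rcfile` is still open. A comment above the assignment, for example `/* Build the base tooltip first: the Comment string is owned by rcfile and is freed by xfce_rc_close() */`, would keep a later cleanup from moving it back. Whether `priv->tooltip` can already hold a string when this line runs is not visible here, since the function starts outside the hunk; if it can, the old value would leak.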
@@ -561,27 +565,22 @@ xfdesktop_regular_file_icon_peek_tooltip
if(rcfile) {
xfce_rc_set_group(rcfile, "Desktop Entry");
comment = xfce_rc_read_entry(rcfile, "Comment", NULL);
}
+ /* Prepend the comment to the tooltip */
+ if(comment != NULL) {
+ gchar *tooltip = regular_file_icon->priv->tooltip;
+ regular_file_icon->priv->tooltip = g_strdup_printf("%s\n%s",
+ comment,
+ tooltip);
+ g_free(tooltip);
+ }
xfce_rc_close(rcfile);
}
- regular_file_icon->priv->tooltip =
- g_strdup_printf(_("Type: %s\nSize: %s\nLast modified: %s"),
- description, size_string, time_string);
-
- /* Prepend the comment to the tooltip */
- if(is_desktop_file && comment != NULL) {
- gchar *tooltip = regular_file_icon->priv->tooltip;
- regular_file_icon->priv->tooltip = g_strdup_printf("%s\n%s",
- comment,
- tooltip);
- g_free(tooltip);
- }
-
g_free(time_string);
g_free(size_string);
g_free(description);
}
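Review bot: The new `if(comment != NULL)` block sits after the `if(rcfile)` body rather than inside it, so when `xfce_rc_simple_open()` fails it still relies on `comment` having been initialised to NULL at its declaration, which is outside this hunk. Moving the prepend block and `xfce_rc_close(rcfile);` inside `if(rcfile) { ... }` would tie every use of `comment` to the lifetime of the object that owns it, and would stop a possibly NULL handle from reaching the close call. The report is about an empty `Comment=` entry, so if the reader returns an empty string for it the tooltip will start with a blank line; the guard could be `if(comment != NULL && *comment != '\0') {`. The function begins and ends outside the hunk.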