|
|
be1019 |
From 3f62e9fbd3de11df52184ca8dfcabfb7d1c0fdeb Mon Sep 17 00:00:00 2001
|
|
|
be1019 |
From: Robert Tiemann <rtie@gmx.de>
|
|
|
be1019 |
Date: Fri, 17 May 2019 12:43:04 +0200
|
|
|
be1019 |
Subject: [PATCH] Avoid possible crash when getting server properties.
|
|
|
be1019 |
|
|
|
be1019 |
The crash occurs when calling dls_device_get_all_props() for a content
|
|
|
be1019 |
directory server that we have not yet subscribed to (that is,
|
|
|
be1019 |
prv_cds_subscribed() returns FALSE in
|
|
|
be1019 |
prv_get_system_update_id_for_props()). This crash is caused by an
|
|
|
be1019 |
invalid GVariantBuilder passed to g_variant_builder_end() in
|
|
|
be1019 |
prv_get_sleeping_for_props(), leading to a NULL result pointer being
|
|
|
be1019 |
passed to dls_async_task_complete(). A GVariant is attempted to be
|
|
|
be1019 |
constructed from this NULL pointer in dls_task_complete().
|
|
|
be1019 |
|
|
|
be1019 |
Here is the call chain that leads to the crash:
|
|
|
be1019 |
|
|
|
be1019 |
dls_device_get_all_props()
|
|
|
be1019 |
prv_get_system_update_id_for_props()
|
|
|
be1019 |
gupnp_service_proxy_begin_action("GetSystemUpdateID") -> prv_system_update_id_for_props_cb()
|
|
|
be1019 |
prv_system_update_id_for_props_cb()
|
|
|
be1019 |
prv_get_sr_token_for_props()
|
|
|
be1019 |
prv_get_sleeping_for_props()
|
|
|
be1019 |
dls_async_task_complete()
|
|
|
be1019 |
cb_data->cb() -> prv_async_task_complete()
|
|
|
be1019 |
prv_async_task_complete()
|
|
|
be1019 |
dls_task_complete()
|
|
|
be1019 |
g_variant_new()
|
|
|
be1019 |
|
|
|
be1019 |
The crash was most likely observed when a device running Plex Media
|
|
|
be1019 |
Server was present on the network.
|
|
|
be1019 |
|
|
|
be1019 |
This commit moves the call of g_variant_builder_end() in
|
|
|
be1019 |
prv_system_update_id_for_props_cb() (which invalidates the
|
|
|
be1019 |
GVariantBuilder used later in prv_get_sleeping_for_props()) to the
|
|
|
be1019 |
error handling branch. This leaves the GVariantBuilder alone and
|
|
|
be1019 |
allows prv_get_sr_token_for_props() or one of its descendants to call
|
|
|
be1019 |
g_variant_builder_end() and complete the task.
|
|
|
be1019 |
---
|
|
|
be1019 |
libdleyna/server/device.c | 5 ++---
|
|
|
be1019 |
1 file changed, 2 insertions(+), 3 deletions(-)
|
|
|
be1019 |
|
|
|
be1019 |
diff --git a/libdleyna/server/device.c b/libdleyna/server/device.c
|
|
|
be1019 |
index d77dfbc2725b..8777da0ea2db 100644
|
|
|
be1019 |
--- a/libdleyna/server/device.c
|
|
|
be1019 |
+++ b/libdleyna/server/device.c
|
|
|
be1019 |
@@ -2256,15 +2256,14 @@ static void prv_system_update_id_for_props_cb(GUPnPServiceProxy *proxy,
|
|
|
be1019 |
DLS_SYSTEM_UPDATE_VAR,
|
|
|
be1019 |
g_variant_new_uint32(id));
|
|
|
be1019 |
|
|
|
be1019 |
- cb_data->task.result = g_variant_ref_sink(g_variant_builder_end(
|
|
|
be1019 |
- cb_task_data->vb));
|
|
|
be1019 |
-
|
|
|
be1019 |
on_complete:
|
|
|
be1019 |
|
|
|
be1019 |
if (!cb_data->error)
|
|
|
be1019 |
prv_get_sr_token_for_props(proxy, cb_data->task.target.device,
|
|
|
be1019 |
cb_data);
|
|
|
be1019 |
else {
|
|
|
be1019 |
+ cb_data->task.result = g_variant_ref_sink(g_variant_builder_end(
|
|
|
be1019 |
+ cb_task_data->vb));
|
|
|
be1019 |
(void) g_idle_add(dls_async_task_complete, cb_data);
|
|
|
be1019 |
g_cancellable_disconnect(cb_data->cancellable,
|
|
|
be1019 |
cb_data->cancel_id);
|
|
|
be1019 |
--
|
|
|
be1019 |
2.28.0
|
|
|
be1019 |
|