Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#14392 closed patch (fixed)

get_iter_from_chatbuddy can dereference NULL pointer

Reported by: clh Owned by:
Milestone: 2.10.2 Component: pidgin (gtk)
Version: 2.9.0 Keywords: get_iter_from_chatbuddy NULL
Cc:

Description (last modified by clh)

If we look at pidgin_conv_chat_rename_user():

...
        old_cbuddy = purple_conv_chat_cb_find(chat, old_name);
        if (get_iter_from_chatbuddy(old_cbuddy, &iter)) {
...
        }
...
        if (!old_cbuddy)
                return;
...

We see that purple_conv_chat_cb_find() can return NULL; there is even a check for it. However, before the check we use the return value as the argument for get_iter_from_chatbuddy(), which dereferences the pointer without checking for NULL:

static gboolean get_iter_from_chatbuddy(PurpleConvChatBuddy *cb, GtkTreeIter *iter)
{
        GtkTreeRowReference *ref = cb->ui_data;

The same happens in pidgin_conv_chat_update_user().

My suggested fix would be checking the argument in get_iter_from_chatbuddy():

 static gboolean get_iter_from_chatbuddy(PurpleConvChatBuddy *cb, GtkTreeIter *iter)
 {
-       GtkTreeRowReference *ref = cb->ui_data;
+       GtkTreeRowReference *ref;
        GtkTreePath *path;
        GtkTreeModel *model;
 
+       if (!cb)
+               return FALSE;
+
+       ref = cb->ui_data;
+
        if (!ref)
                return FALSE;
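Review bot: The early `if (!cb) return FALSE;` before `ref = cb->ui_data;` closes the crash for both callers named in the description, but pidgin_conv_chat_rename_user() still calls get_iter_from_chatbuddy(old_cbuddy, &iter) ahead of its own `if (!old_cbuddy) return;`, so with this patch alone the caller silently takes the "no row" branch and then returns anyway. Consider also moving the caller's NULL check above the call (which is what the closing commit's "rearrange code" does), so the not-found case is handled once, at the call site. In the helper, the GLib idiom `g_return_val_if_fail(cb != NULL, FALSE);` would additionally log a critical when a NULL does slip through instead of failing silently.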

This was introduced in 2.9.0, as the code didn't exist before.
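As an added illustration (not code from the ticket or from Pidgin), the following self-contained C program models the pattern the description describes: a lookup that returns NULL for an unknown member, a helper that checks its argument before reading `ui_data`, and a caller that does the NULL check before asking for the tree iterator rather than after. The struct definitions, `chat_cb_find()` and `chat_rename_user()` are constructed stand-ins for the libpurple/GTK types and functions named above, with constructed sample data.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the GLib/libpurple/GTK types used in the ticket. */
typedef int gboolean;
#define TRUE 1
#define FALSE 0

typedef struct { int row; } GtkTreeRowReference;   /* placeholder row reference */
typedef struct { int row; } GtkTreeIter;           /* placeholder iterator */

typedef struct {
    const char *name;
    void *ui_data;      /* GtkTreeRowReference* in Pidgin; may legitimately be NULL */
} PurpleConvChatBuddy;

typedef struct {
    PurpleConvChatBuddy *buddies;
    size_t n;
} PurpleConvChat;

/* Mirrors purple_conv_chat_cb_find(): returns NULL when no member matches. */
static PurpleConvChatBuddy *chat_cb_find(PurpleConvChat *chat, const char *name)
{
    for (size_t i = 0; i < chat->n; i++)
        if (strcmp(chat->buddies[i].name, name) == 0)
            return &chat->buddies[i];
    return NULL;
}

/* Hardened helper: validate cb before touching cb->ui_data.
 * Returns TRUE and fills *iter only if both cb and its row reference exist. */
static gboolean get_iter_from_chatbuddy(PurpleConvChatBuddy *cb, GtkTreeIter *iter)
{
    GtkTreeRowReference *ref;

    if (!cb)
        return FALSE;           /* the case that previously dereferenced NULL */

    ref = cb->ui_data;
    if (!ref)
        return FALSE;           /* member known, but has no row in the list */

    iter->row = ref->row;
    return TRUE;
}

/* Caller with the checks in the safe order: look the user up, bail out on
 * NULL first, and only then ask for the tree iterator. Returns 1 if a row was
 * updated, 0 if the name was unknown or the member had no row. */
static int chat_rename_user(PurpleConvChat *chat, const char *old_name, const char *new_name)
{
    GtkTreeIter iter;
    PurpleConvChatBuddy *old_cbuddy = chat_cb_find(chat, old_name);

    if (!old_cbuddy)
        return 0;

    if (!get_iter_from_chatbuddy(old_cbuddy, &iter))
        return 0;

    old_cbuddy->name = new_name;
    return 1;
}
```

The helper's own NULL check is what the patch above adds; the caller ordering is the "rearrange" half, and both together mean an unknown name produces a clean early return whichever path is taken.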

Change History (5)

comment:1 Changed 5 years ago by clh

  • Description modified (diff)

comment:2 Changed 5 years ago by clh

  • Description modified (diff)
  • Summary changed from pidgin_conv_chat_rename_user can dereference NULL pointer to get_iter_from_chatbuddy can dereference NULL pointer

comment:3 Changed 5 years ago by QuLogic

  • Milestone set to Patches Needing Review
  • Type changed from defect to patch

comment:4 Changed 5 years ago by qulogic@…

  • Milestone changed from Patches Needing Review to 3.0.0
  • Resolution set to fixed
  • Status changed from new to closed

(In d1d77da56217f3a083e1d459bef054db9f1d5699):
Rearrange code to prevent a NULL-dereference. Thanks to clh for pointing out this issue.

Closes #14392.

comment:5 Changed 4 years ago by markdoliner@…

  • Milestone changed from 3.0.0 to 2.10.2

(In e30e044988add329e86eaf06a2f6ab1b3c5c47bb):
* Plucked d1d77da56217f3a083e1d459bef054db9f1d5699 (qulogic@…): Rearrange code to prevent a NULL-dereference. Thanks to clh for pointing out this issue.

Closes #14392.
