Invalid read in read_pnp_ids

Steps to reproduce

  1. Run valgrind /usr/bin/xfsettingsd --replace

Valgrind trace

Invalid read of size 1
   at 0x121ECC: UnknownInlinedFun (display-name.c:2590)
   by 0x121ECC: UnknownInlinedFun (display-name.c:2610)
   by 0x121ECC: make_display_name (display-name.c:2637)
   by 0x125411: UnknownInlinedFun (xfce-randr.c:575)
   by 0x125411: xfce_randr_populate (xfce-randr.c:259)
   by 0x125912: xfce_randr_new (xfce-randr.c:308)
   by 0x125A1D: xfce_displays_helper_x11_init (displays-x11.c:213)
   by 0x54434F8: g_type_create_instance (gtype.c:1901)
   by 0x5428727: g_object_new_internal.part.0 (gobject.c:2614)
   by 0x5429DA6: UnknownInlinedFun (gobject.c:2611)
   by 0x5429DA6: g_object_new_with_properties (gobject.c:2777)
   by 0x542AE01: g_object_new (gobject.c:2423)
   by 0x11DA10: on_name_acquired (main.c:141)
   by 0x533F86C: UnknownInlinedFun (gdbusnameowning.c:153)
   by 0x533F86C: do_call.lto_priv.0 (gdbusnameowning.c:205)
   by 0x533FA99: UnknownInlinedFun (gdbusnameowning.c:219)
   by 0x533FA99: UnknownInlinedFun (gdbusnameowning.c:210)
   by 0x533FA99: UnknownInlinedFun (gdbusnameowning.c:286)
   by 0x533FA99: on_name_lost_or_acquired (gdbusnameowning.c:250)
   by 0x5337478: emit_signal_instance_in_idle_cb (gdbusconnection.c:4207)
   by 0x54C2103: g_main_dispatch.lto_priv.0 (gmain.c:3398)
   by 0x5525D56: UnknownInlinedFun (gmain.c:4249)
   by 0x5525D56: g_main_context_iterate_unlocked.isra.0 (gmain.c:4314)
   by 0x54C2DE6: g_main_loop_run (gmain.c:4516)
   by 0x4D7EDFE: gtk_main (gtkmain.c:1329)
   by 0x112468: main (main.c:349)
 Address 0xc293683 is 2 bytes after a block of size 1 alloc'd
   at 0x48457A8: malloc (vg_replace_malloc.c:446)
   by 0x54C7D0A: g_malloc (gmem.c:100)
   by 0x54DE51A: g_strdup (gstrfuncs.c:323)
   by 0x54EA1DE: UnknownInlinedFun (gstrfuncs.h:321)
   by 0x54EA1DE: g_strsplit (gstrfuncs.c:2428)
   by 0x121E95: UnknownInlinedFun (display-name.c:2586)
   by 0x121E95: UnknownInlinedFun (display-name.c:2610)
   by 0x121E95: make_display_name (display-name.c:2637)
   by 0x125411: UnknownInlinedFun (xfce-randr.c:575)
   by 0x125411: xfce_randr_populate (xfce-randr.c:259)
   by 0x125912: xfce_randr_new (xfce-randr.c:308)
   by 0x125A1D: xfce_displays_helper_x11_init (displays-x11.c:213)
   by 0x54434F8: g_type_create_instance (gtype.c:1901)
   by 0x5428727: g_object_new_internal.part.0 (gobject.c:2614)
   by 0x5429DA6: UnknownInlinedFun (gobject.c:2611)
   by 0x5429DA6: g_object_new_with_properties (gobject.c:2777)
   by 0x542AE01: g_object_new (gobject.c:2423)
   by 0x11DA10: on_name_acquired (main.c:141)
   by 0x533F86C: UnknownInlinedFun (gdbusnameowning.c:153)
   by 0x533F86C: do_call.lto_priv.0 (gdbusnameowning.c:205)
   by 0x533FA99: UnknownInlinedFun (gdbusnameowning.c:219)
   by 0x533FA99: UnknownInlinedFun (gdbusnameowning.c:210)
   by 0x533FA99: UnknownInlinedFun (gdbusnameowning.c:286)
   by 0x533FA99: on_name_lost_or_acquired (gdbusnameowning.c:250)
   by 0x5337478: emit_signal_instance_in_idle_cb (gdbusconnection.c:4207)
   by 0x54C2103: g_main_dispatch.lto_priv.0 (gmain.c:3398)
   by 0x5525D56: UnknownInlinedFun (gmain.c:4249)
   by 0x5525D56: g_main_context_iterate_unlocked.isra.0 (gmain.c:4314)
   by 0x54C2DE6: g_main_loop_run (gmain.c:4516)
   by 0x4D7EDFE: gtk_main (gtkmain.c:1329)
   by 0x112468: main (main.c:349)

Debugging info

read_pnp_ids splits the contents of /usr/share/hwdata/pnp.ids on \n characters with g_strsplit. Because the file ends with a newline, the last element of the resulting array is an empty string, and indexing line[3] on that one-byte allocation reads past its end. This is the invalid read valgrind reports:

(gdb) f
#0  read_pnp_ids () at ../common/display-name.c:2590
2590	            if (line[3] == '\t')
(gdb) p line
$16 = (gchar *) 0xc293680 ""
(gdb) call g_strsplit(contents, "\n", -1)[2556]
$18 = (gchar *) 0xcd74970 "ZZZ\tBoca Research Inc"
(gdb) call g_strsplit(contents, "\n", -1)[2557]
$19 = (gchar *) 0xcdc0fe0 ""
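To illustrate the off-by-one described above, here is an added example in plain C (not xfce4-settings code, and written without GLib so it runs stand-alone): a splitter that reproduces the trailing empty element g_strsplit produces for a newline-terminated file, and a parser that guards the line[3] index with a length check before looking for the tab. It runs over a constructed three-line pnp.ids sample; the function names, the sample contents and the treatment of '#' comment lines are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in the pnp.ids layout: three-letter vendor id, a tab,
 * the vendor name, one entry per line, file terminated by a newline.
 * This is not the real /usr/share/hwdata/pnp.ids. */
static const char SAMPLE_PNP_IDS[] =
    "# constructed sample\n"
    "AAA\tAvolites Ltd\n"
    "ZZZ\tBoca Research Inc\n";

/* Split on '\n' like g_strsplit(contents, "\n", -1) does for a non-empty
 * buffer: a trailing newline yields a final empty element. Returns a
 * NULL-terminated array of malloc'd strings and stores the count in *count. */
static char **split_lines(const char *contents, size_t *count)
{
    size_t n = 1;
    for (const char *p = contents; *p; p++)
        if (*p == '\n') n++;
    char **out = calloc(n + 1, sizeof *out);
    size_t i = 0;
    const char *start = contents;
    for (;;) {
        const char *nl = strchr(start, '\n');
        size_t len = nl ? (size_t)(nl - start) : strlen(start);
        out[i] = malloc(len + 1);
        memcpy(out[i], start, len);
        out[i][len] = '\0';
        i++;
        if (!nl) break;
        start = nl + 1;
    }
    *count = i;
    return out;
}

static void free_lines(char **lines)
{
    for (size_t i = 0; lines[i]; i++) free(lines[i]);
    free(lines);
}

/* Returns 1 and points *vendor at the name if the line is a well-formed
 * entry; returns 0 for comment lines, short lines and the trailing empty
 * element. The strlen guard is the fix: evaluating line[3] on "" (a
 * one-byte allocation) is exactly the out-of-bounds read in the report. */
static int parse_pnp_line(const char *line, char id[4], const char **vendor)
{
    if (line[0] == '#' || strlen(line) < 4) return 0;
    if (line[3] != '\t') return 0;
    memcpy(id, line, 3);
    id[3] = '\0';
    *vendor = line + 4;
    return 1;
}

/* Number of elements the split yields; the last one is "" for our sample. */
static size_t count_split_elements(const char *contents)
{
    size_t n;
    char **lines = split_lines(contents, &n);
    free_lines(lines);
    return n;
}

/* Counts well-formed entries in a pnp.ids-style buffer. */
static size_t count_pnp_entries(const char *contents)
{
    size_t n, entries = 0;
    char **lines = split_lines(contents, &n);
    for (size_t i = 0; i < n; i++) {
        char id[4];
        const char *vendor;
        if (parse_pnp_line(lines[i], id, &vendor)) entries++;
    }
    free_lines(lines);
    return entries;
}

/* Copies the vendor name for `wanted` into out and returns 1, or returns 0
 * when no entry matches. */
static int lookup_pnp_vendor(const char *contents, const char *wanted,
                             char *out, size_t outlen)
{
    size_t n;
    int found = 0;
    char **lines = split_lines(contents, &n);
    for (size_t i = 0; i < n && !found; i++) {
        char id[4];
        const char *vendor;
        if (parse_pnp_line(lines[i], id, &vendor) && strcmp(id, wanted) == 0) {
            snprintf(out, outlen, "%s", vendor);
            found = 1;
        }
    }
    free_lines(lines);
    return found;
}

int main(void)
{
    char name[64];
    printf("split elements: %zu (the last one is the empty string)\n",
           count_split_elements(SAMPLE_PNP_IDS));
    printf("well-formed entries: %zu\n", count_pnp_entries(SAMPLE_PNP_IDS));
    if (lookup_pnp_vendor(SAMPLE_PNP_IDS, "ZZZ", name, sizeof name))
        printf("ZZZ -> %s\n", name);
    return 0;
}
```

Running the example under valgrind shows no invalid reads, because the empty trailing element is rejected by the length check before line[3] is touched; removing the `strlen(line) < 4` guard reintroduces the reported read on the one-byte allocation.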

Version info

xfce4-settings 4.20.1-1 on Arch Linux