Bug 524956 - media-gfx/rawstudio-2.0 - segmentation fault in g_type_name() at line 839 of rs-batch.c
Summary: media-gfx/rawstudio-2.0 - segmentation fault in g_type_name() at line 839 of ...
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Gentoo Graphics Project
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2014-10-10 13:45 UTC by Marek Szuba (RETIRED)
Modified: 2015-02-03 14:31 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
rawstudio-2.0-gtype_is_size_not_int.patch (rawstudio-2.0-gtype_is_size_not_int.patch,791 bytes, patch)
2014-10-10 13:46 UTC, Marek Szuba (RETIRED)

Description Marek Szuba (RETIRED) archtester gentoo-dev 2014-10-10 13:45:32 UTC
Hello,

When installed on an AMD64 system, rawstudio dies with a segmentation fault shortly after being launched. A quick check using gdb reveals that the segfault occurs in the GLib function g_type_name(), invoked on line 839 of rs-batch.c (function filetype_changed()).

Having looked into the matter further, I have found out the following. g_type_name() expects its argument to be of the type GType, which is an alias for either size_t or unsigned long*. An appropriate argument is passed to filetype_changed() indirectly, via a pointer, then dereferenced using the GLib macro GPOINTER_TO_INT(), which as the name suggests returns a signed int. Leaving the fact we have just happily cast an unsigned integer to a signed one aside, the problem occurs if, as for Linux/AMD64, sizeof(size_t) != sizeof(int). If that is the case the argument passed to g_type_name() gets truncated to sizeof(int). Combine that with the fact that as GLib documentation clearly states, g_type_name() performs no input validation - and you've got a segmentation fault.

Nota bene, a related problem occurs in the function make_batch_option(), in line 1087 of rs-batch.c - where a GType return value of g_type_from_name() is converted to a pointer FROM UNSIGNED INT.

The easiest way of fixing this problem is to use GPOINTER_TO_SIZE() in line 833 and GSIZE_TO_POINTER() in line 1087 of rs-batch.c instead of, respectively, GPOINTER_TO_INT() and GUINT_TO_POINTER(); please find enclosed a patch which implements this change. Mind you, this may still not be the right way of doing this - I've got no experience with GLib programming, but it feels to me that there should be some way of working with GType directly instead of replacing the "GType is unsigned int" assumption with the "GType is size_t" one.

BTW, I've just had a look at Rawstudio SVN trunk to see whether the problem has been fixed upstream. Line 1087 (now 1052) hasn't been touched; line 833 (now 798) now converts gpointer to GType by... casting it to the latter without dereferencing. Seriously. Anyway, my point here is that there has been no upstream fix. I will post a bug report there some time soon.

As always, please let me know should you need any more information.

-- 
MS
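The truncation the report describes can be reproduced without GLib or rawstudio. The following is an added illustration, not code from the bug report, the attached patch, or the rawstudio project: it re-spells the four GLib conversion macros as they are defined for LP64 Linux/AMD64 (an assumption about the platform, stated in the comments; the typedefs are stand-ins rather than the real GLib headers), then runs a pointer-sized GType value through the original GUINT_TO_POINTER()/GPOINTER_TO_INT() pair and through the GSIZE_TO_POINTER()/GPOINTER_TO_SIZE() pair the patch switches to. The sample GType values are constructed so that their upper 32 bits are nonzero, which is what a pointer-sized value looks like on AMD64.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the GLib typedefs on LP64 Linux/AMD64 (an assumption about
 * the platform, not taken from the real headers): pointers and long are
 * 64 bits wide, int is 32. */
typedef int           gint;
typedef long          glong;
typedef unsigned long gulong;
typedef size_t        gsize;
typedef void         *gpointer;
typedef gsize         GType;   /* pointer-sized on this platform */

/* The conversion macros, spelled the way GLib defines them for LP64. */
#define GPOINTER_TO_INT(p)  ((gint) (glong) (p))
#define GUINT_TO_POINTER(u) ((gpointer) (gulong) (u))
#define GPOINTER_TO_SIZE(p) ((gsize) (p))
#define GSIZE_TO_POINTER(s) ((gpointer) (gsize) (s))

/* The path the report describes: make_batch_option() stashes the GType in a
 * gpointer with GUINT_TO_POINTER(), filetype_changed() reads it back with
 * GPOINTER_TO_INT().  Only the low 32 bits survive, and they come back
 * sign-extended because the intermediate type is a signed int. */
GType roundtrip_via_int(GType type)
{
    gpointer stored = GUINT_TO_POINTER(type);
    return (GType) GPOINTER_TO_INT(stored);
}

/* The path after the attached patch: pointer-sized in both directions,
 * so the value is handed back unchanged. */
GType roundtrip_via_size(GType type)
{
    gpointer stored = GSIZE_TO_POINTER(type);
    return GPOINTER_TO_SIZE(stored);
}

/* True when the value a caller would pass to g_type_name() still equals the
 * GType that was stored.  A false result is the precondition for the
 * reported crash, since g_type_name() does not validate its argument. */
bool survives_int_roundtrip(GType type)
{
    return roundtrip_via_int(type) == type;
}

int main(void)
{
    /* Constructed sample values whose upper 32 bits are nonzero; the second
     * one also has the top bit of its low word set, so the int path
     * sign-extends it. */
    const GType samples[] = { 0x0000000155667788UL, 0x00000001AABBCCDDUL };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("GType %#lx: via INT -> %#lx (%s), via SIZE -> %#lx\n",
               (unsigned long) samples[i],
               (unsigned long) roundtrip_via_int(samples[i]),
               survives_int_roundtrip(samples[i]) ? "intact" : "corrupted",
               (unsigned long) roundtrip_via_size(samples[i]));
    }
    return 0;
}
```

Small GType values (the fundamental types, which fit in 32 bits) pass through both paths unchanged, which is why the defect only surfaces on a platform where sizeof(GType) != sizeof(int) and only for types whose identifier is an address. The corrupted value is then passed, unchecked, to g_type_name(), which is where gdb reports the fault.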
Comment 1 Marek Szuba (RETIRED) archtester gentoo-dev 2014-10-10 13:46:21 UTC
Created attachment 386380 [details, diff]
rawstudio-2.0-gtype_is_size_not_int.patch
Comment 2 Pacho Ramos gentoo-dev 2015-02-03 14:31:59 UTC
dropped