From f0e34498a2f2e2ec6644a3af47c1b56ac5b6dec3 Mon Sep 17 00:00:00 2001
From: Ernestas Kulik <ernestask@gnome.org>
Date: Thu, 2 Aug 2018 22:29:03 +0300
Subject: [PATCH] clipboard: Prevent crash when selection data is empty
Somehow, magically, it can happen that the clipboard contains an empty
string, which wreaks havoc in convert_selection_data_to_str_list(),
since the loop counter goes from 0 to the number of lines in the data
string minus one. This commit adds a check for the number of lines and
returns early. Additionally, this introduces automatic cleanup for a
variable and fixes mismatched types.
---
src/nautilus-clipboard.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/nautilus-clipboard.c b/src/nautilus-clipboard.c
index 752ff131f..2a77cf28f 100644
--- a/src/nautilus-clipboard.c
+++ b/src/nautilus-clipboard.c
@@ -42,23 +42,29 @@ typedef struct
static GList *
convert_selection_data_to_str_list (const gchar *data)
{
- int i;
+ g_auto (GStrv) lines;
+ guint number_of_lines;
GList *result;
- size_t number_of_lines;
- gchar **lines;
lines = g_strsplit (data, "\n", 0);
- result = NULL;
number_of_lines = g_strv_length (lines);
+ if (number_of_lines == 0)
+ {
+ /* An empty string will result in g_strsplit() returning an empty
+ * array, so, naturally, 0 - 1 = UINT32_MAX and we read all sorts
+ * of invalid memory.
+ */
+ return NULL;
+ }
+ result = NULL;
+
/* Also, this skips the last line, since it would be an
* empty string from the split */
- for (i = 0; i < number_of_lines - 1; i++)
+ for (guint i = 0; i < number_of_lines - 1; i++)
{
result = g_list_prepend (result, g_strdup (lines[i]));
}
- g_strfreev (lines);
-
return g_list_reverse (result);
}
--
2.17.2