From f0e34498a2f2e2ec6644a3af47c1b56ac5b6dec3 Mon Sep 17 00:00:00 2001 From: Ernestas Kulik Date: Thu, 2 Aug 2018 22:29:03 +0300 Subject: [PATCH] clipboard: Prevent crash when selection data is empty Somehow, magically, it can happen that the clipboard contains an empty string, which wreaks havoc in convert_selection_data_to_str_list(), since the loop counter goes from 0 to the number of lines in the data string minus one. This commit adds a check for the number of lines and returns early. Additionally, this introduces automatic cleanup for a variable and fixes mismatched types. --- src/nautilus-clipboard.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/src/nautilus-clipboard.c b/src/nautilus-clipboard.c index 752ff131f..2a77cf28f 100644 --- a/src/nautilus-clipboard.c +++ b/src/nautilus-clipboard.c @@ -42,23 +42,29 @@ typedef struct static GList * convert_selection_data_to_str_list (const gchar *data) { - int i; + g_auto (GStrv) lines; + guint number_of_lines; GList *result; - size_t number_of_lines; - gchar **lines; lines = g_strsplit (data, "\n", 0); - result = NULL; number_of_lines = g_strv_length (lines); + if (number_of_lines == 0) + { + /* An empty string will result in g_strsplit() returning an empty + * array, so, naturally, 0 - 1 = UINT32_MAX and we read all sorts + * of invalid memory. + */ + return NULL; + } + result = NULL; + /* Also, this skips the last line, since it would be an * empty string from the split */ - for (i = 0; i < number_of_lines - 1; i++) + for (guint i = 0; i < number_of_lines - 1; i++) { result = g_list_prepend (result, g_strdup (lines[i])); } - g_strfreev (lines); - return g_list_reverse (result); } -- 2.17.2