In the source code of update-notifier_3.192.40.tar.xz, the following crash occurs when the file 
/var/lib/update-notifier/user.d/incomplete-language-support-gnome.note exists.

In hooks.c, at line 108, when the file test is true, the program will execute 
"goto out" at line 112.

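Then, at line 137, pathdirs is still uninitialized, because the "goto out" 
jumps over the statement that declares and assigns it. The check 
"if(pathdirs)" therefore reads an indeterminate value, and the call to 
g_strfreev() triggers a segmentation fault. Declaring pathdirs with a NULL 
initializer above any "goto out" would make the cleanup at the out: label 
safe.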



if(cargv[0][0] == '/' &&
  g_file_test(cargv[0], G_FILE_TEST_EXISTS|G_FILE_TEST_IS_EXECUTABLE)) {
      result = TRUE;
      g_debug_hooks("command exists");
      goto out; // THIS IS EXECUTED
   }

   g_debug_hooks("'%s' is not a valid absolute path", cargv[0]);

   gchar **pathdirs = g_strsplit(getenv("PATH"), ":", 100);
   if(!pathdirs) goto out;

   for(int i = 0; pathdirs[i] != NULL; i++) {
      gchar *pathdir = pathdirs[i];
      char *fname = g_strdup_printf("%s/%s", pathdir, cargv[0]);
      if(g_file_test(fname, G_FILE_TEST_EXISTS|G_FILE_TEST_IS_EXECUTABLE)) {
  g_debug_hooks("command exists at '%s'", fname);
  g_free(fname);
  result = TRUE;
  goto out;
      }
      g_free(fname);
   }

   g_debug_hooks("failed to find command in PATH");

out:
   if(error) g_error_free(error);
   if(cargv) g_strfreev(cargv);
   if(pathdirs) g_strfreev(pathdirs); // THIS IS THE CRASH SITE BECAUSE pathdirs IS IN UNINITIALIZED STATE.
   if(unquoted) g_free(unquoted);
   return result;