gcontenttype: Fix a potential NULL pointer dereference

If the initial part of the header (‘MIME-TreeMagic’) is valid, but the
following line does not start with ‘[’ (i.e. is not a valid section
line), insert_matchlet() will be called with a NULL match pointer, and
will crash with a NULL pointer dereference.

Fix this by bailing out if a valid section line isn’t encountered before
the first insert_matchlet() call (i.e. between the header line and the
first data line).

Note that this has not been tested against a real treemagic file; the
fix is purely theoretical.

Found by scan-build.

https://bugzilla.gnome.org/show_bug.cgi?id=113075

diff --git a/gio/gcontenttype.c b/gio/gcontenttype.c
index d54f042..8734e7f 100644 (file)
--- a/gio/gcontenttype.c
+++ b/gio/gcontenttype.c
@@ -1032,11 +1032,16 @@ read_tree_magic_from_directory (const gchar *prefix)
                   match = parse_header (lines[i]);
                   insert_match (match);
                 }
-              else
+              else if (match != NULL)
                 {
                   matchlet = parse_match_line (lines[i], &depth);
                   insert_matchlet (match, matchlet, depth);
                 }
+              else
+                {
+                  g_warning ("%s: header corrupt; skipping\n", filename);
+                  break;
+                }
             }
 
           g_strfreev (lines);