From be7f40185fb2ce884112c1f8a4b196ea65350466 Mon Sep 17 00:00:00 2001
From: Kalev Lember <kalevlember@gmail.com>
Date: Sat, 21 Sep 2013 13:52:09 +0200
Subject: [PATCH] xdgmime: Fix an invalid read

This commit factors out a function for comparing string suffixes, and at
the same time makes it safe for mime types that are shorter than the
"/*" suffix.

==25418== Invalid read of size 1
==25418==    at 0x3C6D0F9D22: __gio_xdg_cache_mime_type_subclass (xdgmimecache.c:848)
==25418==    by 0x3C6D09ED8C: g_content_type_is_a (gcontenttype.c:158)
==25418==    by 0x34D8031E95: gtk_recent_filter_filter (gtkrecentfilter.c:733)
==25418==    by 0x34D802F167: _gtk_recent_chooser_get_items (gtkrecentchooserutils.c:387)
==25418==    by 0x34D802D07F: idle_populate_func (gtkrecentchoosermenu.c:1011)
==25418==    by 0x34D7A20477: gdk_threads_dispatch (gdk.c:804)
==25418==    by 0x3C6C0492F5: g_main_context_dispatch (gmain.c:3065)
==25418==    by 0x3C6C049677: g_main_context_iterate.isra.23 (gmain.c:3712)
==25418==    by 0x3C6C04972B: g_main_context_iteration (gmain.c:3773)
==25418==    by 0x34D7FC2AF4: gtk_main_iteration (gtkmain.c:1262)
==25418==    by 0x408EB4: main (in /usr/bin/glade)

https://bugzilla.gnome.org/show_bug.cgi?id=708529
---
 gio/xdgmime/xdgmime.c      | 19 ++++++++++++++-----
 gio/xdgmime/xdgmimecache.c | 19 ++++++++++++++-----
 2 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/gio/xdgmime/xdgmime.c b/gio/xdgmime/xdgmime.c
index 846be39..f73b7f2 100644
--- a/gio/xdgmime/xdgmime.c
+++ b/gio/xdgmime/xdgmime.c
@@ -741,19 +741,28 @@ xdg_mime_media_type_equal (const char *mime_a,
 
 #if 1
 static int
-xdg_mime_is_super_type (const char *mime)
+ends_with (const char *str,
+           const char *suffix)
 {
   int length;
-  const char *type;
+  int suffix_length;
 
-  length = strlen (mime);
-  type = &(mime[length - 2]);
+  length = strlen (str);
+  suffix_length = strlen (suffix);
+  if (length < suffix_length)
+    return 0;
 
-  if (strcmp (type, "/*") == 0)
+  if (strcmp (str + length - suffix_length, suffix) == 0)
     return 1;
 
   return 0;
 }
+
+static int
+xdg_mime_is_super_type (const char *mime)
+{
+  return ends_with (mime, "/*");
+}
 #endif
 
 int
diff --git a/gio/xdgmime/xdgmimecache.c b/gio/xdgmime/xdgmimecache.c
index 87a3cd0..3a64deb 100644
--- a/gio/xdgmime/xdgmimecache.c
+++ b/gio/xdgmime/xdgmimecache.c
@@ -837,19 +837,28 @@ _xdg_mime_cache_get_mime_types_from_file_name (const char *file_name,
 
 #if 1
 static int
-is_super_type (const char *mime)
+ends_with (const char *str,
+           const char *suffix)
 {
   int length;
-  const char *type;
+  int suffix_length;
 
-  length = strlen (mime);
-  type = &(mime[length - 2]);
+  length = strlen (str);
+  suffix_length = strlen (suffix);
+  if (length < suffix_length)
+    return 0;
 
-  if (strcmp (type, "/*") == 0)
+  if (strcmp (str + length - suffix_length, suffix) == 0)
     return 1;
 
   return 0;
 }
+
+static int
+is_super_type (const char *mime)
+{
+  return ends_with (mime, "/*");
+}
 #endif
 
 int
-- 
2.7.4