gtkcssprovider: Fix sorting of custom property IDs on 64-bit big-endian

This function is used to sort a GPtrArray of "pointers" which are actually GINT_TO_POINTER (id), so a and b are pointers to pointer-sized quantities. Previously it was assuming that both were int-sized quantities, dereferencing them to get the first sizeof(int) bytes, and then redundantly casting those bytes to int. However, on a 64-bit big-endian platform, the first few bytes of a larger-than-int quantity are the most significant part, in practice 0, causing an out-of-bounds array access and a crash. This was visible in the `gtk:css / parser variables.css` automated test. Bug-Debian: https://bugs.debian.org/1079546 Signed-off-by: Simon McVittie <smcv@debian.org>
2024-09-19 21:40:22 +00:00 · 2024-08-31 02:26:57 +01:00 · 2024-08-31 02:26:57 +01:00 · a524524ffd
commit a524524ffd
parent 3ef1f448a3
1 changed files with 6 additions and 4 deletions
--- a/gtk/gtkcssprovider.c
+++ b/gtk/gtkcssprovider.c
@ -1660,16 +1660,18 @@ compare_properties (gconstpointer a, gconstpointer b, gpointer style)
                 _gtk_style_property_get_name (GTK_STYLE_PROPERTY (styles[*ub].property)));
 }

+/* This is looking into a GPtrArray where each "pointer" is actually
+ * GINT_TO_POINTER (id), so a and b are pointers to pointer-sized quantities */
 static int
 compare_custom_properties (gconstpointer a, gconstpointer b, gpointer user_data)
 {
  GtkCssCustomPropertyPool *pool = user_data;
-  int id1 = GPOINTER_TO_INT (*((const int *) a));
-  int id2 = GPOINTER_TO_INT (*((const int *) b));
+  const void * const *ap = a;
+  const void * const *bp = b;
  const char *name1, *name2;

-  name1 = gtk_css_custom_property_pool_get_name (pool, id1);
-  name2 = gtk_css_custom_property_pool_get_name (pool, id2);
+  name1 = gtk_css_custom_property_pool_get_name (pool, GPOINTER_TO_INT (*ap));
+  name2 = gtk_css_custom_property_pool_get_name (pool, GPOINTER_TO_INT (*bp));

  return strcmp (name1, name2);
 }