fix(flatpak): construct null-terminated array for arguments (#5213)

The variant format string `^aay` is said to be equivalent to `g_variant_new_bytestring_array`. Given that no length parameter is provided, glib assumed a null-terminated array, causing a crash as glib exceed the read boundaries to copy arbitrary memory. This commit replaces the array construction code to use its arena equivalents instead of glib, and make sure that the resulting array is null-terminated. Fixes #3616.
2025-01-20 10:22:18 -08:00 · 2025-01-20 10:22:18 -08:00 · c3ef4d2908
parent 0eb6f28375 ecad3e75ff
commit c3ef4d2908
1 changed files with 6 additions and 10 deletions
--- a/src/os/flatpak.zig
+++ b/src/os/flatpak.zig
@ -265,16 +265,12 @@ pub const FlatpakHostCommand = struct {
        }

        // Build our args
-        const args_ptr = c.g_ptr_array_new();
-        {
-            errdefer _ = c.g_ptr_array_free(args_ptr, 1);
-            for (self.argv) |arg| {
-                const argZ = try arena.dupeZ(u8, arg);
-                c.g_ptr_array_add(args_ptr, argZ.ptr);
-            }
+        const args = try arena.alloc(?[*:0]u8, self.argv.len + 1);
+        for (0.., self.argv) |i, arg| {
+            const argZ = try arena.dupeZ(u8, arg);
+            args[i] = argZ.ptr;
        }
-        const args = c.g_ptr_array_free(args_ptr, 0);
-        defer c.g_free(@as(?*anyopaque, @ptrCast(args)));
+        args[args.len - 1] = null;

        // Get the cwd in case we don't have ours set. A small optimization
        // would be to do this only if we need it but this isn't a
@ -286,7 +282,7 @@ pub const FlatpakHostCommand = struct {
        const params = c.g_variant_new(
            "(^ay^aay@a{uh}@a{ss}u)",
            @as(*const anyopaque, if (self.cwd) |*cwd| cwd.ptr else g_cwd),
-            args,
+            args.ptr,
            c.g_variant_builder_end(fd_builder),
            c.g_variant_builder_end(env_builder),
            @as(c_int, 0),