
Commit d9d53a8

committed
service: Fix Service.request() GVariant lifetime
The variant unmarshal helpers returned floating GVariants. When these values were stored in containers, the floating reference was consumed. Service.request() later unref'd the same GVariant, leading to refcount underflow and memory corruption, or appearing to work by accident when the memory was not yet reused. Ensure all unmarshalled GVariants are non-floating before returning them so that Service.request() always owns a full reference.
1 parent dfb002d commit d9d53a8


1 file changed

+10
-8
lines changed


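--- a/frida/_frida/extension.c
+++ b/frida/_frida/extension.c
@@ -1886,14 +1886,14 @@ PyGObject_unmarshal_variant (PyObject * value, GVariant ** variant)
 
 PyGObject_unmarshal_string (value, &str);
 
-*variant = g_variant_new_take_string (str);
+*variant = g_variant_ref_sink (g_variant_new_take_string (str));
 
 return TRUE;
 }
 
 if (PyBool_Check (value))
 {
-*variant = g_variant_new_boolean (value == Py_True);
+*variant = g_variant_ref_sink (g_variant_new_boolean (value == Py_True));
 
 return TRUE;
 }
@@ -1906,14 +1906,14 @@ PyGObject_unmarshal_variant (PyObject * value, GVariant ** variant)
 if (l == -1 && PyErr_Occurred ())
 return FALSE;
 
-*variant = g_variant_new_int64 (l);
+*variant = g_variant_ref_sink (g_variant_new_int64 (l));
 
 return TRUE;
 }
 
 if (PyFloat_Check (value))
 {
-*variant = g_variant_new_double (PyFloat_AsDouble (value));
+*variant = g_variant_ref_sink (g_variant_new_double (PyFloat_AsDouble (value)));
 
 return TRUE;
 }
@@ -1927,7 +1927,7 @@ PyGObject_unmarshal_variant (PyObject * value, GVariant ** variant)
 PyBytes_AsStringAndSize (value, &buffer, &length);
 
 copy = g_memdup2 (buffer, length);
-*variant = g_variant_new_from_data (G_VARIANT_TYPE_BYTESTRING, copy, length, TRUE, g_free, copy);
+*variant = g_variant_ref_sink (g_variant_new_from_data (G_VARIANT_TYPE_BYTESTRING, copy, length, TRUE, g_free, copy));
 
 return TRUE;
 }
@@ -1973,12 +1973,13 @@ PyGObject_unmarshal_variant_from_mapping (PyObject * mapping, GVariant ** varian
 
 g_variant_builder_add (&builder, "{sv}", PyBytes_AsString (key_bytes), raw_value);
 
+g_variant_unref (raw_value);
 Py_DecRef (key_bytes);
 }
 
 Py_DecRef (items);
 
-*variant = g_variant_builder_end (&builder);
+*variant = g_variant_ref_sink (g_variant_builder_end (&builder));
 
 return TRUE;
 
@@ -2023,10 +2024,11 @@ PyGObject_unmarshal_variant_from_sequence (PyObject * sequence, GVariant ** vari
 else
 g_variant_builder_add (&builder, "v", raw_value);
 
+g_variant_unref (raw_value);
 Py_DecRef (val);
 }
 
-*variant = g_variant_builder_end (&builder);
+*variant = g_variant_ref_sink (g_variant_builder_end (&builder));
 
 return TRUE;
 
@@ -2926,7 +2928,7 @@ PyDevice_spawn (PyDevice * self, PyObject * args, PyObject * kw)
 goto invalid_dict_value;
 }
 
-g_hash_table_insert (aux, raw_key, g_variant_ref_sink (raw_value));
+g_hash_table_insert (aux, raw_key, raw_value);
 }
 }
 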
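Review bot: The ownership contract this commit establishes — every unmarshal helper now hands back a full, non-floating GVariant that the caller must release with g_variant_unref — is not written down anywhere in the hunks, so the next caller of PyGObject_unmarshal_variant or of the mapping/sequence builders can reintroduce exactly the refcount underflow the commit fixes; a comment at the definition, e.g. `/* On success, *variant holds a full (non-floating) reference owned by the caller; release it with g_variant_unref(). */`, would pin it. In PyDevice_spawn (hunk at 2926) dropping g_variant_ref_sink on insert is consistent with that contract only if the aux hash table was created with g_variant_unref as its value destroy function; that is outside the hunk and worth confirming. The g_variant_unref calls added in the mapping and sequence loops run only after g_variant_builder_add, so any early exit between a successful unmarshal of raw_value and the add would now leak it — the loop heads are outside these hunks, so treat this as an assumption to check. All affected functions begin and end outside the hunks shown.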
