CVE-2022-37290: null pointer error in get_basename() which leads to crash when paste a zip format file in ubuntu 22.04 (#2376) · Issues · GNOME / Files · GitLab

Affected version

• Nightly flatpak: Can’t test it because i can’t download Nightly version.
• Other:1:42.2 SwitchyOmega.zip

Steps to reproduce

1. install ubuntu 22.04 in vmware pro 16.2.4 build-20089737.
2. install flatpak environment，download nautilus 1:42.2.
3. use Builder build it, and run it with Valgrind, the nautilus window will open.
4. outside vmware, copy the attachment file.
5. in vmware, in the opened nautilus window, paste it.
6. nautilus crashes then.

Current behavior

it just crashed.

Expected behavior

the zip file is pasted successfully.

Additional information

1. the Valgrind information:

• ==2== Memcheck, a memory error detector
• ==2== Copyright © 2002-2022, and GNU GPL’d, by Julian Seward et al.
• ==2== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
• ==2== Command: nautilus
• ==2==
• ==2== Thread 10 pool-org.gnome.:
• ==2== Invalid read of size 1
• ==2== at 0x48F9670: g_utf8_validate (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7302.0)
• ==2== by 0x16EAE8: get_basename (nautilus-file-operations.c:1024)
• ==2== by 0x173EE2: scan_file (nautilus-file-operations.c:3634)
• ==2== by 0x1741BD: scan_sources (nautilus-file-operations.c:3715)
• ==2== by 0x178AA4: nautilus_file_operations_copy (nautilus-file-operations.c:6064)
• ==2== by 0x554E095: ??? (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.7302.0)
• ==2== by 0x48EE461: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7302.0)
• ==2== by 0x48ED9C8: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7302.0)
• ==2== by 0x5A711D9: ??? (in /usr/lib/x86_64-linux-gnu/libc.so.6)
• ==2== by 0x5AF9D83: clone (in /usr/lib/x86_64-linux-gnu/libc.so.6)
• ==2== Address 0x0 is not stack’d, malloc’d or (recently) free’d
• ==2==
• ==2==
• ==2== Process terminating with default action of signal 11 (SIGSEGV)
• ==2== Access not within mapped region at address 0x0
• ==2== at 0x48F9670: g_utf8_validate (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7302.0)
• ==2== by 0x16EAE8: get_basename (nautilus-file-operations.c:1024)
• ==2== by 0x173EE2: scan_file (nautilus-file-operations.c:3634)
• ==2== by 0x1741BD: scan_sources (nautilus-file-operations.c:3715)
• ==2== by 0x178AA4: nautilus_file_operations_copy (nautilus-file-operations.c:6064)
• ==2== by 0x554E095: ??? (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.7302.0)
• ==2== by 0x48EE461: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7302.0)
• ==2== by 0x48ED9C8: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7302.0)
• ==2== by 0x5A711D9: ??? (in /usr/lib/x86_64-linux-gnu/libc.so.6)
• ==2== by 0x5AF9D83: clone (in /usr/lib/x86_64-linux-gnu/libc.so.6)
• ==2== If you believe this happened as a result of a stack
• ==2== overflow in your program’s main thread (unlikely but
• ==2== possible), you can try to increase the size of the
• ==2== main thread stack using the --main-stacksize= flag.
• ==2== The main thread stack size used in this run was 8388608.
• ==2==
• ==2== HEAP SUMMARY:
• ==2== in use at exit: 11,518,984 bytes in 109,964 blocks
• ==2== total heap usage: 968,922 allocs, 858,958 frees, 127,795,237 bytes allocated
• ==2==
• ==2== LEAK SUMMARY:
• ==2== definitely lost: 21,413 bytes in 16 blocks
• ==2== indirectly lost: 269,366 bytes in 1,220 blocks
• ==2== possibly lost: 103,840 bytes in 2,298 blocks
• ==2== still reachable: 9,166,389 bytes in 93,765 blocks
• ==2== of which reachable via heuristic:
• ==2== newarray : 4,264 bytes in 1 blocks
• ==2== suppressed: 0 bytes in 0 blocks
• ==2== Rerun with --leak-check=full to see details of leaked memory
• ==2==
• ==2== For lists of detected and suppressed errors, rerun with: -s
• ==2== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

1. backtrace information

• the crash happened in g_utf8_validate() function, despite this function is provide by libglib2.0, but I think the crash is caused by the function get_basename(), because it passed a null pointer “basename” to g_utf8_validate().

1. where the crash happened

1. “basename” leads to the crash