Bug#990911: liferea: Segfaults when selecting a news bin

Sat, 10 Jul 2021 16:45:15 -0700 

Package: liferea
Version: 1.13.5-1
Severity: important
Tags: upstream, fixed-upstream, patch

liferea 1.13.5 will immediately segfault when selecting a news bin in
the left pane.  (And if a news bin was the last selected item before
upgrading, it will then automatically crash on startup.  I'd argue this
would justify a bump to serious; you be the judge.)

The bug is in feed_add_xml_attributes(), where node->subscription gets
dereferenced at the end, even if it was found to be NULL beforehand.

This was fixed upstream in 49cf235, by moving the last three lines
inside the if(), where they belong.  That patch does not apply cleanly
to 1.13.5 (due to 9db267f), so I'm attaching a revised version.


-- System Information:
Debian Release: 11.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (100, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-5-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

>From dd9ede21cd822989e9fafecadefb4fc410a7c0e7 Mon Sep 17 00:00:00 2001
From: Lars Windolf <lars.wind...@gmx.de>
Date: Fri, 2 Apr 2021 01:22:24 +0200
Subject: [PATCH] Fix crash on selecting news bins

---
 src/feed.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/feed.c b/src/feed.c
index 585ed82a..97848f9f 100644
--- a/src/feed.c
+++ b/src/feed.c
@@ -165,9 +165,14 @@ feed_add_xml_attributes (nodePtr node, xmlNodePtr feedNode)
        xmlNewTextChild (feedNode, NULL, "feedId", node_get_id (node));
        xmlNewTextChild (feedNode, NULL, "feedTitle", node_get_title (node));
 
-       if (node->subscription)
+       if (node->subscription) {
                subscription_to_xml (node->subscription, feedNode);
 
+               tmp = g_strdup_printf("%d", node->subscription->error);
+               xmlNewTextChild(feedNode, NULL, "error", tmp);
+               g_free(tmp);
+       }
+
        tmp = g_strdup_printf("%d", node->available?1:0);
        xmlNewTextChild(feedNode, NULL, "feedStatus", tmp);
        g_free(tmp);
@@ -178,10 +183,6 @@ feed_add_xml_attributes (nodePtr node, xmlNodePtr feedNode)
 
        if(feed->parseErrors && (strlen(feed->parseErrors->str) > 0))
                xmlNewTextChild(feedNode, NULL, "parseError", 
feed->parseErrors->str);
-
-       tmp = g_strdup_printf("%d", node->subscription->error);
-       xmlNewTextChild(feedNode, NULL, "error", tmp);
-       g_free(tmp);
 }
 
 xmlDocPtr
-- 
2.30.2

Reply via email to