Bug 328390 - gconf_unescape_key causes a segmentation fault
Status: RESOLVED FIXED
Product: GConf
Classification: Deprecated
Component: gconf
Version: 2.12.x
Hardware/OS: Other / All
Importance: Normal critical
Target Milestone: ---
Assigned To: GConf Maintainers
QA Contact: GConf Maintainers
Depends on:
Blocks:
Reported: 2006-01-24 08:19 UTC by Lachlan Pease
Modified: 2006-01-24 08:50 UTC
See Also:
GNOME target: ---
GNOME version: 2.11/2.12


Attachments
Patch to fix gconf_unescape_key() (458 bytes, patch), 2006-01-24 08:21 UTC, Lachlan Pease

Description Lachlan Pease 2006-01-24 08:19:48 UTC
Steps to reproduce:
1. Include the line printf( "%s\n", gconf_unescape_key( "MKIS@32@Library/timestamp", -1 ) ); in a program.
2. Run the program.
3. Watch it segfault.


Stack trace:
(gdb) run
Starting program: /usr/bin/nm-applet
[Thread debugging using libthread_db enabled]
[New Thread -1224325440 (LWP 19442)]

Program received signal SIGSEGV, Segmentation fault.

Thread NaN (LWP 19442)
#0  gconf_unescape_key at gconf.c line 2747
#1  nmwa_gconf_info_notify_callback at applet.c line 2239
#2  notify_listeners_callback at gconf-client.c line 2368
#3  gconf_listeners_notify at gconf-listeners.c line 588
#4  notify_one_entry at gconf-client.c line 2393
#5  notify_idle_callback at gconf-client.c line 2433
#6  g_child_watch_add from /usr/lib/libglib-2.0.so.0
#7  g_main_context_dispatch from /usr/lib/libglib-2.0.so.0
#8  g_main_context_acquire from /usr/lib/libglib-2.0.so.0
#9  g_main_loop_run from /usr/lib/libglib-2.0.so.0
#10 gtk_main from /usr/lib/libgtk-x11-2.0.so.0


Other information:
The problem is caused by the function gconf_unescape_key in gconf/gconf.c
calling strtoul with the second parameter as &end, rather than &p. This moves p
past end, quickly ending in a segfault.

Patch to fix this (it's a one-liner) will be attached.
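A minimal model of the defect the reporter describes, as an added example that is neither GConf's code nor the attached patch: in the buggy bookkeeping the loop bound `end` is handed to strtoul as its endptr, so strtoul overwrites it, the cursor `p` is stepped past it, and `while (p != end)` can never terminate on it; beside it is a corrected unescaper that gives strtoul its own endptr and bounds-checks each sequence. The escape grammar assumed here, `@<decimal>@` naming one byte, is inferred from the reproducer string `MKIS@32@Library/timestamp`; the function names `unescape_key` and `buggy_cursor_overruns` are hypothetical. The buggy model does not dereference past the real bound; it only reports whether the cursor got there.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Corrected unescaper (hypothetical name, not GConf's implementation).
 * Input must be NUL-terminated; len < 0 means "use strlen". Each "@<decimal>@"
 * sequence becomes the single byte it names. strtoul gets its own endptr, so
 * the loop bound `end` is never overwritten. Returns NULL on malformed input. */
char *unescape_key(const char *escaped, int len)
{
    if (escaped == NULL)
        return NULL;

    const char *end = escaped + (len < 0 ? (int)strlen(escaped) : len);
    const char *p = escaped;
    /* Unescaping never grows the string, so the input length bounds the output. */
    char *out = malloc((size_t)(end - escaped) + 1);
    if (out == NULL)
        return NULL;
    size_t n = 0;

    while (p < end) {
        if (*p != '@') {
            out[n++] = *p++;
            continue;
        }
        /* The sequence must start with a digit: strtoul alone would also accept
         * leading whitespace and a sign, which are not part of the grammar. */
        if (p + 1 >= end || !isdigit((unsigned char)p[1])) {
            free(out);
            return NULL;
        }
        char *seq_end;                      /* separate endptr: this is the fix */
        errno = 0;
        unsigned long val = strtoul(p + 1, &seq_end, 10);
        /* The closing '@' must lie inside the bound and the value must fit one byte. */
        if (seq_end >= end || *seq_end != '@' || errno != 0 || val > 255) {
            free(out);
            return NULL;
        }
        out[n++] = (char)val;
        p = seq_end + 1;                    /* step over the closing '@' */
    }
    out[n] = '\0';
    return out;
}

/* Model of the pre-fix pointer bookkeeping: strtoul receives &end, the loop
 * bound. Returns 1 as soon as the cursor has been moved beyond the original
 * end (the state in which the real function kept reading and crashed) and
 * 0 if the loop terminated normally. Never reads past the real bound. */
int buggy_cursor_overruns(const char *escaped, int len)
{
    const char *real_end = escaped + (len < 0 ? (int)strlen(escaped) : len);
    char *end = (char *)real_end;           /* function-level bound, about to be clobbered */
    const char *p = escaped;

    while (p != end) {
        if (p > end || p >= real_end)
            return 1;                       /* past the bound: where the crash happened */
        if (*p == '@') {
            strtoul(p + 1, &end, 10);       /* BUG: overwrites the loop bound */
            p = end + 1;                    /* p is now past end, so p != end stays true */
        } else {
            p++;
        }
    }
    return 0;
}

int main(void)
{
    const char *key = "MKIS@32@Library/timestamp";   /* the reporter's input */
    char *plain = unescape_key(key, -1);
    printf("fixed:  %s\n", plain ? plain : "(malformed)");
    printf("buggy model overruns bound: %d\n", buggy_cursor_overruns(key, -1));
    free(plain);
    return 0;
}
```

Declaring the bound as `const char *end`, as the corrected version does, also turns the original mistake into a compile-time diagnostic: strtoul's endptr parameter is `char **`, so `&end` no longer matches without a cast.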
Comment 1 Lachlan Pease 2006-01-24 08:21:23 UTC
Created attachment 57993
Patch to fix gconf_unescape_key()
Comment 2 Crispin Flowerday 2006-01-24 08:50:16 UTC
This crash has already been fixed in CVS:

2005-12-08  Dan Williams  <dcbw@redhat.com>

        * gconf/gconf.c: (gconf_unescape_string): Don't stomp on
          the function-level scoped 'end' from deep in the function.
          Fixes a segfault.