Bug 335203 – crash due to use-after-free during drag-and-drop

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 335203 - crash due to use-after-free during drag-and-drop


Summary:	crash due to use-after-free during drag-and-drop


Status:	RESOLVED FIXED

Product:	evolution
Classification:	Applications
Component:	Mailer
Version:	2.6.x (obsolete)
Hardware:	Other Linux

Importance:	Immediate blocker
Target Milestone:	---
Assigned To:	evolution-mail-maintainers
QA Contact:	Evolution QA team

URL:
Whiteboard:

Duplicates:	326123 334633 335075 335283 335770 (view as bug list)
Depends on:
Blocks:

Reported:	2006-03-20 10:15 UTC by Patrick Ohly
Modified:	2013-09-10 14:04 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
proposed patch to fix the premature memory free (862 bytes, patch) 2006-03-20 10:34 UTC, Patrick Ohly	committed	Details \| Review

Description Patrick Ohly 2006-03-20 10:15:52 UTC

In evolution/mail/em-utils.c the function
em_utils_selection_set_urilist() uses the tmpfile
variable in a call to g_filename_to_uri()
after it has been freed a few lines earlier.

I checked, the current revision 1.77 of that file
still contains the bug.

I found it while working with Evolution 2.6 as compiled
with Garnome 2.14.0. I'm not sure exactly what I did to
trigger it, though, and considering the random nature
of such memory handling would be hard to find out anyway.

Comment 1 Patrick Ohly 2006-03-20 10:34:53 UTC

Created attachment 61603 [details] [review]
proposed patch to fix the premature memory free

Comment 2 Karsten Bräckelmann 2006-03-20 15:30:40 UTC

Thanks Patrick. For spotting the bug, providing a patch and using GARNOME. :-)

Hmm, not sure about blocker.

Anyway, Immediate Priority, Target Milestone 2.6.
This needs to be looked into ASAP.

Comment 3 Patrick Ohly 2006-03-20 15:44:31 UTC

> Hmm, not sure about blocker.

Well, I suppose that depends on your release criteria. I'm pretty
sure it has caused some of the crashes that I encountered.

Comment 4 Karsten Bräckelmann 2006-03-20 16:07:43 UTC

Patrick, don't get me wrong. I just mentioned, I am not sure about the Severity. I did not say, it is not. ;)

In fact, please note -- I even raised the Priority and set a Target Mailestone, thus raising visibility for the developers. This sure needs to be looked into and fixed ASAP.

Comment 5 Veerapuram Varadhan 2006-03-20 16:26:30 UTC

Patch looks good to commit to both HEAD and gnome-2.14 stable branch.

Comment 6 André Klapper 2006-03-22 12:01:19 UTC

patch committed both to 2.6 (gnome-2-14) branch and to cvs head:

http://cvs.gnome.org/viewcvs/evolution/mail/em-utils.c?r1=1.79&r2=1.80
http://cvs.gnome.org/viewcvs/evolution/mail/em-utils.c?r1=1.78.2.1&r2=1.78.2.2

thanks a lot.

Comment 7 André Klapper 2006-03-22 12:08:00 UTC

*** Bug 326123 has been marked as a duplicate of this bug. ***

Comment 8 André Klapper 2006-03-22 12:11:34 UTC

*** Bug 335075 has been marked as a duplicate of this bug. ***

Comment 9 André Klapper 2006-03-22 12:11:43 UTC

*** Bug 335283 has been marked as a duplicate of this bug. ***

Comment 10 André Klapper 2006-03-24 20:41:40 UTC

*** Bug 335770 has been marked as a duplicate of this bug. ***

Comment 11 Kandepu Prasad 2008-08-07 09:23:02 UTC

*** Bug 334633 has been marked as a duplicate of this bug. ***