Bug 373092 - gtkhtml - off by one error when g_malloc'ing
Status: RESOLVED FIXED
Product: GtkHtml
Classification: Other
Component: Printing
Version: 3.12.x
OS: Other Linux
Priority: High
Severity: critical
Target Milestone: 2.8
Assigned To: gtkhtml-maintainers
QA Contact: Evolution QA team
Duplicates: 354497 364990
Depends on:
Blocks:
Reported: 2006-11-09 19:16 UTC by John N. Laliberte
Modified: 2008-03-06 04:01 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
gtkhtml-3.12.1-off_by_one.patch (366 bytes, patch), 2006-11-09 19:16 UTC, John N. Laliberte, status: committed

Description John N. Laliberte 2006-11-09 19:16:10 UTC
Here is a link to the bug filed with us (Gentoo); however, it lacks gtkhtml symbols (below you can find my traces with gtkhtml symbols):
http://bugs.gentoo.org/153477

This problem was originally seen in evolution while using the memos.

The problem is in src/gtkhtml-stream.c (around line 106):

    len = strlen (result_string);
    g_free (result_string);

    if (len < 8192)
        buf = alloca (len);

    if (buf == NULL)
        buf = mbuf = g_malloc (len);

You can see that if the result_string has a '\0' on the end, the len will be one short (because strlen doesn't count '\0').

This causes various crashes. A couple of the backtraces (truncated) are:
--backtrace 1
#0  __kernel_vsyscall
#1  raise from /lib/libc.so.6
#2  abort from /lib/libc.so.6
#3  __fsetlocking from /lib/libc.so.6
#4  malloc_usable_size from /lib/libc.so.6
#5  free from /lib/libc.so.6
#6  IA__g_free at gmem.c line 187
#7  gtk_html_stream_vprintf at gtkhtml-stream.c line 111
#8  gtk_html_stream_printf at gtkhtml-stream.c line 124
#9  write_html at e-cal-component-memo-preview.c line 240
#10 e_cal_component_memo_preview_display at e-cal-component-memo-preview.c line 378

--backtrace 2
#6  IA__g_free at gmem.c line 187
#7  destroy at htmltext.c line 2268
#8  html_object_destroy at htmlobject.c line 1025
#9  destroy at htmlclue.c line 51
#10 destroy at htmlclueflow.c line 107
#11 html_object_destroy at htmlobject.c line 1025
#12 destroy at htmlclue.c line 51
#13 html_cluev_destroy at htmlcluev.c line 908
#14 html_object_destroy at htmlobject.c line 1025
#15 destroy at htmltable.c line 93
#16 html_object_destroy at htmlobject.c line 1025
#17 destroy at htmlclue.c line 51
#18 destroy at htmlclueflow.c line 107
#19 html_object_destroy at htmlobject.c line 1025
#20 destroy at htmlclue.c line 51
#21 html_cluev_destroy at htmlcluev.c line 908
#22 html_object_destroy at htmlobject.c line 1025
#23 html_engine_parse at htmlengine.c line 5006

In valgrind, you can easily see this:
==11209== Invalid write of size 1
==11209==    at 0x4996DD2: vsprintf (in /lib/libc-2.5.so)
==11209==    by 0x4AA6173: gtk_html_stream_vprintf (gtkhtml-stream.c:108)
==11209==    by 0x4AA61DB: gtk_html_stream_printf (gtkhtml-stream.c:124)
==11209==    by 0x6B81ACE: write_html (e-cal-component-memo-preview.c:240)
==11209==    by 0x6B82369: e_cal_component_memo_preview_display (e-cal-component-memo-preview.c:378)
==11209==    by 0x6BD2EAC: table_cursor_change_cb (e-memos.c:156)
==11209==    by 0x48708DE: g_cclosure_marshal_VOID(i_xx_t) (gmarshal.c:216)
==11209==    by 0x4857926: g_closure_invoke (gclosure.c:490)
==11209==    by 0x486FA7F: signal_emit_unlocked_R (gsignal.c:2440)
==11209==    by 0x486EBE9: g_signal_emit_valist (gsignal.c:2199)
==11209==    by 0x486EEF4: g_signal_emit (gsignal.c:2243)
==11209==    by 0x4D99722: group_cursor_change (e-table.c:758)

==11209==  Address 0x78EDFCC is 0 bytes after a block of size 9,156 alloc'd
==11209==    at 0x40213FD: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==11209==    by 0x48C4ECC: g_malloc (gmem.c:131)
==11209==    by 0x4AA6151: gtk_html_stream_vprintf (gtkhtml-stream.c:106)
==11209==    by 0x4AA61DB: gtk_html_stream_printf (gtkhtml-stream.c:124)
==11209==    by 0x6B81ACE: write_html (e-cal-component-memo-preview.c:240)
==11209==    by 0x6B82369: e_cal_component_memo_preview_display (e-cal-component-memo-preview.c:378)
==11209==    by 0x6BD2EAC: table_cursor_change_cb (e-memos.c:156)
==11209==    by 0x48708DE: g_cclosure_marshal_VOID(i_xx_t) (gmarshal.c:216)
==11209==    by 0x4857926: g_closure_invoke (gclosure.c:490)
==11209==    by 0x486FA7F: signal_emit_unlocked_R (gsignal.c:2440)
==11209==    by 0x486EBE9: g_signal_emit_valist (gsignal.c:2199)
==11209==    by 0x486EEF4: g_signal_emit (gsignal.c:2243)

There are a bunch of bugs (open/resolved/needinfo) with similar backtraces (assigned to evolution component mostly) so you will probably want to dupe them here.

Attached is a patch, although you will probably want to make it more robust before committing.

Please contact me if you need any more information.
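The sizing mistake described in the report and its fix, as an added example that is neither the gtkhtml source nor the attached patch. It is plain C rather than GLib: vsnprintf(NULL, 0, ...) stands in for g_strdup_vprintf plus strlen, malloc for g_malloc, and the alloca path is left out. All function names below are invented for the illustration; the valgrind block size 9,156 used in the comments is the one quoted in the report.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two sizing rules side by side.  The report's code used the first:
   strlen() does not count the terminating NUL, but the printf family always
   writes one, so a block of strlen() bytes is exactly one byte too small. */
size_t buggy_alloc_size(const char *formatted)
{
    return strlen(formatted);
}

size_t fixed_alloc_size(const char *formatted)
{
    return strlen(formatted) + 1;   /* room for the NUL */
}

/* Mirrors valgrind's "Invalid write of size 1 ... 0 bytes after a block":
   returns 1 when a string of str_len bytes plus its NUL would not fit in a
   block of block_size bytes.  For the report's case, str_len == block_size
   == 9156, so the NUL lands one byte past the end. */
int nul_write_overflows(size_t block_size, size_t str_len)
{
    return str_len + 1 > block_size;
}

/* Hardened version of the allocate-then-print pattern.  The output is
   measured first, the block is sized len + 1, and the final vsnprintf is
   bounded by that size so it can never write past the block.  On success
   *out_size receives the block size and a malloc'd string is returned
   (caller frees it); NULL is returned on error. */
char *format_to_heap(size_t *out_size, const char *fmt, ...)
{
    va_list ap, ap_copy;
    va_start(ap, fmt);
    va_copy(ap_copy, ap);

    int len = vsnprintf(NULL, 0, fmt, ap);   /* length without the NUL */
    va_end(ap);
    if (len < 0) {
        va_end(ap_copy);
        return NULL;
    }

    size_t size = (size_t)len + 1;           /* the "+ 1" is the fix */
    char *buf = malloc(size);
    if (buf == NULL) {
        va_end(ap_copy);
        return NULL;
    }

    vsnprintf(buf, size, fmt, ap_copy);      /* writes at most size bytes */
    va_end(ap_copy);

    if (out_size != NULL)
        *out_size = size;
    return buf;
}

int main(void)
{
    /* constructed sample input, not taken from the report */
    size_t size = 0;
    char *s = format_to_heap(&size, "<b>%s</b> #%d", "memo", 42);
    if (s == NULL)
        return 1;
    printf("formatted \"%s\": strlen=%zu, block=%zu, strlen-only size would be %zu\n",
           s, strlen(s), size, buggy_alloc_size(s));
    free(s);
    return 0;
}
```

The fix is the single "+ 1" when sizing the block; the bounded vsnprintf is a second line of defence so that even a wrong size cannot turn into a heap write past the allocation, which is what the valgrind report shows happening inside vsprintf.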
Comment 1 John N. Laliberte 2006-11-09 19:16:46 UTC
Created attachment 76293
gtkhtml-3.12.1-off_by_one.patch
Comment 2 André Klapper 2006-11-09 21:40:39 UTC
good catch, confirming.
Comment 3 Kjartan Maraas 2006-11-21 18:43:03 UTC
*** Bug 364990 has been marked as a duplicate of this bug. ***
Comment 4 Srinivasa Ragavan 2007-01-08 07:23:22 UTC
Nice. Please commit.
Comment 5 Kjartan Maraas 2007-01-25 14:49:54 UTC
I committed this on HEAD. Should it go on the stable branch as well?
Comment 6 Kjartan Maraas 2007-01-25 15:11:48 UTC
*** Bug 354497 has been marked as a duplicate of this bug. ***
Comment 7 Kjartan Maraas 2007-01-29 10:02:12 UTC
I put it in on the stable branch too now.
Comment 8 Suman Manjunath 2008-03-06 04:01:54 UTC
Changing status of a 'committed' patch.