Bug 393312 - libsmooth.so corrupts memory
Status: RESOLVED FIXED
Product: gtk-engines
Classification: Deprecated
Component: smooth
Version: 2.8.x
OS: Other Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: gtk-engines maintainers
QA Contact: gtk-engines maintainers
Duplicates: 410667 (view as bug list)
Depends on:
Blocks:
Reported: 2007-01-05 23:02 UTC by Colin Leroy
Modified: 2007-02-22 14:20 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
- gtkrc file triggering the crash (6.25 KB, text/plain), 2007-01-05 23:04 UTC, Colin Leroy
- valgrind log (2.21 KB, text/plain), 2007-01-05 23:04 UTC, Colin Leroy
- fix patch, probably wrong (814 bytes, patch), 2007-01-05 23:05 UTC, Colin Leroy [rejected]
- Patch to fix this (2.62 KB, patch), 2007-01-14 13:24 UTC, Benjamin Berg [committed]

Description Colin Leroy 2007-01-05 23:02:42 UTC
Hi, under some circumstances, libsmooth corrupts memory. With help from users, I managed to get a reproducible test case.

a) get Claws-Mail (or Sylpheed-Claws)
b) get the to-be-attached gtkrc-smooth-crash file and include it in ~/.gtkrc-2.0 (this file is shipped as /usr/share/themes/Glider/gtk-2.0/gtkrc from the gnome-themes package version 2.14.3; the file is different in 2.16.1 and doesn't trigger the crash)
c) run claws-mail, crash ensues.

I'll attach an excerpt from the valgrind report, the gtkrc-smooth-crash gtkrc file and a test patch, which I'm sure is broken, but at least silences valgrind.
Comment 1 Colin Leroy 2007-01-05 23:04:01 UTC
Created attachment 79487 [details]
gtkrc file triggering the crash
Comment 2 Colin Leroy 2007-01-05 23:04:36 UTC
Created attachment 79488 [details]
valgrind log
Comment 3 Colin Leroy 2007-01-05 23:05:40 UTC
Created attachment 79489 [details] [review]
fix patch, probably wrong
Comment 5 Benjamin Berg 2007-01-07 13:42:34 UTC
Hm, looks like this is caused by the leak fix I did a few months ago as part of the following commit. This commit added the g_free which is causing a double free somehow.
I wonder why the pointer is not NULL if the data has been freed earlier.

2006-11-10  Benjamin Berg  <benjamin@sipsolutions.net>

	* engines/clearlooks/src/clearlooks_style.c:
	(clearlooks_style_draw_flat_box):
	- possible crash bug

	* engines/smooth/src/engine/shared/gtk/smooth_gtk_rc.c:
	(smooth_arrow_merge):
	- fix a leak that happened when rc styles were merged
Comment 6 Benjamin Berg 2007-01-07 15:50:45 UTC
I think the memcpy is the problem. It not only copies all the options, but also the pointer to the arrow. As the arrow does not have any refcounting or similar, we need to create a new one and copy its data separately.
Comment 7 Colin Leroy 2007-01-07 18:22:07 UTC
Benjamin: That's what I thought too, but got lost trying to fix it correctly. Two things are dangerous in that function IMHO:

- g_free()ing a struct member and not setting it to NULL afterwards
- memcpy()ing a struct that contains pointers to dynamically allocated stuff
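The two hazards listed in the comment above, shown side by side in an added C example that is not part of this bug report or of the gtk-engines code base. The struct and function names (ArrowStyle, ArrowData, merge_shallow, merge_deep, arrows_aliased) are hypothetical stand-ins for the smooth engine's rc-style data, and plain libc malloc/free are used in place of GLib's g_malloc/g_free so the file builds without GLib.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a theme "arrow" description: heap-owned data
 * referenced from an rc-style struct.  Names are made up for this example. */
typedef struct {
    int    style;
    double width;
} ArrowData;

typedef struct {
    int        edge_thickness; /* plain value members: memcpy copies them fine */
    int        fill_type;
    ArrowData *arrow;          /* owned heap pointer: memcpy copies the address */
} ArrowStyle;

static ArrowData *arrow_new(int style, double width)
{
    ArrowData *a = malloc(sizeof *a);
    if (!a) abort();
    a->style = style;
    a->width = width;
    return a;
}

/* The pattern the report describes: free the destination's arrow, then
 * memcpy the whole struct, so dst->arrow now silently aliases src->arrow.
 * Whichever style is cleared second frees the same block a second time. */
void merge_shallow(ArrowStyle *dst, const ArrowStyle *src)
{
    free(dst->arrow);              /* freed but not NULLed ...              */
    memcpy(dst, src, sizeof *dst); /* ... and now shared with src           */
}

/* Deep-copy version: copy the value members, then give dst its own
 * ArrowData.  NULLing after free makes a later second free a no-op. */
void merge_deep(ArrowStyle *dst, const ArrowStyle *src)
{
    free(dst->arrow);
    dst->arrow = NULL;
    dst->edge_thickness = src->edge_thickness;
    dst->fill_type      = src->fill_type;
    if (src->arrow)
        dst->arrow = arrow_new(src->arrow->style, src->arrow->width);
}

/* 1 if both styles point at the same ArrowData allocation (double-free hazard). */
int arrows_aliased(const ArrowStyle *a, const ArrowStyle *b)
{
    return a->arrow != NULL && a->arrow == b->arrow;
}

void style_clear(ArrowStyle *s)
{
    free(s->arrow);
    s->arrow = NULL;
}

/* Runs both merges. Returns 1 when the shallow merge produced an aliased
 * pointer and the deep merge produced an independent, equal copy. */
int demo(void)
{
    ArrowStyle src  = {2, 1, arrow_new(1, 2.0)};
    ArrowStyle dst  = {0, 0, arrow_new(0, 0.5)};
    ArrowStyle dst2 = {0, 0, arrow_new(0, 0.5)};

    merge_shallow(&dst, &src);
    int shallow_aliased = arrows_aliased(&dst, &src);
    /* Clearing both dst and src here would free one block twice (undefined
     * behaviour).  Drop dst's copy of the pointer to keep the demo defined. */
    dst.arrow = NULL;

    merge_deep(&dst2, &src);
    int deep_aliased = arrows_aliased(&dst2, &src);
    int deep_equal   = dst2.arrow->style == src.arrow->style &&
                       dst2.arrow->width == src.arrow->width;

    style_clear(&src);
    style_clear(&dst2); /* safe: separate allocation */
    style_clear(&dst);  /* no-op: pointer is NULL     */

    return shallow_aliased && !deep_aliased && deep_equal;
}

int main(void)
{
    puts(demo() ? "shallow merge aliases the arrow; deep merge does not"
                : "unexpected result");
    return 0;
}
```

Build with `cc -Wall -o merge merge.c`. If you remove the `dst.arrow = NULL;` line after the shallow merge, the two `style_clear` calls free the same block twice and valgrind reports it as an invalid free; with the deep merge each style owns its own ArrowData and the clears are independent.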
Comment 8 Benjamin Berg 2007-01-14 13:24:16 UTC
Created attachment 80233 [details] [review]
Patch to fix this

This patch seems to fix things up.
Comment 9 Colin Leroy 2007-01-17 20:28:37 UTC
Benjamin,

I confirm that your patch in Comment #8 fixes the crash for me.
Comment 10 Benjamin Berg 2007-01-17 20:57:37 UTC
Thanks for testing it. I committed the patch to both 2-8 and HEAD.
Comment 11 Will Keaney 2007-02-22 14:20:52 UTC
*** Bug 410667 has been marked as a duplicate of this bug. ***