GNOME Bugzilla – Bug 576439
nautilus crash because of probable double g_free in brasero_medium_get_css_feature
Last modified: 2009-03-24 10:29:28 UTC
Steps to reproduce:
I am very bad at C. Please take my analysis with precautions.

I think there is a double g_free in brasero_medium_get_css_feature:

  static BraseroBurnResult
  brasero_medium_get_css_feature (BraseroMedium *self,
                                  BraseroDeviceHandle *handle,
                                  BraseroScsiErrCode *code)
  {
          BraseroScsiGetConfigHdr *hdr = NULL;
          BraseroMediumPrivate *priv;
          BraseroScsiResult result;
          int size;

          priv = BRASERO_MEDIUM_PRIVATE (self);

          BRASERO_MEDIA_LOG ("Testing for Css encrypted media");
          result = brasero_mmc2_get_configuration_feature (handle,
                                                           BRASERO_SCSI_FEAT_DVD_CSS,
                                                           &hdr,
                                                           &size,
                                                           code);

When calling brasero_mmc2_get_configuration_feature, hdr is NULL.
In brasero_mmc2_get_configuration_feature, hdr is *data. After initializing *data:

          if ((*data) && BRASERO_GET_16 ((*data)->desc->code) != type) {
                  BRASERO_MEDIA_LOG ("Wrong type returned %d", (*data)->desc->code);
                  BRASERO_SCSI_SET_ERRCODE (error, BRASERO_SCSI_TYPE_MISMATCH);
                  g_free (*data);
                  *size = 0;
                  return BRASERO_SCSI_FAILURE;
          }

*data is g_free'd, and then the function returns BRASERO_SCSI_FAILURE.

Back in brasero_medium_get_css_feature:

          if (result != BRASERO_SCSI_OK) {
                  g_free (hdr);

whereas hdr was already "g_free"-ed. When I remove the line, nautilus does not crash anymore.

A simple patch could be the following one:

diff --git a/libbrasero-media/brasero-medium.c b/libbrasero-media/brasero-medium.c index 107c5b9..9e81641 100644 --- a/libbrasero-media/brasero-medium.c +++ b/libbrasero-media/brasero-medium.c
@@ -2554,8 +2554,6 @@ brasero_medium_get_css_feature (BraseroMedium *self, &size, code); if (result != BRASERO_SCSI_OK) { - g_free (hdr); - BRASERO_MEDIA_LOG ("GET CONFIGURATION failed"); return BRASERO_BURN_ERR; }

Stack trace:

  $ nautilus
  Initializing nautilus-share extension
  *** glibc detected *** nautilus: double free or corruption (fasttop): 0x095f2580 ***
  ======= Backtrace: =========
  /lib/tls/i686/cmov/libc.so.6[0xb74f1604]
  /lib/tls/i686/cmov/libc.so.6(cfree+0x96)[0xb74f35b6]
  /usr/lib/libglib-2.0.so.0(g_free+0x36)[0xb7981ff6]
  /usr/local/lib/libbrasero-media.so.0[0xb51ad6b8]
  /usr/local/lib/libbrasero-media.so.0[0xb51adaee]
  /usr/lib/libglib-2.0.so.0[0xb79a466f]
  /lib/tls/i686/cmov/libpthread.so.0[0xb75ec4ff]
  /lib/tls/i686/cmov/libc.so.6(clone+0x5e)[0xb756649e]
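Review bot: removing `g_free (hdr)` from the error path fixes this double free only because brasero_mmc2_get_configuration_feature frees *data itself on the type-mismatch branch; after this hunk the caller silently depends on every failure return of that function leaving *data freed or never allocated, otherwise the buffer leaks. Make the ownership rule explicit on the callee side instead, either by not touching *data when it returns an error (the fix the maintainer describes in a later comment) or by setting `*data = NULL` right after `g_free (*data)`, so a caller's `g_free (hdr)` on failure is a harmless no-op and the removed line could have stayed.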
  Aborted (core dumped)

Other information:
See https://bugs.launchpad.net/ubuntu/+source/brasero/+bug/339993 for more trace
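The ownership mistake described in this report, as an added example that is not brasero's code: a callee that fills an out-parameter and a caller that frees it on failure, written to the contract where the callee resets the pointer after freeing it. The simulated drive reply, the struct and the feature code value are all constructed for the example.

```c
#include <stdlib.h>
#include <stdint.h>

/* Added example modelling the double free from this report; not brasero's
 * code. The callee owns *data on its error paths and must say so. */
enum { RESULT_OK = 0, RESULT_FAILURE = -1 };
#define WANTED_CODE 0x0106   /* constructed sample feature code */

struct feature_hdr {
    uint16_t code;           /* feature code in the simulated drive reply */
    uint8_t  payload[6];
};

/* Simulated drive reply: a fresh buffer carrying `drive_code`. */
static struct feature_hdr *simulated_drive_reply(uint16_t drive_code)
{
    struct feature_hdr *h = calloc(1, sizeof *h);
    if (h)
        h->code = drive_code;
    return h;
}

/* Fixed contract: on every error return *data is NULL, so free(*data) in
 * the caller is a no-op instead of a second free of the same block. */
static int get_configuration_feature(uint16_t drive_code, uint16_t wanted,
                                     struct feature_hdr **data)
{
    *data = simulated_drive_reply(drive_code);
    if (*data == NULL)
        return RESULT_FAILURE;
    if ((*data)->code != wanted) {
        free(*data);
        *data = NULL;        /* the reset the original callee was missing */
        return RESULT_FAILURE;
    }
    return RESULT_OK;
}

/* Caller shaped like brasero_medium_get_css_feature: frees hdr on failure.
 * Returns 1 if the feature was found, 0 otherwise, without a double free. */
int probe_feature(uint16_t drive_code)
{
    struct feature_hdr *hdr = NULL;
    if (get_configuration_feature(drive_code, WANTED_CODE, &hdr) != RESULT_OK) {
        free(hdr);           /* safe: hdr is guaranteed NULL here */
        return 0;
    }
    free(hdr);
    return 1;
}
```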
There are quite a few duplicates of this bug on launchpad; it makes nautilus get restarted quickly by gnome-session, which is quite confusing for users.
Thanks a lot for your analysis and your patch. For someone who said that he isn't good at C, you seem to have a bright future =). That will be fixed for the next release. I used your patch, which is good, but I fixed brasero_mmc2_get_configuration_feature () as well since it shouldn't change the value of data if it returns an error. Now it should work in trunk.
"I fixed brasero_mmc2_get_configuration_feature () as well since it shouldn't change the value of data if it returns an error." -> very clean design. I tested the version on branch gnome-2-26 and I can confirm that the bug is fixed. Thank you for the quick fix!