Bug 576439 - nautilus crash because of probable double g_free in brasero_medium_get_css_feature
Status: VERIFIED FIXED
Product: brasero
Classification: Applications
Component: libbrasero-media
Version: 2.26.0
Hardware/OS: Other Linux
Priority/Severity: Normal critical
Target Milestone: 2.26
Assigned To: Brasero maintainer(s)
QA Contact: Brasero maintainer(s)
Depends on:
Blocks:
Reported: 2009-03-23 16:26 UTC by Yann
Modified: 2009-03-24 10:29 UTC
See Also:
GNOME target: ---
GNOME version: 2.25/2.26

Description Yann 2009-03-23 16:26:45 UTC
Steps to reproduce:
I am very bad at C. Please take my analysis with precaution.

I think there is a double g_free in brasero_medium_get_css_feature:

static BraseroBurnResult
brasero_medium_get_css_feature (BraseroMedium *self,
				BraseroDeviceHandle *handle,
				BraseroScsiErrCode *code)
{
	BraseroScsiGetConfigHdr *hdr = NULL;
	BraseroMediumPrivate *priv;
	BraseroScsiResult result;
	int size;

	priv = BRASERO_MEDIUM_PRIVATE (self);

	BRASERO_MEDIA_LOG ("Testing for Css encrypted media");
	result = brasero_mmc2_get_configuration_feature (handle,
							 BRASERO_SCSI_FEAT_DVD_CSS,
							 &hdr,
							 &size,
							 code);

When calling brasero_mmc2_get_configuration_feature, hdr is NULL.
In brasero_mmc2_get_configuration_feature, hdr is *data.
After initializing *data:

	if ((*data) && BRASERO_GET_16 ((*data)->desc->code) != type) {
		BRASERO_MEDIA_LOG ("Wrong type returned %d", (*data)->desc->code);
		BRASERO_SCSI_SET_ERRCODE (error, BRASERO_SCSI_TYPE_MISMATCH);

		g_free (*data);
		*size = 0;
		return BRASERO_SCSI_FAILURE;
	}

*data is g_free()-ed,
and then the function returns BRASERO_SCSI_FAILURE.

Back in brasero_medium_get_css_feature:
        if (result != BRASERO_SCSI_OK) {
              g_free (hdr);

Whereas hdr was already "g_free"-ed.

When I remove the line, nautilus does not crash anymore.

A simple patch could be the following one:
diff --git a/libbrasero-media/brasero-medium.c b/libbrasero-media/brasero-medium.c
index 107c5b9..9e81641 100644
--- a/libbrasero-media/brasero-medium.c
+++ b/libbrasero-media/brasero-medium.c
@@ -2554,8 +2554,6 @@ brasero_medium_get_css_feature (BraseroMedium *self,
                                                         &size,
                                                         code);
        if (result != BRASERO_SCSI_OK) {
-               g_free (hdr);
-
                BRASERO_MEDIA_LOG ("GET CONFIGURATION failed");
                return BRASERO_BURN_ERR;
        }
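Review bot: dropping the caller's g_free (hdr) stops the crash, but the root cause stays in brasero_mmc2_get_configuration_feature (), which g_free()s *data on the type mismatch and returns BRASERO_SCSI_FAILURE while the caller's hdr still points at the freed block, so any caller that frees on failure hits the same double free. The callee's contract should be fixed too: either set *data = NULL right after the g_free (*data) so a later g_free is a harmless no-op, or work on a local pointer and only assign *data on success. With that in place this hunk is fine, since hdr remains NULL on the failure path and there is nothing to free.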


Stack trace:
$ nautilus
Initializing nautilus-share extension
*** glibc detected *** nautilus: double free or corruption (fasttop): 0x095f2580 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb74f1604]
/lib/tls/i686/cmov/libc.so.6(cfree+0x96)[0xb74f35b6]
/usr/lib/libglib-2.0.so.0(g_free+0x36)[0xb7981ff6]
/usr/local/lib/libbrasero-media.so.0[0xb51ad6b8]
/usr/local/lib/libbrasero-media.so.0[0xb51adaee]
/usr/lib/libglib-2.0.so.0[0xb79a466f]
/lib/tls/i686/cmov/libpthread.so.0[0xb75ec4ff]
/lib/tls/i686/cmov/libc.so.6(clone+0x5e)[0xb756649e]
======= Memory map: ========
08048000-081d8000 r-xp 00000000 08:01 228999     /usr/bin/nautilus
081d8000-081da000 r--p 0018f000 08:01 228999     /usr/bin/nautilus
081da000-081dd000 rw-p 00191000 08:01 228999     /usr/bin/nautilus
081dd000-081de000 rw-p 081dd000 00:00 0 
09497000-09949000 rw-p 09497000 00:00 0          [heap]
b4400000-b4421000 rw-p b4400000 00:00 0 
b4421000-b4500000 ---p b4421000 00:00 0 
b45f5000-b45f6000 ---p b45f5000 00:00 0 
b45f6000-b4df6000 rw-p b45f6000 00:00 0 
b4df6000-b519b000 r--p 00000000 08:01 425290     /usr/share/icons/hicolor/icon-theme.cache
b519b000-b51ba000 r-xp 00000000 08:01 311484     /usr/local/lib/libbrasero-media.so.0.1.1
b51ba000-b51bb000 r--p 0001e000 08:01 311484     /usr/local/lib/libbrasero-media.so.0.1.1
b51bb000-b51bc000 rw-p 0001f000 08:01 311484     /usr/local/lib/libbrasero-media.so.0.1.1
b51d0000-b51e5000 r-xp 00000000 08:01 229046     /usr/lib/libevdocument.so.1.0.0
b51e5000-b51e6000 ---p 00015000 08:01 229046     /usr/lib/libevdocument.so.1.0.0
b51e6000-b51e7000 r--p 00015000 08:01 229046     /usr/lib/libevdocument.so.1.0.0
b51e7000-b51e8000 rw-p 00016000 08:01 229046     /usr/lib/libevdocument.so.1.0.0
b51f5000-b51fa000 r-xp 00000000 08:01 278783     /usr/lib/nautilus/extensions-2.0/libnautilus-brasero-extension.so
b51fa000-b51fb000 r--p 00004000 08:01 278783     /usr/lib/nautilus/extensions-2.0/libnautilus-brasero-extension.so
b51fb000-b51fc000 rw-p 00005000 08:01 278783     /usr/lib/nautilus/extensions-2.0/libnautilus-brasero-extension.so
b51fc000-b51fe000 r-xp 00000000 08:01 392519     /lib/libkeyutils-1.2.so
b51fe000-b51ff000 r--p 00001000 08:01 392519     /lib/libkeyutils-1.2.so
b51ff000-b5200000 rw-p 00002000 08:01 392519     /lib/libkeyutils-1.2.so
b5200000-b5207000 r-xp 00000000 08:01 231116     /usr/lib/libkrb5support.so.0.1
b5207000-b5208000 r--p 00006000 08:01 231116     /usr/lib/libkrb5support.so.0.1
b5208000-b5209000 rw-p 00007000 08:01 231116     /usr/lib/libkrb5support.so.0.1
b5209000-b5232000 r-xp 00000000 08:01 230963     /usr/lib/libgssapi_krb5.so.2.2
b5232000-b5233000 r--p 00028000 08:01 230963     /usr/lib/libgssapi_krb5.so.2.2
b5233000-b5234000 rw-p 00029000 08:01 230963     /usr/lib/libgssapi_krb5.so.2.2
b5234000-b5236000 r-xp 00000000 08:01 392496     /lib/libcom_err.so.2.1
b5236000-b5237000 r--p 00001000 08:01 392496     /lib/libcom_err.so.2.1
b5237000-b5238000 rw-p 00002000 08:01 392496     /lib/libcom_err.so.2.1
b5238000-b525a000 r-xp 00000000 08:01 231108     /usr/lib/libk5crypto.so.3.1
b525a000-b525b000 r--p 00022000 08:01 231108     /usr/lib/libk5crypto.so.3.1
b525b000-b525c000 rw-p 00023000 08:01 231108     /usr/lib/libk5crypto.so.3.1
b525c000-b52eb000 r-xp 00000000 08:01 231114     /usr/lib/libkrb5.so.3.3
b52eb000-b52ed000 r--p 0008e000 08:01 231114     /usr/lib/libkrb5.so.3.3
b52ed000-b52ee000 rw-p 00090000 08:01 231114     /usr/lib/libkrb5.so.3.3
b52ee000-b5320000 r-xp 00000000 08:01 231202     /usr/lib/libnspr4.so
b5320000-b5321000 r--p 00031000 08:01 231202     /usr/lib/libnspr4.so
b5321000-b5322000 rw-p 00032000 08:01 231202     /usr/lib/libnspr4.so
b5322000-b5324000 rw-p b5322000 00:00 0 
b5324000-b5327000 r-xp 00000000 08:01 231267     /usr/lib/libplc4.so
b5327000-b5328000 r--p 00002000 08:01 231267     /usr/lib/libplc4.so
b5328000-b5329000 rw-p 00003000 08:01 231267     /usr/lib/libplc4.so
b5329000-b532b000 r-xp 00000000 08:01 231269     /usr/lib/libplds4.so
b532b000-b532c000 r--p 00001000 08:01 231269     /usr/lib/libplds4.so
b532c000-b532d000 rw-p 00002000 08:01 231269     /usr/lib/Aborted (core dumped)


Other information:
See https://bugs.launchpad.net/ubuntu/+source/brasero/+bug/339993 for more traces.
Comment 1 Sebastien Bacher 2009-03-23 18:15:24 UTC
There are quite a few duplicates of this bug on Launchpad; it makes nautilus get restarted quickly by gnome-session and is quite confusing for users.
Comment 2 Philippe Rouquier 2009-03-23 19:50:07 UTC
Thanks a lot for your analysis and your patch. For someone who said that he isn't good at C, you seem to have a bright future =).
That will be fixed in the next release.
I used your patch which is good but I fixed brasero_mmc2_get_configuration_feature () as well since it shouldn't change the value of data if it returns an error. Now it should work in trunk.
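As an added illustration, not code from brasero or from anyone on this report, the following C program models the ownership bug Yann describes in the description and the contract fix Philippe mentions above. A tiny instrumented allocator records live blocks, so the second free is counted rather than aborting the process the way glibc did in the backtrace. All names (feat_hdr, get_feature_buggy, get_feature_fixed, tracked_alloc, tracked_free, query_css_feature) and the feature codes are hypothetical stand-ins for the brasero identifiers.

```c
/* Added example, not brasero's own code: a model of the double free in this
 * report. The allocator tracks live pointers so a second free is counted
 * instead of corrupting the heap. Names and feature codes are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

enum { FEAT_OK = 0, FEAT_FAILURE = 1 };

typedef struct {
    unsigned code;          /* feature code the (simulated) drive answered with */
    char payload[16];
} feat_hdr;

#define MAX_LIVE 16
static void *live[MAX_LIVE];   /* currently allocated blocks */
static int double_free_count;  /* frees of a pointer that was not live */

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);                   /* table full: treat as allocation failure */
    return NULL;
}

/* Like g_free(): NULL is a no-op. A pointer not in the live table was
 * already freed, so it is counted instead of being passed to free() again. */
static void tracked_free(void *p)
{
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_free_count++;
}

static int live_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) if (live[i]) n++;
    return n;
}

static unsigned simulated_reply_code;   /* what the fake drive reports */

/* Buggy contract, as in the report: on a type mismatch the callee frees
 * *data but leaves the caller's pointer aimed at the freed block. */
static int get_feature_buggy(unsigned want, feat_hdr **data, int *size)
{
    *data = tracked_alloc(sizeof **data);
    if (!*data) return FEAT_FAILURE;
    (*data)->code = simulated_reply_code;
    *size = (int)sizeof **data;
    if ((*data)->code != want) {
        tracked_free(*data);   /* *data now dangles */
        *size = 0;
        return FEAT_FAILURE;
    }
    return FEAT_OK;
}

/* Fixed contract, as the maintainer describes it: work on a local pointer and
 * hand ownership to the caller only on success, so *data is never modified
 * when an error is returned. */
static int get_feature_fixed(unsigned want, feat_hdr **data, int *size)
{
    feat_hdr *hdr = tracked_alloc(sizeof *hdr);
    if (!hdr) return FEAT_FAILURE;
    hdr->code = simulated_reply_code;
    if (hdr->code != want) {
        tracked_free(hdr);
        *size = 0;
        return FEAT_FAILURE;
    }
    *data = hdr;
    *size = (int)sizeof *hdr;
    return FEAT_OK;
}

/* Caller written like the original brasero_medium_get_css_feature(): hdr starts
 * NULL and is freed on failure as well as after use. Returns the number of
 * double frees the run triggered. */
static int query_css_feature(int (*get)(unsigned, feat_hdr **, int *),
                             unsigned drive_reply, unsigned want)
{
    feat_hdr *hdr = NULL;
    int size = 0;
    simulated_reply_code = drive_reply;
    double_free_count = 0;
    if (get(want, &hdr, &size) != FEAT_OK) {
        tracked_free(hdr);     /* only safe if the callee left hdr NULL */
        return double_free_count;
    }
    tracked_free(hdr);
    return double_free_count;
}

int main(void)
{
    /* Constructed codes: the drive answers 0x0107 when 0x0106 was requested. */
    printf("buggy callee, mismatch: %d double free(s)\n",
           query_css_feature(get_feature_buggy, 0x0107, 0x0106));
    printf("fixed callee, mismatch: %d double free(s)\n",
           query_css_feature(get_feature_fixed, 0x0107, 0x0106));
    printf("fixed callee, match:    %d double free(s), %d block(s) leaked\n",
           query_css_feature(get_feature_fixed, 0x0106, 0x0106), live_count());
    return 0;
}
```

The buggy callee triggers exactly one detected double free on the mismatch path, the fixed callee none, and no blocks are leaked in either variant; real builds get the same signal from AddressSanitizer or glibc's own check, but this version keeps the process alive so the two contracts can be compared in one run.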
Comment 3 Yann 2009-03-24 10:28:37 UTC
"I fixed brasero_mmc2_get_configuration_feature () as well since it shouldn't change the value of data if it returns an error."
-> very clean design.

I tested the version on branch gnome-2-26 and I can confirm that the bug is fixed.

Thank you for the quick fix!