Bug 677736 - [PATCH] fix use-after-free in get_file_content_as_base64()
Status: RESOLVED FIXED
Product: epiphany
Classification: Core
Component: Backend
Version: unspecified
Hardware/OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: Xan Lopez
QA Contact: Epiphany Maintainers
Depends on:
Blocks:
 
 
Reported: 2012-06-08 22:19 UTC by Dan Williams
Modified: 2012-06-11 09:23 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Fix use-after-free in get_file_content_as_base64() (3.00 KB, patch)
2012-06-08 22:19 UTC, Dan Williams
Status: committed

Description Dan Williams 2012-06-08 22:19:07 UTC
Created attachment 216006
Fix use-after-free in get_file_content_as_base64()

Fixes a segfault on a Via Esther 32-bit system I have after mistyping a URL.  Odd that this would trigger now instead of earlier, since the affected code is from 2009.  Valgrind trace:

==1916== Invalid read of size 1
==1916==    at 0x38CBA7B328: _IO_default_xsputn (in /lib64/libc-2.14.90.so)
==1916==    by 0x38CBA4B3A7: vfprintf (in /lib64/libc-2.14.90.so)
==1916==    by 0x38CBB084B0: __vasprintf_chk (in /lib64/libc-2.14.90.so)
==1916==    by 0x38CDA8A44A: g_vasprintf (stdio2.h:199)
==1916==    by 0x38CDA69B0C: g_strdup_vprintf (gstrfuncs.c:509)
==1916==    by 0x38CDA69BAB: g_strdup_printf (gstrfuncs.c:535)
==1916==    by 0x47EA57: ephy_web_view_load_error_page (ephy-web-view.c:1978)
==1916==    by 0x47F6B2: load_error_cb (ephy-web-view.c:2119)
==1916==    by 0x38E8E7753F: webkit_marshal_BOOLEAN__OBJECT_STRING_POINTER (in /usr/lib64/libwebkitgtk-3.0.so.0.11.0)
==1916==    by 0x38CEA11381: g_closure_invoke (gclosure.c:777)
==1916==    by 0x38CEA23132: signal_emit_unlocked_R (gsignal.c:3547)
==1916==    by 0x38CEA2AEE1: g_signal_emit_valist (gsignal.c:3306)
==1916==  Address 0x4f02040 is 0 bytes inside a block of size 10 free'd
==1916==    at 0x4A0662E: free (vg_replace_malloc.c:366)
==1916==    by 0x38CDA5513E: g_free (gmem.c:252)
==1916==    by 0x38D1255908: _g_file_attribute_value_clear (gfileattribute.c:245)
==1916==    by 0x38D125A078: g_file_info_finalize (gfileinfo.c:324)
==1916==    by 0x38CEA1670F: g_object_unref (gobject.c:3018)
==1916==    by 0x47EA05: ephy_web_view_load_error_page (ephy-web-view.c:1974)
==1916==    by 0x47F6B2: load_error_cb (ephy-web-view.c:2119)
==1916==    by 0x38E8E7753F: webkit_marshal_BOOLEAN__OBJECT_STRING_POINTER (in /usr/lib64/libwebkitgtk-3.0.so.0.11.0)
==1916==    by 0x38CEA11381: g_closure_invoke (gclosure.c:777)
==1916==    by 0x38CEA23132: signal_emit_unlocked_R (gsignal.c:3547)
==1916==    by 0x38CEA2AEE1: g_signal_emit_valist (gsignal.c:3306)
==1916==    by 0x38CEA2BE83: g_signal_emit_by_name (gsignal.c:3389)

The line numbers are from Epiphany 3.2.1, and match up like so inside get_file_content_as_base64():

1974:  g_object_unref (file_info);
1978:  image64 = g_strdup_printf ("data:%s;base64,%s", image_type, image_data);
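The trace above pins the bug to ordering: the GFileInfo is unref'd at line 1974, and the content-type string it owns is then passed to g_strdup_printf at line 1978, so vfprintf reads a freed 10-byte block (the free site is _g_file_attribute_value_clear, i.e. the attribute storage behind the content type). The following is an added illustration, not Epiphany's code and not the committed patch: it models the same lifetime mistake in plain C with a hypothetical refcounted FileInfo standing in for GFileInfo, a local base64 routine standing in for g_base64_encode, and snprintf standing in for g_strdup_printf. The assumption that image_type was the borrowed return of g_file_info_get_content_type() is inferred from the trace, not stated in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for GFileInfo (not GLib): a refcounted object that
 * owns its content-type string, so dropping the last reference frees it. */
typedef struct {
    int ref_count;
    char *content_type;
} FileInfo;

static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

FileInfo *file_info_new(const char *content_type) {
    FileInfo *info = malloc(sizeof *info);
    if (!info) return NULL;
    info->ref_count = 1;
    info->content_type = xstrdup(content_type);
    if (!info->content_type) { free(info); return NULL; }
    return info;
}

void file_info_unref(FileInfo *info) {
    if (--info->ref_count == 0) {
        free(info->content_type);   /* a borrowed image_type pointer dies here */
        free(info);
    }
}

/* Plain base64 (RFC 4648 alphabet, '=' padding); stands in for g_base64_encode. */
char *base64_encode(const unsigned char *in, size_t len) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    char *out = malloc(4 * ((len + 2) / 3) + 1);
    if (!out) return NULL;
    size_t i = 0, o = 0;
    while (i < len) {
        unsigned int b0 = in[i++];
        unsigned int b1 = i < len ? in[i++] : 0;
        unsigned int b2 = i < len ? in[i++] : 0;
        unsigned int triple = (b0 << 16) | (b1 << 8) | b2;
        out[o++] = tbl[(triple >> 18) & 63];
        out[o++] = tbl[(triple >> 12) & 63];
        out[o++] = tbl[(triple >> 6) & 63];
        out[o++] = tbl[triple & 63];
    }
    if (len % 3 == 1) { out[o - 2] = '='; out[o - 1] = '='; }
    else if (len % 3 == 2) { out[o - 1] = '='; }
    out[o] = '\0';
    return out;
}

/* Equivalent of g_strdup_printf ("data:%s;base64,%s", image_type, image_data). */
static char *format_data_uri(const char *image_type, const char *image_data) {
    int n = snprintf(NULL, 0, "data:%s;base64,%s", image_type, image_data);
    if (n < 0) return NULL;
    char *out = malloc((size_t)n + 1);
    if (out) snprintf(out, (size_t)n + 1, "data:%s;base64,%s", image_type, image_data);
    return out;
}

/* The 3.2.1 ordering as the Valgrind trace shows it: the object that owns
 * image_type is unref'd (line 1974) before the string is formatted (line 1978).
 * Deliberately left as the broken form; run it under AddressSanitizer to see
 * the invalid read reported. */
char *data_uri_use_after_free(FileInfo *file_info, const unsigned char *bytes, size_t len) {
    const char *image_type = file_info->content_type;        /* borrowed, not owned */
    char *image_data = base64_encode(bytes, len);
    file_info_unref(file_info);                               /* frees image_type's storage */
    char *image64 = format_data_uri(image_type, image_data);  /* reads freed memory */
    free(image_data);
    return image64;
}

/* Fixed ordering: take an owned copy of the content type before dropping the
 * reference (moving the unref below the format call would work equally well). */
char *data_uri_fixed(FileInfo *file_info, const unsigned char *bytes, size_t len) {
    char *image_type = xstrdup(file_info->content_type);
    char *image_data = base64_encode(bytes, len);
    file_info_unref(file_info);
    char *image64 = (image_type && image_data) ? format_data_uri(image_type, image_data) : NULL;
    free(image_type);
    free(image_data);
    return image64;
}

/* Builds a FileInfo for constructed input, runs the fixed path, compares. */
int fixed_output_matches(const char *content_type, const unsigned char *bytes,
                         size_t len, const char *expected) {
    FileInfo *info = file_info_new(content_type);
    if (!info) return 0;
    char *uri = data_uri_fixed(info, bytes, len);   /* consumes the reference */
    int ok = uri != NULL && strcmp(uri, expected) == 0;
    free(uri);
    return ok;
}
```

With the six-byte GIF signature as constructed input, fixed_output_matches("image/gif", "GIF89a", 6, "data:image/gif;base64,R0lGODlh") returns 1. Calling data_uri_use_after_free on the same input compiled with -fsanitize=address reports a heap-use-after-free at the snprintf, which is the same read Valgrind flagged above; whether a non-instrumented build segfaults or silently formats stale bytes depends on what the allocator has done with the 10-byte block in between, which is why the crash showed up on one machine and not others.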
Comment 1 Claudio Saavedra 2012-06-09 10:38:58 UTC

*** This bug has been marked as a duplicate of bug 677025 ***
Comment 2 Claudio Saavedra 2012-06-11 09:23:35 UTC
We committed this anyway, since Carlos' patch is a bit more complex and I think we need to solve this already.