Bug 628526 – gnome-settings-daemon crashes in gsd-clipboard-manager.c:628 conversions is NULL

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 628526 - gnome-settings-daemon crashes in gsd-clipboard-manager.c:628 conversions is NULL


Summary:	gnome-settings-daemon crashes in gsd-clipboard-manager.c:628 conversions is NULL


Status:	RESOLVED FIXED

Product:	gnome-settings-daemon
Classification:	Core
Component:	plugins
Version:	2.30.x
Hardware:	Other Linux

Importance:	Normal major
Target Milestone:	---
Assigned To:	gnome-settings-daemon-maint
QA Contact:	gnome-settings-daemon-maint

URL:
Whiteboard:

Duplicates:	628926 (view as bug list)
Depends on:
Blocks:

Reported:	2010-09-01 16:17 UTC by Krzysztof Klimonda
Modified:	2010-09-23 16:33 UTC

See Also:	https://launchpad.net/bugs/626379
GNOME target:	---
GNOME version:	---

Attachments
return if conversions == NULL (786 bytes, patch) 2010-09-02 12:03 UTC, Krzysztof Klimonda	none	Details \| Review
return early from convert_clipboard is nitems is set to 0 (900 bytes, patch) 2010-09-14 16:01 UTC, Krzysztof Klimonda	committed	Details \| Review

Description Krzysztof Klimonda 2010-09-01 16:17:51 UTC

(gdb) bt full

+ Trace 223513

#0 convert_clipboard
at gsd-clipboard-manager.c line 628
#1 clipboard_manager_process_event
at gsd-clipboard-manager.c line 791
#2 clipboard_manager_event_filter
at gsd-clipboard-manager.c line 807
#3 ??
from /usr/lib/libgdk-x11-2.0.so.0
#4 ??
from /usr/lib/libgdk-x11-2.0.so.0
#5 ??
from /usr/lib/libgdk-x11-2.0.so.0
#6 g_main_context_dispatch
from /lib/libglib-2.0.so.0
#7 ??
from /lib/libglib-2.0.so.0
#8 g_main_loop_run
from /lib/libglib-2.0.so.0
#9 gtk_main
from /usr/lib/libgtk-x11-2.0.so.0
#10 main


It looks like XGetWindowProperty sets &type to XA_ATOM_PAIR and &nitems to 0 so the following loop is never evaluated and later, when we access conversions->next it dies.

I can't reproduce it myself, reporter has managed to crash g-s-d by using kolourpaint4 but I couldn't do it - probably I don't know how to connect KDE applications to g-s-d.

Comment 1 Krzysztof Klimonda 2010-09-02 12:03:37 UTC

Created attachment 169356 [details] [review]
return if conversions == NULL

We could probably remove critical message completely but the patch is from the downstream bug and I've decided to display it so we know something isn't right.

Comment 2 Krzysztof Klimonda 2010-09-14 16:01:54 UTC

Created attachment 170257 [details] [review]
return early from convert_clipboard is nitems is set to 0

XGetWindowProperty returns Success but still sets nitems_return to 0 - I'm not sure whether it's a bug in function or is it a valid result. If nitems_return is set to 0 return early to avoid crash on accessing a "next" field of the NULL conversions pointer.

XGetWindowProperty manual also states that the function always allocates one more byte for prop_return (which is multiple in g-s-d code) so freeing it is supposed to be safe - but I'm not sure if it allocates this byte even if actual_type_return is set to None so lets check whether multiple isn't NULL before freeing it.

Comment 3 Rodrigo Moya 2010-09-15 10:33:14 UTC

Review of attachment 170257 [details] [review]:

Committed to both master and gnome-2-32 branch

Comment 4 Bastien Nocera 2010-09-23 16:33:17 UTC

*** Bug 628926 has been marked as a duplicate of this bug. ***