Bug 686091 - Invalid reads in g_bytes_unref_to_data
Status: RESOLVED FIXED
Product: glib
Classification: Platform
Component: general
Version: 2.34.x
Hardware: Other Linux
Importance: Normal normal
Assigned To: gtkdev
QA Contact: gtkdev
Reported: 2012-10-13 15:28 UTC by Miguel Angel Cabrera Moya
Modified: 2012-10-17 09:42 UTC

Attachments
Proposed fix (2.06 KB, patch)
2012-10-14 10:48 UTC, Miguel Angel Cabrera Moya

Description Miguel Angel Cabrera Moya 2012-10-13 15:28:26 UTC
In g_bytes_unref_to_data there were invalid reads when first calling try_steal_and_unref and then using the unreferenced 'bytes'. There was also a double free when bytes->data was NULL.

This is a proposed fix.
Comment 1 Matthias Clasen 2012-10-14 01:35:36 UTC
Forgotten patch?
Comment 2 Miguel Angel Cabrera Moya 2012-10-14 10:48:30 UTC
Created attachment 226407
Proposed fix
Comment 3 Matthias Clasen 2012-10-15 23:15:28 UTC
I don't follow. If try_steal_and_unref returns NULL, no unref has happened.
Do you have a testcase that shows the claimed invalid reads or double frees?
Comment 4 Miguel Angel Cabrera Moya 2012-10-16 08:24:27 UTC
For the double free, if bytes->ref_count is 1 and bytes->data is NULL, there is a free in try_steal_and_unref and then there is another free because result == NULL.

For the invalid reads it is similar, result == NULL and the "bytes" structure is accessed for duplicating the data.
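
The scenario described in comment 4, as an added example that is neither GLib's source nor the attached patch: a simplified model (the `Buf` type and all function names are hypothetical) in which a steal helper returns NULL both for "not stolen" and for a successfully stolen NULL pointer, beside a variant that reports success separately from the pointer. It assumes the helper releases the object when it holds the sole reference; frees are only counted, never performed, so the double release and the read after release can be observed safely.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model (hypothetical names, not GLib's source); release() only records a free. */
typedef struct { int ref_count; void *data; size_t size; int frees; } Buf;
static int invalid_reads;   /* reads of a Buf that was already released */

static void release(Buf *b) { b->frees++; }
static size_t read_size(Buf *b) { if (b->frees) invalid_reads++; return b->size; }
static void *copy_and_unref(Buf *b, size_t *size) {   /* fallback: duplicate, drop one ref */
    *size = read_size(b);
    void *r = *size ? malloc(*size) : NULL;
    if (r) memcpy(r, b->data, *size);
    if (--b->ref_count == 0) release(b);
    return r;
}

/* Ambiguous: NULL means "not stolen" but is also the stolen pointer when data is NULL. */
static void *steal_ambiguous(Buf *b, size_t *size) {
    if (b->ref_count != 1) return NULL;
    void *p = b->data;
    *size = b->size;
    release(b);
    return p;
}
static void *to_data_ambiguous(Buf *b, size_t *size) {
    void *r = steal_ambiguous(b, size);
    return r ? r : copy_and_unref(b, size);   /* also runs after stealing NULL */
}

/* Checked: success is reported separately from the pointer value. */
static bool steal_checked(Buf *b, void **out, size_t *size) {
    if (b->ref_count != 1) return false;
    *out = b->data;
    *size = b->size;
    release(b);
    return true;
}
static void *to_data_checked(Buf *b, size_t *size) {
    void *r = NULL;
    return steal_checked(b, &r, size) ? r : copy_and_unref(b, size);
}

int main(void) {
    Buf a = {1, NULL, 0, 0}, b = {1, NULL, 0, 0};   /* constructed: sole ref, NULL data */
    size_t n = 0;
    to_data_ambiguous(&a, &n);
    to_data_checked(&b, &n);
    printf("ambiguous: %d frees, checked: %d frees\n", a.frees, b.frees);
}
```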