After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 752824 - Zeitgeist plugin read/write after free on datasource registration
Zeitgeist plugin read/write after free on datasource registration
Status: RESOLVED FIXED
Product: gedit-plugins
Classification: Other
Component: General
unspecified
Other Linux
: Normal normal
: ---
Assigned To: Gedit maintainers
Gedit maintainers
Depends on:
Blocks:
 
 
Reported: 2015-07-24 12:51 UTC by Steve Dodier
Modified: 2019-03-23 20:35 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
Patch (548 bytes, patch)
2015-07-24 12:51 UTC, Steve Dodier 		none Details | Review
Git-formatted patch for gedit-plugins trunk (1.03 KB, patch)
2015-07-31 06:52 UTC, Steve Dodier 		none Details | Review

Description Steve Dodier 2015-07-24 12:51:24 UTC 
Created attachment 308077 [details] [review]
Patch

The Zeitgeist plugin creates a GPtrArray to give to libzeitgeist when registering a Zeitgeist datasource. libzeitgeist internally sinks this reference, but the plugin assumes the GPtrArray to still be available and later attempts to unref it.

The attached patch adds a reference to the GPtrArray to keep it available until the end of the plugin's initialisation code, where it is unrefed.
Comment 1 Sébastien Wilmet 2015-07-30 15:29:59 UTC 
Review of attachment 308077 [details] [review]:

It's easier for us if the patch is created with the 'git format-patch' command, with a good commit message.
Otherwise, the diff looks good.
Comment 2 Steve Dodier 2015-07-31 06:52:25 UTC 
Created attachment 308512 [details] [review]
Git-formatted patch for gedit-plugins trunk

Here you go!
Comment 3 Sébastien Wilmet 2015-07-31 09:35:29 UTC 
Pushed:
https://git.gnome.org/browse/gedit-plugins/commit/?id=741952f0986d5c1bdf8a11f06144010613fe34d2

I had to fix the indentation (!), and the commit message. The first line of the commit message should be short, no longer than 72 characters. See the HACKING file in the main gedit repository (not gedit-plugins).
Comment 4 Robert Ancell 2015-08-12 23:43:05 UTC 
Wouldn't the patch be simpler just to move the g_ptr_array_set_free_func call before it's passed to zeitgeist_data_source_new_full? Then it wouln't need the ref/unref.
Comment 5 Robert Ancell 2015-08-13 02:15:15 UTC 
Re-reading the code I'm even more confused about the reference counting. I *think* the reference is just being kept for the PtrArray just to unref the single event object inside it. So you could probably just unref the event after calling zeitgeist_data_source_new_full and that would be simpler.
Comment 6 Steve Dodier 2015-08-13 17:57:05 UTC 
Sorry it took me so long to get back to you. You're perfectly right, it makes little sense to re-reference the structure rather than simply removing the incorrect unref. The code is semantically equivalent but has dead code.

The reason I decided to do it this way is human factors. The person who wrote this code in the first place might have been unfamiliar with libzeitgeist, since she did not realise the called function took ownership of its parameter. That person is likelier than someone else to maintain the code in the future, and this bug has existed for ~4 years and caused multiple reports of crashes without anyone finding out how to fix it. I stumbled upon the issue by pure chance myself, because of my own hacking of libzeitgeist internal state. I chose to make sure the offending object is available wherever the original developer assumed it was so that the bug isn't reintroduced in the future.

If you're confident this is unlikely to happen (or that you'll be more prepared to link crash reports to this specific plugin), I will happily agree with you that it's preferable to remove the redundant unref instead. I've just preferred to be overly cautious :-)