Bug 342894 - Use after free inside gtk_text_view_set_buffer
Status: RESOLVED FIXED
Product: gtk+
Classification: Platform
Component: Widget: GtkTextView
Version: 2.9.x
Hardware/OS: Other / All
Importance: Normal normal
Target Milestone: ---
Assigned To: gtk-bugs
QA Contact: gtk-bugs
Depends on:
Blocks:
Reported: 2006-05-25 07:38 UTC by Chris Wilson
Modified: 2006-05-29 08:39 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Reduce loop to single if (714 bytes, patch), 2006-05-26 23:17 UTC, Chris Wilson

Description Chris Wilson 2006-05-25 07:38:33 UTC
Valgrind report:
==31503== Invalid read of size 4
==31503==    at 0x64A50EB: (within /usr/lib/libgtk-x11-2.0.so.0.901.0)
==31503==    by 0x64A7E08: gtk_text_view_set_buffer (in /usr/lib/libgtk-x11-2.0.so.0.901.0)
==31503==    by 0x804E7C2: main (main.c:561)
==31503==  Address 0x898C778 is 8 bytes inside a block of size 12 free'd
==31503==    at 0x4004E41: free (vg_replace_malloc.c:235)
==31503==    by 0x5FA79E0: g_free (in /usr/lib/libglib-2.0.so.0.1101.0)
==31503==    by 0x644904C: gtk_target_list_remove (in /usr/lib/libgtk-x11-2.0.so.0.901.0)
==31503==    by 0x64A5100: (within /usr/lib/libgtk-x11-2.0.so.0.901.0)
==31503==    by 0x64A7E08: gtk_text_view_set_buffer (in /usr/lib/libgtk-x11-2.0.so.0.901.0)
==31503==    by 0x804E7C2: main (main.c:561)

The sequence of events is:
buf=gtk_text_buffer_new()
... load some glade widgets ...
gtk_text_view_set_buffer(A_GLADE_WIDGET, buf)

Unfortunately I've yet to reproduce it with a simple test case.
Comment 1 Matthias Clasen 2006-05-26 13:29:18 UTC
Looks like something goes wrong in the rich text code, but
it is hard to say without a smaller test case. The code doesn't
look obviously wrong to me.
Comment 2 Chris Wilson 2006-05-26 23:16:14 UTC
Still searching for the elusive trigger... In the meantime here's the valgrind report against CVS:

==26066== Invalid read of size 4
==26066==    at 0x46F2E6B: gtk_text_view_target_list_notify (gtktextview.c:6894)
==26066==    by 0x46F5B88: gtk_text_view_set_buffer (gtktextview.c:1207)
==26066==    by 0x804E653: main (main.c:575)
==26066==  Address 0x764D638 is 8 bytes inside a block of size 12 free'd
==26066==    at 0x401FE41: free (vg_replace_malloc.c:235)
==26066==    by 0x49209E0: g_free (gmem.c:187)
==26066==    by 0x4696F1C: gtk_target_list_remove (gtkselection.c:517)
==26066==    by 0x46F2E80: gtk_text_view_target_list_notify (gtktextview.c:6895)
==26066==    by 0x46F5B88: gtk_text_view_set_buffer (gtktextview.c:1207)
==26066==    by 0x804E653: main (main.c:575)

Ah, I think I see it...

valgrind is simply complaining about looping and testing pair->info even though we have just freed pair.

Simple fix attached.
Comment 3 Chris Wilson 2006-05-26 23:17:29 UTC
Created attachment 66310
Reduce loop to single if
Comment 4 Michael Natterer 2006-05-29 08:08:33 UTC
Right, that loop is more than useless :) thanks for the patch, will
apply it right away.

(next time, please use "cvs diff -up" so the patch is more readable,
or simply add "diff -up" to your ~/.cvsrc)
Comment 5 Michael Natterer 2006-05-29 08:39:31 UTC
Fixed in CVS:

2006-05-29  Michael Natterer  <mitch@imendio.com>

	* gtk/gtktextview.c (gtk_text_view_target_list_notify): applied
	patch from Chris Wilson which replaces a useless loop with
	built-in access to free'd memory by a simple integer comparison.
	Fixes bug #342894.
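The loop shape Chris describes in comment 2 (testing pair->info after the pair has been freed) and the fix recorded in the ChangeLog (a single integer comparison, no further loop over freed memory), as an added C illustration that is not GTK's code: a constructed singly linked list stands in for the target list, `notify_buggy` keeps the loop that dereferences `pair` after `target_list_remove` frees it, and `notify_fixed` does the one comparison and stops at the first match. The type and function names (`Pair`, `TargetList`, `notify_buggy`, `notify_fixed`, the `scenario_*` helpers) and the target strings are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a GTK target list: a singly linked list of
 * (target name, integer info tag) pairs. Illustration only, not GtkTargetList. */
typedef struct Pair {
    char *target;
    unsigned info;
    struct Pair *next;
} Pair;

typedef struct {
    Pair *head;
    size_t len;
} TargetList;

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d)
        memcpy(d, s, n);
    return d;
}

static void target_list_add(TargetList *l, const char *target, unsigned info)
{
    Pair *p = malloc(sizeof *p);
    if (!p)
        return;
    p->target = dup_str(target);
    p->info = info;
    p->next = l->head;   /* prepend */
    l->head = p;
    l->len++;
}

/* Unlink and free the first pair whose target name matches. After this
 * returns, that Pair is freed memory and any pointer to it is dangling. */
static void target_list_remove(TargetList *l, const char *target)
{
    for (Pair **pp = &l->head; *pp; pp = &(*pp)->next) {
        if (strcmp((*pp)->target, target) == 0) {
            Pair *dead = *pp;
            *pp = dead->next;
            free(dead->target);
            free(dead);
            l->len--;
            return;
        }
    }
}

static int target_list_contains(const TargetList *l, const char *target)
{
    for (const Pair *p = l->head; p; p = p->next)
        if (strcmp(p->target, target) == 0)
            return 1;
    return 0;
}

static void target_list_free(TargetList *l)
{
    while (l->head)
        target_list_remove(l, l->head->target);
}

/* BUGGY shape of the loop the report describes, kept only for contrast and
 * never called here (running it is undefined behaviour). Once
 * target_list_remove() frees `pair`, the loop's `pair = pair->next` and the
 * next `pair->info` test read freed memory, which is what Valgrind flagged
 * at gtktextview.c:6894-6895. */
void notify_buggy(TargetList *l, unsigned rich_text_info)
{
    for (Pair *pair = l->head; pair; pair = pair->next)
        if (pair->info == rich_text_info)
            target_list_remove(l, pair->target);   /* frees pair, loop goes on */
}

/* Fixed shape in the spirit of the applied patch: one integer comparison
 * decides whether there is anything to remove, the lookup stops at the first
 * match, and nothing touches `pair` after it is freed. Returns 1 if removed. */
static int notify_fixed(TargetList *l, unsigned rich_text_info)
{
    if (rich_text_info == 0)             /* no rich-text target registered */
        return 0;
    for (Pair *pair = l->head; pair; pair = pair->next) {
        if (pair->info == rich_text_info) {
            target_list_remove(l, pair->target);
            return 1;                    /* pair is dangling from here on */
        }
    }
    return 0;
}

/* Constructed scenario: three targets added, the rich-text one removed by the
 * fixed notify, so two remain. */
static int scenario_remaining(void)
{
    TargetList l = { 0 };
    target_list_add(&l, "UTF8_STRING", 1);
    target_list_add(&l, "application/x-rich-text", 2);
    target_list_add(&l, "text/plain", 3);
    notify_fixed(&l, 2);
    int left = (int)l.len;
    target_list_free(&l);
    return left;
}

/* Same idea: the entry is really gone and a second notify is a harmless no-op. */
static int scenario_removed_once(void)
{
    TargetList l = { 0 };
    target_list_add(&l, "UTF8_STRING", 1);
    target_list_add(&l, "application/x-rich-text", 2);
    int first = notify_fixed(&l, 2);
    int gone = !target_list_contains(&l, "application/x-rich-text");
    int second = notify_fixed(&l, 2);
    target_list_free(&l);
    return first == 1 && gone && second == 0;
}
```

The point the example makes is the one in the ChangeLog: the search loop itself is not the defect, continuing to iterate through a node you just freed is. Returning (or breaking) immediately after the removal, or deciding up front with an integer test whether there is anything to remove at all, is what keeps Valgrind quiet.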