Bug 409101 - invalid read to gtkicontheme.c insert_theme(), might cause gnome-panel crash
Status: RESOLVED FIXED
Product: gtk+
Classification: Platform
Component: Widget: Other
Version: 2.10.x
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: gtk-bugs
QA Contact: gtk-bugs
Reported: 2007-02-17 23:42 UTC by Sebastien Bacher
Modified: 2007-02-26 14:14 UTC
GNOME target: ---
GNOME version: 2.17/2.18



Description Sebastien Bacher 2007-02-17 23:42:13 UTC
The Ubuntu bug tracker has a bunch of gnome-panel crashes happening on upgrade or package installation (https://launchpad.net/ubuntu/+source/gnome-panel/+bug/85776). Valgrind points to some GTK problem that could be the cause of that:

==8991== Invalid read of size 1
==8991== at 0x40222BE: strcmp (mc_replace_strmem.c:341)
==8991== by 0x48675F3: g_str_equal (gstring.c:77)
==8991== by 0x483E81E: g_hash_table_insert (ghash.c:240)
==8991== by 0x437F35C: insert_theme (gtkicontheme.c:2213)
==8991== by 0x4380BBD: ensure_valid_themes (gtkicontheme.c:1044)
==8991== by 0x4381277: gtk_icon_theme_get_icon_sizes (gtkicontheme.c:1493)
==8991== by 0x44D99E7: icon_list_from_theme (gtkwindow.c:2767)
==8991== by 0x44DA011: gtk_window_realize_icon (gtkwindow.c:2851)
==8991== by 0x47FA9C8: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==8991== by 0x47ED62A: g_closure_invoke (gclosure.c:490)
==8991== by 0x47FE0F2: signal_emit_unlocked_R (gsignal.c:2440)
==8991== by 0x47FF616: g_signal_emit_valist (gsignal.c:2199)
==8991== Address 0x5924B80 is 0 bytes inside a block of size 7 free'd
==8991== at 0x4020F9A: free (vg_replace_malloc.c:233)
==8991== by 0x4851F90: g_free (gmem.c:187)
==8991== by 0x483E730: g_hash_table_replace (ghash.c:390)
==8991== by 0x437F33F: insert_theme (gtkicontheme.c:2212)
==8991== by 0x4380BBD: ensure_valid_themes (gtkicontheme.c:1044)
==8991== by 0x4381277: gtk_icon_theme_get_icon_sizes (gtkicontheme.c:1493)
==8991== by 0x44D99E7: icon_list_from_theme (gtkwindow.c:2767)
==8991== by 0x44DA011: gtk_window_realize_icon (gtkwindow.c:2851)
==8991== by 0x47FA9C8: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==8991== by 0x47ED62A: g_closure_invoke (gclosure.c:490)
==8991== by 0x47FE0F2: signal_emit_unlocked_R (gsignal.c:2440)
==8991== by 0x47FF616: g_signal_emit_valist (gsignal.c:2199)"
Comment 1 Chris Wilson 2007-02-19 09:08:44 UTC
This seems to be a simple ordering issue between replacing in the first hash table and inserting into the second table. With a duplicate base_name, the first replace will free the key which is also being used as the key in the second hash table. Simply switching the order of the replace/insert should prevent this...

Index: gtk/gtkicontheme.c
===================================================================
--- gtk/gtkicontheme.c  (revision 17333)
+++ gtk/gtkicontheme.c  (working copy)
@@ -2207,8 +2207,8 @@
       base_name = strip_suffix (name);
 
       hash_suffix = GPOINTER_TO_INT (g_hash_table_lookup (dir->icons, base_name));
+      g_hash_table_insert (icon_theme->all_icons, base_name, NULL);
       g_hash_table_replace (dir->icons, base_name, GUINT_TO_POINTER (hash_suffix| suffix));
-      g_hash_table_insert (icon_theme->all_icons, base_name, NULL);
     }
   
   g_dir_close (gdir);
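Review bot: the moved g_hash_table_insert (icon_theme->all_icons, base_name, NULL) does not store the new base_name when the key already exists, because g_hash_table_insert keeps the key that is already in the table. The g_hash_table_replace on dir->icons that follows still frees the previous key string, so if all_icons holds that same pointer it is left referencing freed memory for later lookups. Consider using g_hash_table_replace for all_icons as well, so both tables end up pointing at the new base_name, and add a comment at this spot stating that dir->icons owns the key and all_icons only borrows it, since the fix depends entirely on that ordering.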
Comment 2 Matthias Clasen 2007-02-26 13:59:45 UTC
Looks right. Please commit to both branches
Comment 3 Chris Wilson 2007-02-26 14:14:04 UTC
Committed: gtk+-2.10 r17352 and trunk r17353.

2007-02-26  Chris Wilson  <chris@chris-wilson.co.uk>

	Bug 409101 – invalid read to gtkicontheme.c insert_theme(), might cause gnome-panel crash

	* gtk/gtkicontheme.c: (scan_directory):
		Reorder the replacement of the shared base_name key, so that we
		avoid dereferencing the string in the icon_theme->all_icon
		hash table after freeing it from the dir->icons hash table.
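The shared-key ordering problem discussed in this report, as an added C model; it is not GTK or GLib code and not from anyone in the thread. It assumes that dir->icons owns and frees its keys while all_icons only borrows them; the `Table` type, the helper names, the sample name "folder" and the third ordering (replace in both tables) are constructed for illustration and go beyond the patch shown.

```c
/* Constructed model, not GLib or GTK code: two string-keyed tables share key pointers.
 * Assumptions: dir owns its keys (frees the old key on replace); all only borrows them. */
#include <stdlib.h>
#include <string.h>

#define CAP 8
typedef struct { char *key[CAP]; int n; } Table;

static char *dead[CAP];   /* keys the owner has "freed"; kept allocated so the check is safe */
static int ndead, stale;  /* stale = key comparisons that would touch freed memory */

static int find(Table *t, const char *k) {
    for (int i = 0; i < t->n; i++) {
        for (int d = 0; d < ndead; d++)
            if (t->key[i] == dead[d]) stale++;
        if (strcmp(t->key[i], k) == 0) return i;
    }
    return -1;
}
/* store(): on a duplicate, swap_key=0 keeps the stored key (g_hash_table_insert semantics),
 * swap_key=1 stores the new key (g_hash_table_replace); owner=1 also "frees" the old key. */
static void store(Table *t, char *k, int swap_key, int owner) {
    int i = find(t, k);
    if (i < 0) { t->key[t->n++] = k; return; }
    if (!swap_key) return;
    if (owner) dead[ndead++] = t->key[i];
    t->key[i] = k;
}
static char *copy(const char *s) {
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}
/* order 0: replace dir, insert all (original); 1: insert all, replace dir (patch);
 * 2: replace in both tables. Returns stale comparisons, optionally after one more lookup. */
int scan(int order, int lookup_after) {
    Table dir = {{0}, 0}, all = {{0}, 0};
    const char *names[] = {"folder", "folder"}; /* folder.png, folder.svg after strip_suffix */
    ndead = stale = 0;
    for (int i = 0; i < 2; i++) {
        char *base = copy(names[i]);
        if (!base) return -1;
        if (order == 0) { store(&dir, base, 1, 1); store(&all, base, 0, 0); }
        if (order == 1) { store(&all, base, 0, 0); store(&dir, base, 1, 1); }
        if (order == 2) { store(&all, base, 1, 0); store(&dir, base, 1, 1); }
    }
    if (lookup_after) find(&all, "folder");
    return stale;
}
int main(void) { return scan(2, 1); }
```

In this model the original order touches a freed key during the scan itself, the reordered calls defer that to the next lookup in the borrowing table, and replacing the key in both tables leaves no stale key behind.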