GNOME Bugzilla – Bug 409101
invalid read to gtkicontheme.c insert_theme(), might cause gnome-panel crash
Last modified: 2007-02-26 14:14:04 UTC
The Ubuntu bug tracker has a bunch of gnome-panel crashes happening on upgrade or package installation (https://launchpad.net/ubuntu/+source/gnome-panel/+bug/85776); valgrind points to some GTK problem that could be the cause of that:

==8991== Invalid read of size 1
==8991==    at 0x40222BE: strcmp (mc_replace_strmem.c:341)
==8991==    by 0x48675F3: g_str_equal (gstring.c:77)
==8991==    by 0x483E81E: g_hash_table_insert (ghash.c:240)
==8991==    by 0x437F35C: insert_theme (gtkicontheme.c:2213)
==8991==    by 0x4380BBD: ensure_valid_themes (gtkicontheme.c:1044)
==8991==    by 0x4381277: gtk_icon_theme_get_icon_sizes (gtkicontheme.c:1493)
==8991==    by 0x44D99E7: icon_list_from_theme (gtkwindow.c:2767)
==8991==    by 0x44DA011: gtk_window_realize_icon (gtkwindow.c:2851)
==8991==    by 0x47FA9C8: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==8991==    by 0x47ED62A: g_closure_invoke (gclosure.c:490)
==8991==    by 0x47FE0F2: signal_emit_unlocked_R (gsignal.c:2440)
==8991==    by 0x47FF616: g_signal_emit_valist (gsignal.c:2199)
==8991== Address 0x5924B80 is 0 bytes inside a block of size 7 free'd
==8991==    at 0x4020F9A: free (vg_replace_malloc.c:233)
==8991==    by 0x4851F90: g_free (gmem.c:187)
==8991==    by 0x483E730: g_hash_table_replace (ghash.c:390)
==8991==    by 0x437F33F: insert_theme (gtkicontheme.c:2212)
==8991==    by 0x4380BBD: ensure_valid_themes (gtkicontheme.c:1044)
==8991==    by 0x4381277: gtk_icon_theme_get_icon_sizes (gtkicontheme.c:1493)
==8991==    by 0x44D99E7: icon_list_from_theme (gtkwindow.c:2767)
==8991==    by 0x44DA011: gtk_window_realize_icon (gtkwindow.c:2851)
==8991==    by 0x47FA9C8: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==8991==    by 0x47ED62A: g_closure_invoke (gclosure.c:490)
==8991==    by 0x47FE0F2: signal_emit_unlocked_R (gsignal.c:2440)
==8991==    by 0x47FF616: g_signal_emit_valist (gsignal.c:2199)
This seems to be a simple ordering issue between replacing in the first hash table and inserting into the second table. With a duplicate base_name, the first replace will free the key which is also being used as the key in the second hash table. Simply switching the order of the replace/insert should prevent this... Index: gtk/gtkicontheme.c =================================================================== --- gtk/gtkicontheme.c (revision 17333) +++ gtk/gtkicontheme.c (working copy) @@ -2207,8 +2207,8 @@ base_name = strip_suffix (name); hash_suffix = GPOINTER_TO_INT (g_hash_table_lookup (dir->icons, base_name)); + g_hash_table_insert (icon_theme->all_icons, base_name, NULL); g_hash_table_replace (dir->icons, base_name, GUINT_TO_POINTER (hash_suffix| suffix)); - g_hash_table_insert (icon_theme->all_icons, base_name, NULL); } g_dir_close (gdir);
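Review bot: on the added "g_hash_table_insert (icon_theme->all_icons, base_name, NULL);" line, the duplicate-base_name case still looks unsafe, because g_hash_table_insert keeps the key already stored in the table rather than adopting the new one. The valgrind trace shows that the stored key is the same string that "g_hash_table_replace (dir->icons, base_name, ...)" frees on the following line, so all_icons is left holding a freed key for any later lookup or insert to compare against. If all_icons instead has a key destroy function, the insert frees the new base_name and the replace then stores a freed pointer in dir->icons. Suggest making the first call g_hash_table_replace as well, so that all_icons adopts the new base_name before dir->icons releases the old one, or giving all_icons its own copy of the string, and adding a comment that states which table owns base_name.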
Looks right. Please commit to both branches
Committed: gtk+-2.10 r17352 and trunk r17353.

2007-02-26 Chris Wilson <chris@chris-wilson.co.uk>

Bug 409101 – invalid read to gtkicontheme.c insert_theme(), might cause gnome-panel crash

* gtk/gtkicontheme.c: (scan_directory): Reorder the replacement of the shared base_name key, so that we avoid dereferencing the string in the icon_theme->all_icon hash table after freeing it from the dir->icons hash table.