Bug 616098 - [PATCH] fix access after free
Status: RESOLVED FIXED
Product: yelp
Classification: Applications
Component: Crashers
Version: 3.0.x
OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: Yelp maintainers
Depends on:
Blocks:
Reported: 2010-04-18 14:04 UTC by Edward Sheldrake
Modified: 2011-09-05 20:53 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
fix access after free (578 bytes, patch) - 2010-04-18 14:04 UTC, Edward Sheldrake
Fix access after free (1.02 KB, patch) - 2011-03-30 15:36 UTC, Edward Sheldrake
Fix crash due to access after free (1.03 KB, patch) - 2011-08-30 20:13 UTC, Edward Sheldrake - committed

Description Edward Sheldrake 2010-04-18 14:04:04 UTC
Created attachment 159008
fix access after free

This patch fixes hundreds of valgrind warnings when parsing info pages, of the form:

413 errors in context 3 of 4:
Invalid read of size 1
   at 0x4027DAD: stpcpy (mc_replace_strmem.c:573)
   by 0x4B72382: g_stpcpy (in /lib/libglib-2.0.so.0.2400.0)
   by 0x4B72673: g_strconcat (in /lib/libglib-2.0.so.0.2400.0)
   by 0x807883B: info_process_text_notes (yelp-info-parser.c:1195)
   by 0x8077BD9: parse_tree_level (yelp-info-parser.c:851)
   by 0x8077C81: parse_tree_level (yelp-info-parser.c:866)
   by 0x8077D85: yelp_info_parser_parse_tree (yelp-info-parser.c:897)
   by 0x8075C56: info_process (yelp-info.c:392)
   by 0x4B79378: ??? (in /lib/libglib-2.0.so.0.2400.0)
   by 0x4DC8AB4: start_thread (in /lib/libpthread-2.11.1.so)
   by 0x500EDAD: clone (in /lib/libc-2.11.1.so)
 Address 0x55172c6 is 14 bytes inside a block of size 21 free'd
   at 0x40257F6: free (vg_replace_malloc.c:325)
   by 0x4B5A17C: g_free (in /lib/libglib-2.0.so.0.2400.0)
   by 0x8078821: info_process_text_notes (yelp-info-parser.c:1194)
   by 0x8077BD9: parse_tree_level (yelp-info-parser.c:851)
   by 0x8077C81: parse_tree_level (yelp-info-parser.c:866)
   by 0x8077D85: yelp_info_parser_parse_tree (yelp-info-parser.c:897)
   by 0x8075C56: info_process (yelp-info.c:392)
   by 0x4B79378: ??? (in /lib/libglib-2.0.so.0.2400.0)
   by 0x4DC8AB4: start_thread (in /lib/libpthread-2.11.1.so)
   by 0x500EDAD: clone (in /lib/libc-2.11.1.so)

I don't think it fixes any user-visible issue.
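The shape of the defect the valgrind trace points at, as an added example that is not part of the bug report or of yelp's code: the accumulating buffer is released by g_free() on one line and then handed to g_strconcat() on the next, so the copy reads freed heap memory. `str_concat2`, `append_note` and `join_notes` are constructed stand-ins (not GLib or yelp functions), and the buggy ordering is a hypothetical reconstruction from the trace, not the actual lines of yelp-info-parser.c.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a two-argument g_strconcat(): returns a newly
 * allocated copy of a followed by b. Not GLib code. */
static char *str_concat2(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    char *out = malloc(la + lb + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, a, la);            /* the copy valgrind reported as an
                                      invalid read once a had been freed */
    memcpy(out + la, b, lb + 1);
    return out;
}

/*
 * Shape of the defect as the trace describes it (hypothetical, not yelp's
 * actual lines): the old buffer is freed and then passed to the
 * concatenation, which reads it after the free.
 *
 *     free(text);                       -- g_free()      (trace: line 1194)
 *     text = str_concat2(text, note);   -- g_strconcat() (trace: line 1195)
 */

/* Corrected ordering: build the joined string first and release the old
 * buffer only after its bytes have been copied out. Always consumes text;
 * returns the new string, or NULL if allocation failed. */
char *append_note(char *text, const char *note)
{
    char *joined = str_concat2(text, note);
    free(text);
    return joined;
}

/* Accumulates n note fragments onto one heap string, the way a parser loop
 * collecting footnote text would. Caller frees the result. */
char *join_notes(const char *const *notes, size_t n)
{
    char *text = str_concat2("", "");   /* start from an empty heap string */
    for (size_t i = 0; i < n && text != NULL; i++)
        text = append_note(text, notes[i]);
    return text;
}
```

Run under valgrind, the corrected ordering produces no "Invalid read" report because the freed block is never touched again.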
Comment 1 Edward Sheldrake 2011-03-30 15:33:51 UTC
On Fedora 14 with glibc 2.13, the patch now fixes a crash when trying to open info docs.
Comment 2 Edward Sheldrake 2011-03-30 15:36:18 UTC
Created attachment 184703
Fix access after free

The same patch, but for git master, and untested.
Comment 3 Edward Sheldrake 2011-04-22 15:25:41 UTC
Backtrace from unpatched yelp 3.0.0 for "yelp info:bison":

Program received signal SIGSEGV, Segmentation fault.
(gdb) bt full
#0  __strchr_sse2 from /lib64/libc.so.6
#1  info_process_text_notes at yelp-info-parser.c line 1450
#2  parse_tree_level at yelp-info-parser.c line 1018
#3  parse_tree_level at yelp-info-parser.c line 1042
#4  parse_tree_level at yelp-info-parser.c line 1042
#5  yelp_info_parser_parse_tree at yelp-info-parser.c line 1073
#6  info_document_process at yelp-info-document.c line 393
#7  ?? from /lib64/libglib-2.0.so.0
#8  start_thread from /lib64/libpthread.so.0
#9  clone from /lib64/libc.so.6


I've now tested the second patch; it fixes the crash.
Comment 4 Edward Sheldrake 2011-08-30 20:13:14 UTC
Created attachment 195246
Fix crash due to access after free

The same patch, re-done against yelp master (3.1.2).
Comment 5 Shaun McCance 2011-09-05 20:53:25 UTC
Pushed to master. Thanks.