GNOME Bugzilla – Bug 646771
Use after free() in Pasted Defined Names dialog.
Last modified: 2011-09-08 16:26:50 UTC
This bug was detected by keytest, feel free to close if it is not helpful.

Keycodes: '''KO: \AinKO: \C\[Escape]'''\[!Loop]

To reproduce:
1) Press Alt-I, N to open "Paste Defined Names" dialog (KO: \Ai)(KK: n)
2) Press Escape to close dialog (KO: \C\[Escape])
3) Go back to 1 (Loop)

I then get the following warnings in valgrind:

==12960== Memcheck, a memory error detector
==12960== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==12960== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==12960== Command: /usr/local/bin/gnumeric
==12960==
** (/usr/local/bin/gnumeric:12960): WARNING **: Running under buggy valgrind, see http://bugs.kde.org/show_bug.cgi?id=164298
==12960== Invalid read of size 4
==12960==    at 0x4EFE1A1: cb_free_keyed_dialog_context (in /usr/local/lib/libspreadsheet-1.10.14.so)
==12960==    by 0x81EA8F1: g_datalist_clear (in /lib/libglib-2.0.so.0.2400.1)
==12960==    by 0x79775A3: g_object_unref (in /usr/lib/libgobject-2.0.so.0.2400.1)
==12960==    by 0x5D2571A: gtk_main_do_event (gtkmain.c:1647)
==12960==    by 0x626886B: gdk_event_dispatch (gdkevents-x11.c:2372)
==12960==    by 0x81FF8C1: g_main_context_dispatch (in /lib/libglib-2.0.so.0.2400.1)
==12960==    by 0x8203747: ??? (in /lib/libglib-2.0.so.0.2400.1)
==12960==    by 0x8203C54: g_main_loop_run (in /lib/libglib-2.0.so.0.2400.1)
==12960==    by 0x5D25BB6: gtk_main (gtkmain.c:1219)
==12960==    by 0x404D0F: main (in /usr/local/bin/gnumeric-1.10.14)
==12960==  Address 0xf938ee8 is 24 bytes inside a block of size 32 free'd
==12960==    at 0x4C270BD: free (vg_replace_malloc.c:366)
==12960==    by 0x81EB46D: g_datalist_id_set_data_full (in /lib/libglib-2.0.so.0.2400.1)
==12960==    by 0x4EFE1E4: cb_free_keyed_dialog_context (in /usr/local/lib/libspreadsheet-1.10.14.so)
==12960==    by 0x81EB286: g_datalist_id_set_data_full (in /lib/libglib-2.0.so.0.2400.1)
==12960==    by 0x4EFF030: gnumeric_keyed_dialog (in /usr/local/lib/libspreadsheet-1.10.14.so)
==12960==    by 0x4FD1DA1: name_guru_init (in /usr/local/lib/libspreadsheet-1.10.14.so)
==12960==    by 0x4FD2070: dialog_paste_names (in /usr/local/lib/libspreadsheet-1.10.14.so)
==12960==    by 0x79755DD: g_closure_invoke (in /usr/lib/libgobject-2.0.so.0.2400.1)
==12960==    by 0x7989597: ??? (in /usr/lib/libgobject-2.0.so.0.2400.1)
==12960==    by 0x798AA75: g_signal_emit_valist (in /usr/lib/libgobject-2.0.so.0.2400.1)
==12960==    by 0x798B032: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.2400.1)
==12960==    by 0x5C66262: _gtk_action_emit_activate (gtkaction.c:755)
==12960==

Arch: x86_64
libgtk2.0-0: 2.20.1-0ubuntu2

I have not been able to reproduce the following backtrace manually, but keytest gives the following segmentation fault and backtrace.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5086160 in g_type_check_instance_cast () from /usr/lib/libgobject-2.0.so.0
+ Trace 226585
For more info see the Keytest Report http://gmatht.homelinux.net/xp/keytest/html_out/out/gnumeric_3//html//1301882527.html
I have just committed the fix to a mistake in the code in question:
http://git.gnome.org/browse/gnumeric/commit/?id=29bbd775c945ec7a7839e5a5f639f194154ec71c

I suspect that this fix will fix the segmentation fault in question. Would you be able to retest whether my fix in fact corrects this problem?
Cannot reproduce on latest git.
*** Bug 655258 has been marked as a duplicate of this bug. ***