Bug 662568 – [regression] Use-after-free in Templates plugin signal handlers

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 662568 - [regression] Use-after-free in Templates plugin signal handlers


Summary:	[regression] Use-after-free in Templates plugin signal handlers


Status:	RESOLVED FIXED

Product:	evolution
Classification:	Applications
Component:	Mailer
Version:	3.4.x (obsolete)
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	evolution-mail-maintainers
QA Contact:	Evolution QA team

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2011-10-24 01:15 UTC by David Ronis
Modified:	2013-03-25 13:15 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
evo patch (1.78 KB, patch) 2012-12-17 15:08 UTC, Milan Crha	committed	Details \| Review

Description David Ronis 2011-10-24 01:15:33 UTC

I'd just finished building/installing/rstarting the git/master of evo and friends.   I'd deleted an entry in my templates folder and was trying to copy the contents of another template to an e-mail I was 
composing.

Core was generated by `evolution'.
Program terminated with signal 11, Segmentation fault.

+ Trace 228898

Thread 1 (Thread 29357)

#0 gtk_ui_manager_ensure_update
at gtkuimanager.c line 3134
#1 rebuild_template_menu
at templates.c line 1294
#2 g_cclosure_marshal_VOID__POINTER
at gmarshal.c line 609
#3 g_closure_invoke
at gclosure.c line 774
#4 signal_emit_unlocked_R
at gsignal.c line 3272
#5 g_signal_emit_valist
at gsignal.c line 3003
#6 g_signal_emit
at gsignal.c line 3060
#7 folder_emit_changed_cb
at camel-folder.c line 173
#8 g_idle_dispatch
at gmain.c line 4506
#9 g_main_dispatch
at gmain.c line 2387
#10 g_main_context_dispatch
at gmain.c line 2924
#11 g_main_context_iterate
at gmain.c line 2995
#12 g_main_context_iterate
at gmain.c line 2932
#13 g_main_loop_run
at gmain.c line 3189
#14 gtk_main
at gtkmain.c line 1362
#15 main
at main.c line 686

Comment 1 Milan Crha 2011-10-24 13:00:35 UTC

Could you provide steps with what you click & press, please? I tried to reproduce by the description steps, but no luck. The best if you can do it with fresh evolution. Thanks in advance.

Comment 2 Fabio Durán Verdugo 2011-12-10 18:06:47 UTC

David can you reply the comment 1 ? thank

Comment 3 David Ronis 2011-12-11 17:12:16 UTC

I thought that I'd done the following:

In the mailer 

press  New
The go back to the mail UI and select one of my templates.
Highlight the portion of the template you want in the new message, and press copy.
Go back to the new message and press paste.

I just tried this and it worked as expected.
(maybe this is a consequence of some other bug that was fixed).
I guess you should close this.

Comment 4 Milan Crha 2012-01-04 10:27:24 UTC

Donwstream bug report about the same from 3.2.2:
https://bugzilla.redhat.com/show_bug.cgi?id=771371

Comment 5 Milan Crha 2012-06-05 07:09:05 UTC

Downstream bug report about the same from 3.4.1:
https://bugzilla.redhat.com/show_bug.cgi?id=828590

comment:        Sending a mail with large attachments, and attempted to save as template because sending stalled for minutes

Core was generated by `evolution'.
Program terminated with signal 11, Segmentation fault.

+ Trace 230310

Thread 1 (Thread 0x7f67aeebc9c0 (LWP 1408))

#0 gtk_ui_manager_ensure_update
at gtkuimanager.c line 3186
#1 rebuild_template_menu
at templates.c line 1323
#2 g_closure_invoke
at gclosure.c line 777
#3 signal_emit_unlocked_R
at gsignal.c line 3547
#4 g_signal_emit_valist
at gsignal.c line 3296
#5 g_signal_emit
at gsignal.c line 3352
#6 folder_emit_changed_cb
at camel-folder.c line 190
#7 g_main_dispatch
at gmain.c line 2539
#8 g_main_context_dispatch
at gmain.c line 3075
#9 g_main_context_iterate
at gmain.c line 3146
#10 g_main_loop_run
at gmain.c line 3340
#11 gtk_main
at gtkmain.c line 1161
#12 main
at main.c line 681

Comment 6 Matthew Barnes 2012-06-06 16:17:47 UTC

I noticed in the Templates plugin, the signal handlers we connect to the Templates folder and local store in response to a new mail shell view are never disconnected.  So if the shell window gets destroyed and Evolution keeps running, the signal handlers for the destroyed window will continue to run.

Need to make sure the signal handlers get cleaned up.

Comment 7 Milan Crha 2012-12-17 15:08:19 UTC

Created attachment 231726 [details] [review]
evo patch

for evolution;

This fixes it. It's like Matthew wrote, the signals are not disconnected when the ShellWindow dies, thus the callbacks operate on a freed memory. I'm postponing the patch for time when 3.7.3.1 is out.

Comment 8 Milan Crha 2013-03-25 13:15:03 UTC

Oops, I completely forgot of this bug report :-/

Created commit 7bd4880 in evo master (3.9.1+)
Created commit 6dc98a0 in evo gnome-3-8 (3.8.1+)