GNOME Bugzilla – Bug 686445
Use-after-free in panel_object_loader_stop_loading()
Last modified: 2012-10-26 13:21:14 UTC
Extracting this from bug #683406: Valgrind claims use-after-free in panel_object_loader_stop_loading()

Invalid read of size 1
   at 0x4C2A054: __GI_strcmp (mc_replace_strmem.c:712)
   by 0x45F7D7: panel_object_loader_stop_loading (panel-object-loader.c:125)
   by 0x45FE70: panel_object_loader_idle_handler (panel-object-loader.c:241)
   by 0x7B70204: g_main_context_dispatch (gmain.c:2539)
   by 0x7B70537: g_main_context_iterate.isra.23 (gmain.c:3146)
   by 0x7B70931: g_main_loop_run (gmain.c:3340)
   by 0x5A072D4: gtk_main (gtkmain.c:1161)
   by 0x424E9E: main (main.c:117)
 Address 0x16cf54b0 is 0 bytes inside a block of size 9 free'd
   at 0x4C27D4E: free (vg_replace_malloc.c:427)
   by 0x45F66B: free_object_to_load (panel-object-loader.c:75)
   by 0x45F7B1: panel_object_loader_stop_loading (panel-object-loader.c:120)
   by 0x45FE70: panel_object_loader_idle_handler (panel-object-loader.c:241)
   by 0x7B70204: g_main_context_dispatch (gmain.c:2539)
   by 0x7B70537: g_main_context_iterate.isra.23 (gmain.c:3146)
   by 0x7B70931: g_main_loop_run (gmain.c:3340)
   by 0x5A072D4: gtk_main (gtkmain.c:1161)
   by 0x424E9E: main (main.c:117)
Created attachment 226822: proposed gp patch for gnome-panel

This one is still valid in current master. The 'id' passed into panel_object_loader_stop_loading() can be object->id, but the object is freed within free_object_to_load(), and so is 'id', which makes the memory invalid if it is freed in the first for loop in the function.
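The aliasing the comment above describes, shown in C as an added illustration that is not gnome-panel's code: a hypothetical, simplified model with two singly linked lists (objects_to_load, objects_loading), a buggy stop function that compares against an `id` the first pass may have freed, and a fixed variant that works on a private copy. All names and the scenario are assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified model of the loader's two lists; not gnome-panel's code. */
typedef struct ObjectToLoad { char *id; struct ObjectToLoad *next; } ObjectToLoad;
ObjectToLoad *objects_to_load; /* queued, not started yet */
ObjectToLoad *objects_loading; /* currently being loaded */

ObjectToLoad *push_object(ObjectToLoad **list, const char *id) {
    ObjectToLoad *o = malloc(sizeof *o);
    o->id = strdup(id); o->next = *list; *list = o;
    return o;
}
void free_object_to_load(ObjectToLoad *o) { free(o->id); free(o); }

/* Unlink and free every node whose id matches; returns the number removed. */
int remove_matching(ObjectToLoad **list, const char *id) {
    int n = 0;
    for (ObjectToLoad **pp = list; *pp; ) {
        ObjectToLoad *o = *pp;
        if (strcmp(o->id, id) == 0) { *pp = o->next; free_object_to_load(o); n++; }
        else pp = &o->next;
    }
    return n;
}

/* Shape of the reported defect: when `id` is a node's own id field, the first pass
 * frees that string and the second pass's strcmp() reads freed memory (Valgrind's
 * "Invalid read of size 1"). Kept for comparison only; not exercised below. */
int stop_loading_buggy(const char *id) {
    int n = remove_matching(&objects_to_load, id);    /* may free `id` itself */
    return n + remove_matching(&objects_loading, id); /* use-after-free here */
}

/* Fixed: compare against a private copy, so freeing a node cannot invalidate `id`. */
int stop_loading_fixed(const char *id) {
    char *copy = strdup(id);
    int n = remove_matching(&objects_to_load, copy) + remove_matching(&objects_loading, copy);
    free(copy);
    return n;
}

/* Constructed scenario: "clock" is both queued and loading, and the caller passes the
 * queued node's own id pointer, exactly the aliasing the bug report describes. */
ObjectToLoad *setup_scenario(void) {
    objects_to_load = objects_loading = NULL;
    push_object(&objects_loading, "menu");
    push_object(&objects_loading, "clock");
    return push_object(&objects_to_load, "clock");
}
```

Running the fixed variant on the scenario removes both "clock" entries and leaves only "menu" loading; running the buggy variant with the same aliased pointer is what Valgrind flags.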
Comment on attachment 226822: proposed gp patch

Good catch, please commit. Just make sure to use spaces and not tabs, though ;-)
(In reply to comment #2)
> (From update of attachment 226822)
> Just make sure to use spaces and not tabs, though

Oops, I didn't notice you do not use tabs there. I'll replace them.
Created commit 686c3cf in gp master (3.6.1+)