Bug 690091 – Avoid possible double free

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 690091 - Avoid possible double free


Summary:	Avoid possible double free


Status:	RESOLVED FIXED

Product:	gnome-control-center
Classification:	Core
Component:	Printers
Version:	3.6.x
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	Marek Kašík
QA Contact:	Control-Center Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2012-12-12 11:41 UTC by Marek Kašík
Modified:	2012-12-12 12:36 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
printers: Avoid possible crash (1.38 KB, patch) 2012-12-12 11:41 UTC, Marek Kašík	committed	Details \| Review

Description Marek Kašík 2012-12-12 11:41:57 UTC

Created attachment 231344 [details] [review]
printers: Avoid possible crash

It can happen that "data->ppd_file_name" is unlinked and freed in install_missing_executables_cb() and again in get_missing_executables_cb().
You can reproduce this by adding new printer in Printers panel when runnnig gnome-control-center in valgrind and looking for errors.

==28050== 2 errors in context 6 of 6:
==28050== Invalid read of size 8
==28050==    at 0x13A90B3A: get_missing_executables_cb (pp-new-printer.c:1164)
==28050==    by 0x320B06DFF6: g_simple_async_result_complete (gsimpleasyncresult.c:775)
==28050==    by 0x320B0BE901: g_dbus_connection_call_done (gdbusconnection.c:5339)
==28050==    by 0x320B06DFF6: g_simple_async_result_complete (gsimpleasyncresult.c:775)
==28050==    by 0x320B06E0F8: complete_in_idle_cb (gsimpleasyncresult.c:787)
==28050==    by 0x3205C47A74: g_main_context_dispatch (gmain.c:2715)
==28050==    by 0x3205C47DA7: g_main_context_iterate.isra.24 (gmain.c:3290)
==28050==    by 0x3205C47E63: g_main_context_iteration (gmain.c:3351)
==28050==    by 0x320B09A7EB: g_application_run (gapplication.c:1624)
==28050==    by 0x408244: main (control-center.c:259)
==28050==  Address 0x1bedb548 is 24 bytes inside a block of size 48 free'd
==28050==    at 0x4A077A6: free (vg_replace_malloc.c:446)
==28050==    by 0x3205C4D7BE: g_free (gmem.c:252)
==28050==    by 0x13A90338: install_missing_executables_cb (pp-new-printer.c:940)
==28050==    by 0x13A90AEA: get_missing_executables_cb (pp-new-printer.c:1158)
==28050==    by 0x320B06DFF6: g_simple_async_result_complete (gsimpleasyncresult.c:775)
==28050==    by 0x320B0BE901: g_dbus_connection_call_done (gdbusconnection.c:5339)
==28050==    by 0x320B06DFF6: g_simple_async_result_complete (gsimpleasyncresult.c:775)
==28050==    by 0x320B06E0F8: complete_in_idle_cb (gsimpleasyncresult.c:787)
==28050==    by 0x3205C47A74: g_main_context_dispatch (gmain.c:2715)
==28050==    by 0x3205C47DA7: g_main_context_iterate.isra.24 (gmain.c:3290)
==28050==    by 0x3205C47E63: g_main_context_iteration (gmain.c:3351)
==28050==    by 0x320B09A7EB: g_application_run (gapplication.c:1624)
==28050==    by 0x408244: main (control-center.c:259)

The problem is present since 3.6. Attached patch fixes it for me.

Marek

Comment 1 Bastien Nocera 2012-12-12 12:04:58 UTC

Review of attachment 231344 [details] [review]:

Looks good.

Comment 2 Marek Kašík 2012-12-12 12:36:14 UTC

Comment on attachment 231344 [details] [review]
printers: Avoid possible crash

Thank you for the review. I've committed it to the master and 3.6.