GNOME Bugzilla – Bug 762490
Add bounds check so that the code doesn't segfault
Last modified: 2016-02-27 10:09:51 UTC
I got a segfault on Polari and the stack trace pointed to this bit of code and it turned out that removed->len was 1 and added->len and added->pdata was NULL.
Created attachment 321896 [details] [review] Add bounds check so that the code doesn't segfault
Mmh, do you have an example of when that happens? It seems pretty odd that a *rename* operation can be from or to "nothing". (This seems relevant for deciding of whether to ignore the operation like in your patch, or emit the signal with "" as fallback)
I'm not a hundred percent sure what exactly happened as Polari was in the background when it happened, but at the time there was some activity for me on Freenode related to joining #linux vs ##linux and some automation thereof.
The only clear example I can give is a 200MB core file that I can provide on request. I tried to make sense of it but didn't get anywhere meaningful. Emitting "" as such won't work (right?) as the data emitted is supposed to be a contact, not a string.
(In reply to Daniel Landau from comment #4) > Emitting "" as such won't work (right?) as the data emitted is supposed to > be a contact, not a string. Yeah, I thought we were emitting strings, sorry. I did some digging around, and it looks like we have two options: - empathy does indeed something similar to your patch[0], so we could follow that (a warning as in their code looks useful though) - pick up the new contact from local/remote_pending if necessary, which is what apparently is going on here[1] The first option is a tad bit easier (just add a warning to your patch), but I'm a bit worried that this could mess up contact tracking we'll need to implement stuff like bug 760853. So I prefer the second option, or possibly a combination of the two: GPtrArray *new_handle; if (added->len > 0) new_handle = added; else if (local_pending->len > 0) new_handle = local_pending; else new_handle = remove_pending; if (removed->len != 1 || new_handle->len != 1) g_warning ("RENAMED with %u added, %u removed (expected 1, 1)", new_handle->len, removed->len); else g_signal_emit(...); break; [0] https://git.gnome.org/browse/empathy/tree/libempathy/empathy-tp-chat.c#n844 [1] https://cgit.freedesktop.org/telepathy/telepathy-idle/tree/src/idle-muc-channel.c#n1130
Reading https://telepathy.freedesktop.org/doc/book/sect.channel.groups.html I don't get the feeling that we should handle local_pending or remove_pending in any way here.
Created attachment 322518 [details] [review] Add bounds check so that the code doesn't segfault I added a warning.
OK, let's go with this ... Attachment 322518 [details] pushed as 6524012 - Add bounds check so that the code doesn't segfault