[Pidgin] #2439: Double g_free() on msn_disconnection
Pidgin
trac at pidgin.im
Mon Aug 6 15:12:23 EDT 2007
#2439: Double g_free() on msn_disconnection
--------------------------+-------------------------------------------------
Reporter: snakeru | Type: defect
Status: new | Priority: minor
Component: pidgin (gtk) | Version: 2.1.0
Keywords: | Pending: 0
--------------------------+-------------------------------------------------
I am getting segfaults on msn disconnection.
When I tried debugging with valgrind I found the following bug (I am
using beta6, but 2.1.0 has this bug too):
{{{
==8729== Invalid read of size 4
==8729== at 0x461CAF0: msn_switchboard_destroy (switchboard.c:79)
==8729== by 0x461DA40: msn_switchboard_close (switchboard.c:1178)
==8729== by 0x46189C8: msn_session_disconnect (session.c:129)
==8729== by 0x4618D87: msn_session_set_error (session.c:333)
==8729== by 0x4614AE7: out_cmd (notification.c:338)
==8729== by 0x460B883: msn_cmdproc_process_cmd (cmdproc.c:313)
==8729== by 0x460B9D2: msn_cmdproc_process_cmd_text (cmdproc.c:335)
==8729== by 0x4618713: read_cb (servconn.c:445)
==8729== by 0x804D08D: gaim_gnt_io_invoke (gntgaim.c:183)
==8729== by 0x421B52B: (within /usr/lib/libglib-2.0.so.0.1000.3)
==8729== by 0x41F48D5: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.1000.3)
==8729== by 0x41F7995: (within /usr/lib/libglib-2.0.so.0.1000.3)
==8729== Address 0x4AB7640 is 48 bytes inside a block of size 84 free'd
==8729== at 0x401CFCF: free (vg_replace_malloc.c:235)
==8729== by 0x41FBEEB: g_free (in /usr/lib/libglib-2.0.so.0.1000.3)
==8729== by 0x461CBDF: msn_switchboard_destroy (switchboard.c:129)
==8729== by 0x461D643: disconnect_cb (switchboard.c:1005)
==8729== by 0x4617F2B: msn_servconn_disconnect (servconn.c:292)
==8729== by 0x46181D9: msn_servconn_got_error (servconn.c:159)
==8729== by 0x4618515: msn_servconn_write (servconn.c:370)
==8729== by 0x460B5B3: msn_cmdproc_send_quick (cmdproc.c:178)
==8729== by 0x461DA38: msn_switchboard_close (switchboard.c:1176)
==8729== by 0x46189C8: msn_session_disconnect (session.c:129)
==8729== by 0x4618D87: msn_session_set_error (session.c:333)
==8729== by 0x4614AE7: out_cmd (notification.c:338)
}}}
Translated from valgrind's stacks into human language, this is what
happens:
msn_switchboard_close (switchboard.c:1176) tries to do
msn_cmdproc_send_quick(cmdproc, "OUT", NULL, NULL), but that function
discovers the disconnection itself and does msn_switchboard_destroy. So two
lines down msn_switchboard_close performs msn_switchboard_destroy(swboard)
again. While there is some protection in msn_switchboard_destroy against
double deallocation, in the form of swboard->destroying = TRUE, it is still
possible that the deallocated memory has already been claimed and this field
already zeroed.

My lame idea for a quick fix is to set disconnect_cb to zero if we are
going to destroy the switchboard ourselves. Though I haven't tried it and am
not sure whether it will work correctly.
--
Ticket URL: <http://developer.pidgin.im/ticket/2439>
Pidgin <http://pidgin.im>
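The sequence the reporter describes (close sends "OUT", the failed write fires the disconnect callback which destroys the object, then close destroys it again while the `destroying` guard sits in memory that has already been reclaimed) can be reproduced in a small model. The following is an added, constructed example, not code from Pidgin's switchboard.c: the `Switchboard` struct, the `sb_alloc`/`sb_free` pool, and the `run_close` driver are all assumptions. The pool stands in for the real allocator so that a second free is counted rather than crashing the process, and it clears the `destroying` flag on free to imitate the reuse of freed memory that defeats the flag. `run_close(true)` applies the fix the reporter suggests: clearing `disconnect_cb` before the explicit destroy so only one path owns the object's lifetime.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct Switchboard Switchboard;
typedef void (*disconnect_cb_t)(Switchboard *);

/* Reduced model of the object whose lifetime is in question (assumed shape). */
struct Switchboard {
    bool connected;              /* false once the server side has dropped the link */
    bool destroying;             /* guard against re-entrant destroy */
    disconnect_cb_t disconnect_cb; /* fired by the write path when the link is down */
};

/* Toy fixed-size pool replacing malloc/free: records double frees instead of crashing. */
#define MAX_OBJS 4
static Switchboard pool[MAX_OBJS];
static bool in_use[MAX_OBJS];
static int double_free_count;  /* how many times sb_free saw an already-free slot */
static int destroy_calls;      /* how many times switchboard_destroy ran its body */

static Switchboard *sb_alloc(void) {
    for (int i = 0; i < MAX_OBJS; i++) {
        if (!in_use[i]) {
            in_use[i] = true;
            memset(&pool[i], 0, sizeof pool[i]);
            return &pool[i];
        }
    }
    return NULL;
}

static void sb_free(Switchboard *sw) {
    ptrdiff_t i = sw - pool;
    if (!in_use[i]) {           /* second free of the same block: the bug in the ticket */
        double_free_count++;
        return;
    }
    in_use[i] = false;
    sw->destroying = false;     /* imitate the block being reclaimed and overwritten */
}

static void switchboard_destroy(Switchboard *sw) {
    if (sw->destroying)          /* only helps while the memory is still ours */
        return;
    sw->destroying = true;
    destroy_calls++;
    sb_free(sw);
}

/* Stand-in for the write path: a write on a dead link reports an error,
 * and the error handler invokes the disconnect callback. */
static void switchboard_send(Switchboard *sw, const char *cmd) {
    (void)cmd;
    if (!sw->connected && sw->disconnect_cb)
        sw->disconnect_cb(sw);
}

static void on_disconnect(Switchboard *sw) {
    switchboard_destroy(sw);     /* the callback owns teardown on error */
}

/* Model of close(): send "OUT", then destroy. With fixed == true the
 * callback is cleared first (the reporter's proposed fix), so the
 * explicit destroy below is the only one that runs. */
static int run_close(bool fixed) {
    double_free_count = 0;
    destroy_calls = 0;
    Switchboard *sw = sb_alloc();
    sw->connected = false;       /* the link has already gone away, as at msn disconnection */
    sw->disconnect_cb = on_disconnect;
    if (fixed)
        sw->disconnect_cb = NULL; /* we destroy ourselves, so the write path must not */
    switchboard_send(sw, "OUT");
    switchboard_destroy(sw);
    return double_free_count;
}

int main(void) {
    printf("buggy close: %d double free(s), %d destroy call(s)\n",
           run_close(false), destroy_calls);
    printf("fixed close: %d double free(s), %d destroy call(s)\n",
           run_close(true), destroy_calls);
    return 0;
}
```

The model deliberately resets `destroying` inside `sb_free` because that is the scenario the report singles out: a flag stored in the object cannot protect the object once the block it lives in has been freed and handed out again. Any fix has to make sure a single owner performs the destroy, either by disarming the callback as above or by having close skip its own destroy when the write path already reported the error.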