[Pidgin] #14430: IBB receiver reads struct after free (at completion of transfer)

Pidgin trac at pidgin.im
Sun Jul 17 01:47:51 EDT 2011

#14430: IBB receiver reads struct after free (at completion of transfer)
------------------------+---------------------------------------------------
 Reporter:  darkrain42  |     Owner:  malu 
     Type:  defect      |    Status:  new  
Component:  XMPP        |   Version:  2.9.0
 Keywords:              |  
------------------------+---------------------------------------------------
 While trying to reproduce another file transfer situation, I ran across
 this in valgrind.

 {{{
 (22:40:44) jabber: Recv (ssl)(1397): <iq id='purple267a717a' type='set' to='me' from='my friend'><data xmlns='http://jabber.org/protocol/ibb' seq='1' sid='purple267a7176'>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</data></iq>
 (22:40:44) jabber: got 908 bytes of data on IBB stream
 (22:40:44) jabber: calling IBB callback for received data
 (22:40:44) jabber: about to write 908 bytes from IBB stream
 (22:40:44) xfer: Prpl (and UI) ready on ft 0x219548f0, so proceeding
 (22:40:44) jabber: jabber_si_xfer_free: destroying IBB session
 (22:40:44) jabber: IBB: destroying session 0x29e031a0 purple267a7176
 (22:40:44) jabber: Sending (ssl) (me): <iq type='set' id='purpleafaa4128' to='my friend'><close xmlns='http://jabber.org/protocol/ibb' sid='purple267a7176'/></iq>
 (22:40:44) jabber: jabber_si_xfer_free(): freeing jsx 0x21934360
 ==25203== Invalid read of size 2
 ==25203==    at 0x1DB12695: jabber_ibb_parse (ibb.c:455)
 ==25203==    by 0x1DB1C00A: jabber_process_packet (jabber.c:345)
 ==25203==    by 0x1DB28FA6: jabber_parser_element_end_libxml (parser.c:169)
 ==25203==    by 0x6345A92: ??? (in /usr/lib/libxml2.so.2.7.8)
 ==25203==    by 0x634C92F: ??? (in /usr/lib/libxml2.so.2.7.8)
 ==25203==    by 0x634E0A7: xmlParseChunk (in /usr/lib/libxml2.so.2.7.8)
 ==25203==    by 0x1DB2901C: jabber_parser_process (parser.c:279)
 ==25203==    by 0x1DB17E91: jabber_recv_cb_ssl (jabber.c:659)
 ==25203==    by 0x46E87D: pidgin_io_invoke (gtkeventloop.c:73)
 ==25203==    by 0x90044A2: g_main_context_dispatch (gmain.c:2440)
 ==25203==    by 0x9004C7F: g_main_context_iterate.clone.6 (gmain.c:3091)
 ==25203==    by 0x90052F1: g_main_loop_run (gmain.c:3299)
 ==25203==    by 0x679AA76: gtk_main (gtkmain.c:1256)
 ==25203==    by 0x435858: main (gtkmain.c:934)
 ==25203==  Address 0x29e031c2 is 34 bytes inside a block of size 112 free'd
 ==25203==    at 0x4C268FE: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==25203==    by 0x1DB2D7C6: jabber_si_xfer_free (si.c:1357)
 ==25203==    by 0x9319E11: purple_xfer_end (ft.c:1453)
 ==25203==    by 0x931A81A: do_transfer (ft.c:1262)
 ==25203==    by 0x1DB1268C: jabber_ibb_parse (ibb.c:442)
 ==25203==    by 0x1DB1C00A: jabber_process_packet (jabber.c:345)
 ==25203==    by 0x1DB28FA6: jabber_parser_element_end_libxml (parser.c:169)
 ==25203==    by 0x6345A92: ??? (in /usr/lib/libxml2.so.2.7.8)
 ==25203==    by 0x634C92F: ??? (in /usr/lib/libxml2.so.2.7.8)
 ==25203==    by 0x634E0A7: xmlParseChunk (in /usr/lib/libxml2.so.2.7.8)
 ==25203==    by 0x1DB2901C: jabber_parser_process (parser.c:279)
 ==25203==    by 0x1DB17E91: jabber_recv_cb_ssl (jabber.c:659)
 ==25203==    by 0x46E87D: pidgin_io_invoke (gtkeventloop.c:73)
 ==25203==    by 0x90044A2: g_main_context_dispatch (gmain.c:2440)
 ==25203==    by 0x9004C7F: g_main_context_iterate.clone.6 (gmain.c:3091)
 ==25203==    by 0x90052F1: g_main_loop_run (gmain.c:3299)
 ==25203==    by 0x679AA76: gtk_main (gtkmain.c:1256)
 ==25203==    by 0x435858: main (gtkmain.c:934)
 ==25203==
 }}}
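An added illustration of the pattern the valgrind trace shows, written for this ticket and not Pidgin's code: the IBB data callback (ibb.c:442) completes the transfer, which frees the session, and the parser then reads a 2-byte field of that freed session (ibb.c:455). The model below is constructed; the session table, field names and the re-lookup-by-sid mitigation are assumptions, with a 16-bit recv_seq standing in for the field valgrind flagged.

```c
#include <stdlib.h>
#include <string.h>
typedef struct ibb_session {
    char sid[32];
    unsigned short recv_seq;   /* next expected seq; stands in for the 2-byte field valgrind flagged */
    size_t received, total;
    void (*data_cb)(struct ibb_session *s, const void *d, size_t n);
} ibb_session;

#define MAX_SESSIONS 4
static ibb_session *sessions[MAX_SESSIONS];   /* hypothetical stand-in for the sid-keyed table */
static ibb_session *ibb_lookup(const char *sid) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i] && strcmp(sessions[i]->sid, sid) == 0) return sessions[i];
    return NULL;
}
static void ibb_destroy(ibb_session *s) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i] == s) sessions[i] = NULL;
    free(s);
}
/* Transfer-side callback: when the last bytes land the transfer ends and tears the
 * IBB session down, as jabber_si_xfer_free does inside do_transfer in the trace. */
static void xfer_data_cb(ibb_session *s, const void *d, size_t n) {
    (void)d;
    if ((s->received += n) >= s->total) ibb_destroy(s);
}

ibb_session *ibb_open(const char *sid, size_t total) {
    int i = 0;
    while (i < MAX_SESSIONS && sessions[i]) i++;
    ibb_session *s = (i < MAX_SESSIONS) ? calloc(1, sizeof *s) : NULL;
    if (!s) return NULL;
    strncpy(s->sid, sid, sizeof s->sid - 1);
    s->total = total;
    s->data_cb = xfer_data_cb;
    return sessions[i] = s;
}

/* 1: chunk consumed; 0: the callback closed the session; -1: unknown sid or bad seq */
int ibb_parse_data(const char *sid, unsigned short seq, const void *d, size_t n) {
    ibb_session *s = ibb_lookup(sid);
    if (!s || seq != s->recv_seq) return -1;
    s->data_cb(s, d, n);
    /* Buggy form: s->recv_seq++ right here, on a pointer the callback may have freed.
     * Mitigation: re-resolve by sid; NULL means the session is gone, so stop here. */
    if (!(s = ibb_lookup(sid))) return 0;
    s->recv_seq++;
    return 1;
}
```

Under valgrind the buggy form reproduces the "Invalid read of size 2" on the final chunk; the re-lookup returns 0 there instead of touching freed memory.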

-- 
Ticket URL: <http://developer.pidgin.im/ticket/14430>
Pidgin <http://pidgin.im>