! Please note that this is a snapshot of our old Bugzilla server, which is read only since May 29, 2020. Please go to gitlab.xfce.org for our new server !
invalid call to free()
Status:
RESOLVED: FIXED
Product:
Libxfcegui4
Component:
General

Comments

Description Pavol Rusnak 2009-10-21 16:10:59 CEST
I believe I've found a race condition during the first Xfce launch.

When there are no files in the user's home directory, xfwm4 crashes with this error:

*** glibc detected *** xfwm4: free(): invalid pointer: 0x080de928 ***
======= Backtrace: =========
/lib/libc.so.6[0xb754c50b]
/lib/libc.so.6(cfree+0xd9)[0xb7551049]
/usr/lib/libglib-2.0.so.0(g_free+0x36)[0xb77e3916]
/usr/lib/libxfce4kbd-private.so.5[0xb7ea22c7]
/usr/lib/libgobject-2.0.so.0(g_object_newv+0x9ca)[0xb787913a]
/usr/lib/libgobject-2.0.so.0(g_object_new_valist+0x34a)[0xb787966a]
/usr/lib/libgobject-2.0.so.0(g_object_new+0x70)[0xb7879780]
/usr/lib/libxfce4kbd-private.so.5(xfce_shortcuts_provider_new+0x36)[0xb7ea1b96]
xfwm4[0x807cceb]
xfwm4[0x806ae93]
/lib/libc.so.6(__libc_start_main+0xfe)[0xb74f5ace]
xfwm4[0x80503e1]

When I run xfwm4 from the console it starts, and any subsequent Xfce starts are OK (with xfwm4).

I tracked the problem deeper and the invalid free() call happens here:
http://git.xfce.org/xfce/libxfcegui4/tree/libxfce4kbd-private/xfce-shortcuts-provider.c?id=xfce-4.6.1#n299 (g_free() at line 299)

I'm no GLib expert, so I created a workaround and it works (no xfwm4 crash at first start) - see attachment. Is the fix OK, or should it be fixed in another way? Thanks!
Comment 1 Pavol Rusnak 2009-10-21 16:12:52 CEST
Created attachment 2623 
proposed fix
Comment 2 Pavol Rusnak 2009-10-21 17:41:59 CEST
Seems that the workaround doesn't work on i586 :-/
Comment 3 Pavol Rusnak 2009-10-22 11:46:27 CEST
Created attachment 2624 
new proposed fix

This patch fixes the problem on both x86 and x86_64.
Comment 4 Olivier Fourdan editbugs 2009-10-22 13:09:25 CEST
What is the rationale behind the fix?
Comment 5 Pavol Rusnak 2009-10-22 13:21:29 CEST
This is not a fix, but rather a workaround. I think the code somehow writes outside of the allocated range and this is detected when freeing the pointer. Increasing the array size prevents the corruption from happening. I would fix the code in the proper place, but was not able to find it :-/
Comment 6 Nick Schermer editbugs 2009-10-22 13:26:02 CEST
+2 should be enough (1 for the appended name and 1 for the NULL terminator).
Comment 7 Pavol Rusnak 2009-10-22 13:30:44 CEST
I thought so, but +2 didn't work on my i586 machine (mysteriously it worked on x86-64). +3 fixes both platforms.
Comment 8 Guido Berhoerster 2011-01-04 20:41:07 CET
I just wasted time debugging this since it has now been carried over to libxfce4ui. Can you please get this buffer overflow fixed in both libxfcegui4 and libxfce4ui? +2 is enough, since g_new uses the size of the type passed to it.
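The sizing rule from comments 6 and 8, as an added illustration (not the libxfce4kbd-private code): a NULL-terminated string vector that copies n existing entries and appends one more needs n + 2 pointer slots, and an allocation of only n slots writes two pointers past the end of the heap block, which is what glibc's free() later reports as "invalid pointer". The functions below are hypothetical names using plain malloc instead of g_new, so the example builds without GLib.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Pointer slots a NULL-terminated vector needs for n copied entries
 * plus one appended entry: n copies + 1 appended + 1 terminator. */
size_t slots_needed(size_t n)
{
    return n + 2;
}

/* How many pointer stores land past the end of an allocation of
 * n + extra slots. Returns 0 once extra >= 2, matching comment 6. */
size_t writes_past_end(size_t n, size_t extra)
{
    size_t need = slots_needed(n);
    size_t have = n + extra;
    return need > have ? need - have : 0;
}

/* Correctly sized construction: copy `names`, append `appended`, and
 * terminate with NULL. Every store below stays inside the allocation. */
char **build_with_appended(const char *const *names, size_t n, const char *appended)
{
    char **out = calloc(slots_needed(n), sizeof *out);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        out[i] = strdup(names[i]);   /* slots 0 .. n-1: existing entries */
    out[n] = strdup(appended);       /* slot n: the appended name */
    out[n + 1] = NULL;               /* slot n+1: terminator */
    return out;
}

/* Length of a NULL-terminated vector (like g_strv_length). */
size_t strv_length(char *const *v)
{
    size_t len = 0;
    while (v[len] != NULL)
        len++;
    return len;
}

/* Release a vector built by build_with_appended (like g_strfreev). */
void free_strv(char **v)
{
    if (v == NULL)
        return;
    for (size_t i = 0; v[i] != NULL; i++)
        free(v[i]);
    free(v);
}
```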
Comment 9 Nick Schermer editbugs 2011-01-04 21:27:21 CET
Fixed in 4bded49 in libxfce4ui.

Bug #5892

Reported by:
Pavol Rusnak
Reported on: 2009-10-21
Last modified on: 2011-01-04

People

Assignee:
Xfce Bug Triage
CC List:
4 users

Attachments

proposed fix (674 bytes, patch)
2009-10-21 16:12 CEST , Pavol Rusnak
no flags
new proposed fix (674 bytes, patch)
2009-10-22 11:46 CEST , Pavol Rusnak
no flags