From 113d9c15ac9d1cc5f120d859d284ffb55f80d54e Mon Sep 17 00:00:00 2001
From: Rui Matos <tiagomatos@gmail.com>
Date: Mon, 24 Apr 2017 14:39:05 +0200
Subject: [PATCH] atk-adaptor/bridge: Fix GList handling resulting in memory
corruption
As pointed out by this valgrind log:
==2809== Thread 1:
==2809== Invalid write of size 8
==2809== at 0x18FCF001: remove_events (bridge.c:759)
==2809== by 0x18FCF001: handle_event_listener_deregistered (bridge.c:788)
==2809== by 0x18FCF001: signal_filter (bridge.c:827)
==2809== by 0x200ECDFD: dbus_connection_dispatch (dbus-connection.c:4631)
==2809== by 0x1FEBD0F4: ??? (in /usr/lib64/libatspi.so.0.0.1)
==2809== by 0xFD8D4C8: g_main_dispatch (gmain.c:3201)
==2809== by 0xFD8D4C8: g_main_context_dispatch (gmain.c:3854)
==2809== by 0xFD8D817: g_main_context_iterate.isra.21 (gmain.c:3927)
==2809== by 0xFD8DAE9: g_main_loop_run (gmain.c:4123)
==2809== by 0xDFF84B4: gtk_main (in /usr/lib64/libgtk-3.so.0.2200.10)
==2809== by 0x403DE0: main (in /usr/bin/evolution)
==2809== Address 0x29f22540 is 16 bytes inside a block of size 24 free'd
==2809== at 0x4C2ACDD: free (vg_replace_malloc.c:530)
==2809== by 0xFD92BCD: g_free (gmem.c:189)
==2809== by 0xFDAA518: g_slice_free1 (gslice.c:1136)
==2809== by 0xFD89463: g_list_remove (glist.c:521)
==2809== by 0x18FCF000: remove_events (bridge.c:759)
==2809== by 0x18FCF000: handle_event_listener_deregistered (bridge.c:788)
==2809== by 0x18FCF000: signal_filter (bridge.c:827)
==2809== by 0x200ECDFD: dbus_connection_dispatch (dbus-connection.c:4631)
==2809== by 0x1FEBD0F4: ??? (in /usr/lib64/libatspi.so.0.0.1)
==2809== by 0xFD8D4C8: g_main_dispatch (gmain.c:3201)
==2809== by 0xFD8D4C8: g_main_context_dispatch (gmain.c:3854)
==2809== by 0xFD8D817: g_main_context_iterate.isra.21 (gmain.c:3927)
==2809== by 0xFD8DAE9: g_main_loop_run (gmain.c:4123)
==2809== by 0xDFF84B4: gtk_main (in /usr/lib64/libgtk-3.so.0.2200.10)
==2809== by 0x403DE0: main (in /usr/bin/evolution)
==2809== Block was alloc'd at
==2809== at 0x4C29BE3: malloc (vg_replace_malloc.c:299)
==2809== by 0xFD92ABD: g_malloc (gmem.c:94)
==2809== by 0xFDA9EFD: g_slice_alloc (gslice.c:1025)
==2809== by 0xFD89983: g_list_append (glist.c:261)
==2809== by 0x18FCE7EE: add_event (bridge.c:80)
==2809== by 0x18FCE7EE: add_event_from_iter (bridge.c:217)
==2809== by 0x18FCEEF6: handle_event_listener_registered (bridge.c:721)
==2809== by 0x18FCEEF6: signal_filter (bridge.c:825)
==2809== by 0x200ECDFD: dbus_connection_dispatch (dbus-connection.c:4631)
==2809== by 0x1FEBD0F4: ??? (in /usr/lib64/libatspi.so.0.0.1)
==2809== by 0xFD8D4C8: g_main_dispatch (gmain.c:3201)
==2809== by 0xFD8D4C8: g_main_context_dispatch (gmain.c:3854)
==2809== by 0xFD8D817: g_main_context_iterate.isra.21 (gmain.c:3927)
==2809== by 0xFD8DAE9: g_main_loop_run (gmain.c:4123)
==2809== by 0xDFF84B4: gtk_main (in /usr/lib64/libgtk-3.so.0.2200.10)
This line:
list->prev = g_list_remove (list->prev, evdata);
writes over free'd memory since the list link pointed to by the 'list'
pointer is free'd by g_list_remove(). We can use g_list_delete_link()
instead to achieve the intended result (and not re-iterate the whole
list) with less code overall.
Thanks to Milan Crha <mcrha@redhat.com> for investigating and
providing the valgrind log.
https://bugzilla.gnome.org/show_bug.cgi?id=781658
---
atk-adaptor/bridge.c | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/atk-adaptor/bridge.c b/atk-adaptor/bridge.c
|
|
|
e79fdb |
index 7de84d4..0b2b736 100644
|
|
|
e79fdb |
--- a/atk-adaptor/bridge.c
|
|
|
e79fdb |
+++ b/atk-adaptor/bridge.c
|
|
|
e79fdb |
@@ -748,22 +748,17 @@ remove_events (const char *bus_name, const char *event)
|
|
|
e79fdb |
if (!g_strcmp0 (evdata->bus_name, bus_name) &&
|
|
|
e79fdb |
spi_event_is_subtype (evdata->data, remove_data))
|
|
|
e79fdb |
{
|
|
|
e79fdb |
+ GList *next;
|
|
|
e79fdb |
GList *events = spi_global_app_data->events;
|
|
|
e79fdb |
+
|
|
|
e79fdb |
g_strfreev (evdata->data);
|
|
|
e79fdb |
g_free (evdata->bus_name);
|
|
|
e79fdb |
g_slist_free_full (evdata->properties, free_property_definition);
|
|
|
e79fdb |
g_free (evdata);
|
|
|
e79fdb |
- if (list->prev)
|
|
|
e79fdb |
- {
|
|
|
e79fdb |
- GList *next = list->next;
|
|
|
e79fdb |
- list->prev = g_list_remove (list->prev, evdata);
|
|
|
e79fdb |
- list = next;
|
|
|
e79fdb |
- }
|
|
|
e79fdb |
- else
|
|
|
e79fdb |
- {
|
|
|
e79fdb |
- spi_global_app_data->events = g_list_remove (events, evdata);
|
|
|
e79fdb |
- list = spi_global_app_data->events;
|
|
|
e79fdb |
- }
|
|
|
e79fdb |
+
|
|
|
e79fdb |
+ next = list->next;
|
|
|
e79fdb |
+ spi_global_app_data->events = g_list_delete_link (events, list);
|
|
|
e79fdb |
+ list = next;
|
|
|
e79fdb |
}
|
|
|
e79fdb |
else
|
|
|
e79fdb |
{
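Review bot: In the new lines, `g_free (evdata)` runs while the node is still linked into `spi_global_app_data->events` with `list->data` pointing at the freed struct, so the global list briefly holds a dangling entry until `g_list_delete_link` executes; nothing in the hunk dereferences it, but unlinking first is the safer order: move `next = list->next;` and `spi_global_app_data->events = g_list_delete_link (spi_global_app_data->events, list);` above the four free calls. With that, the `GList *events` snapshot local is used only once and can be dropped. The loop header that sets `list` and `evdata` is outside the hunk, so the assumption that `evdata` is `list->data` comes only from the old `g_list_remove (..., evdata)` call and the valgrind trace.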
--
2.9.3