desktop-packages team mailing list archive
Message #17953
[Bug 852666] Re: gnome-panel reads free memory in panel_object_loader_stop_loading
** Tags added: oneiric
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-panel in Ubuntu.
https://bugs.launchpad.net/bugs/852666
Title:
gnome-panel reads free memory in panel_object_loader_stop_loading
Status in “gnome-panel” package in Ubuntu:
New
Bug description:
Running valgrind on gnome-panel I noticed:
==4781== Invalid read of size 1
==4781==    at 0x4C29FEE: strcmp (mc_replace_strmem.c:538)
==4781==    by 0x45C297: panel_object_loader_stop_loading (panel-object-loader.c:125)
==4781==    by 0x45C947: panel_object_loader_idle_handler (panel-object-loader.c:241)
==4781==    by 0x7515B6C: g_main_context_dispatch (gmain.c:2441)
==4781==    by 0x7516367: g_main_context_iterate.isra.21 (gmain.c:3089)
==4781==    by 0x75168A1: g_main_loop_run (gmain.c:3297)
==4781==    by 0x55E389C: gtk_main (gtkmain.c:1367)
==4781==    by 0x4220EE: main (main.c:117)
==4781==  Address 0x17262f40 is 0 bytes inside a block of size 9 free'd
==4781==    at 0x4C282E0: free (vg_replace_malloc.c:366)
==4781==    by 0x45C12B: free_object_to_load (panel-object-loader.c:75)
==4781==    by 0x45C271: panel_object_loader_stop_loading (panel-object-loader.c:120)
==4781==    by 0x45C947: panel_object_loader_idle_handler (panel-object-loader.c:241)
==4781==    by 0x7515B6C: g_main_context_dispatch (gmain.c:2441)
==4781==    by 0x7516367: g_main_context_iterate.isra.21 (gmain.c:3089)
==4781==    by 0x75168A1: g_main_loop_run (gmain.c:3297)
==4781==    by 0x55E389C: gtk_main (gtkmain.c:1367)
==4781==    by 0x4220EE: main (main.c:117)
==4781==
The code is:
void
panel_object_loader_stop_loading (const char *id)
{
        PanelObjectToLoad *object;
        GSList *l;

        for (l = panel_objects_loading; l; l = l->next) {
                object = l->data;
                if (g_strcmp0 (object->id, id) == 0)
                        break;
        }
        if (l != NULL) {
                panel_objects_loading = g_slist_delete_link (panel_objects_loading, l);
                free_object_to_load (object);
        }

        for (l = panel_objects_to_load; l; l = l->next) {
                object = l->data;
                if (g_strcmp0 (object->id, id) == 0)
                        break;
        }
        if (l != NULL) {
                panel_objects_to_load = g_slist_delete_link (panel_objects_to_load, l);
                free_object_to_load (object);
        }

        if (panel_objects_loading == NULL && panel_objects_to_load == NULL)
                panel_object_loader_queue_initial_unhide_toplevels (NULL);
}
free_object_to_load (object) gets called only 5 lines before strcmp on
the same object.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-panel/+bug/852666/+subscriptions
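Added example, not part of the original bug report or gnome-panel's code: a plain-C model of a two-list removal like the one quoted above, hardened by copying `id` before anything is freed. It assumes the caller passes the freed object's own `id` string, which the report does not show; `Node`, `stop_loading_safe` and the sample ids are hypothetical.

```c
/* Added example, not gnome-panel code; names and the aliasing caller are assumptions. */
#include <stdlib.h>
#include <string.h>
typedef struct Node { char *id; struct Node *next; } Node;

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *c = malloc(n);
    return c ? memcpy(c, s, n) : NULL;
}

static Node *push(Node *head, const char *id) {
    Node *n = malloc(sizeof *n);
    n->id = dup_str(id);
    n->next = head;
    return n;
}

/* Unlink and free the first node whose id matches; returns 1 if removed. */
static int remove_first(Node **head, const char *id) {
    for (Node **p = head; *p; p = &(*p)->next) {
        if (strcmp((*p)->id, id) != 0) continue;
        Node *dead = *p;
        *p = dead->next;
        free(dead->id);  /* any pointer aliasing dead->id dangles from here */
        free(dead);
        return 1;
    }
    return 0;
}

/* Hardened form: copy id before the first free so later compares never touch freed memory. */
int stop_loading_safe(Node **loading, Node **to_load, const char *id) {
    char *key = dup_str(id);
    if (key == NULL) return -1;
    int removed = remove_first(loading, key) + remove_first(to_load, key);
    free(key);
    return removed;
}

/* Constructed scenario: the caller passes the node's own id string. */
int demo(void) {
    Node *loading = push(push(NULL, "clock"), "applet-1");
    Node *to_load = push(NULL, "applet-1");
    int removed = stop_loading_safe(&loading, &to_load, loading->id);
    int ok = removed == 2 && !to_load && !loading->next && !strcmp(loading->id, "clock");
    return remove_first(&loading, "clock") && ok;
}

int main(void) { return demo() ? 0 : 1; }
```

Running the model under valgrind or AddressSanitizer with `key` replaced by `id` in `stop_loading_safe` reports the same kind of invalid read as the trace above.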