With further examination, I notice that this bug only occurs when a
modem with 3GPP location capability is installed, and I locate the bug at
src/modules/mm07.c (the same bug also exists in mm06.c). If (the context
can be located with the attached patch) the modem has 3GPP location
capability (otherwise, locationstring is NULL and the bug is not
triggered), locationstring will be a g_free()able pointer returned by
g_strdup(), but strsep() modifies its value, so locationstring is
no longer a g_free()able pointer afterwards, and g_free()ing it
causes the program to abort.
This bug should be fixed with the attached patch.
diff -Nrup modem-manager-gui-0.0.19.1/src/modules/mm06.c modem-manager-gui-0.0.19.1.fix/src/modules/mm06.c
--- modem-manager-gui-0.0.19.1/src/modules/mm06.c 2018-04-06 22:43:09.000000000 +0800
+++ modem-manager-gui-0.0.19.1.fix/src/modules/mm06.c 2019-02-19 10:56:32.419076874 +0800
@@ -1581,10 +1581,11 @@ static gboolean mmgui_module_devices_upd
//3GPP location
strlength = 256;
locationstring = g_strdup(g_variant_get_string(locationdata, &strlength));
- device->loc3gppdata[0] = (guint)strtol(strsep(&locationstring, ","), NULL, 10);
- device->loc3gppdata[1] = (guint)strtol(strsep(&locationstring, ","), NULL, 10);
- device->loc3gppdata[2] = (guint)strtol(strsep(&locationstring, ","), NULL, 16);
- device->loc3gppdata[3] = (guint)strtol(strsep(&locationstring, ","), NULL, 16);
+ gchar* finger = locationstring;
+ device->loc3gppdata[0] = (guint)strtol(strsep(&finger, ","), NULL, 10);
+ device->loc3gppdata[1] = (guint)strtol(strsep(&finger, ","), NULL, 10);
+ device->loc3gppdata[2] = (guint)strtol(strsep(&finger, ","), NULL, 16);
+ device->loc3gppdata[3] = (guint)strtol(strsep(&finger, ","), NULL, 16);
g_free(locationstring);
g_variant_unref(locationdata);
g_debug("3GPP location: %u, %u, %4x, %4x", device->loc3gppdata[0], device->loc3gppdata[1], device->loc3gppdata[2], device->loc3gppdata[3]);
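Review bot: The new code still passes a NULL token to strtol() when the location string has fewer than four comma-separated fields: once strsep() has consumed the last field it sets `finger` to NULL and every later call returns NULL, and strtol(NULL, …) is undefined behaviour, so a malformed value (the string comes out of a GVariant, presumably the modem's reported location, and is not validated here) can still crash this update path even after the g_free() ownership fix. The same applies to the mm07.c hunk below. Checking each token before converting, with a fixed default for missing fields, closes this; the ownership fix itself (keeping `locationstring` untouched for g_free()) is right. Minor style point: mm06.c writes `gchar* finger` while mm07.c writes `gchar *finger`; the pointer-binds-to-variable form used in mm07.c is the conventional one. The enclosing mmgui_module_devices_upd… function starts and ends outside the hunk.
```c
gchar *finger = locationstring;
for (gint i = 0; i < 4; i++) {
    const gchar *token = strsep(&finger, ",");
    /* fewer than four fields: store 0 (or the module's "unknown" value)
     * instead of handing NULL to strtol(); fields 0-1 are decimal, 2-3 hex */
    device->loc3gppdata[i] = (token != NULL) ? (guint)strtol(token, NULL, i < 2 ? 10 : 16) : 0;
}
/* … unchanged: g_free(locationstring); g_variant_unref(locationdata); g_debug(...) … */
```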
diff -Nrup modem-manager-gui-0.0.19.1/src/modules/mm07.c modem-manager-gui-0.0.19.1.fix/src/modules/mm07.c
--- modem-manager-gui-0.0.19.1/src/modules/mm07.c 2018-04-06 22:43:09.000000000 +0800
+++ modem-manager-gui-0.0.19.1.fix/src/modules/mm07.c 2019-02-19 10:56:32.419076874 +0800
@@ -1685,10 +1685,11 @@ static gboolean mmgui_module_devices_upd
/*3GPP location*/
strlength = 256;
locationstring = g_strdup(g_variant_get_string(locationdata, &strlength));
- device->loc3gppdata[0] = (guint)strtol(strsep(&locationstring, ","), NULL, 10);
- device->loc3gppdata[1] = (guint)strtol(strsep(&locationstring, ","), NULL, 10);
- device->loc3gppdata[2] = (guint)strtol(strsep(&locationstring, ","), NULL, 16);
- device->loc3gppdata[3] = (guint)strtol(strsep(&locationstring, ","), NULL, 16);
+ gchar *finger = locationstring;
+ device->loc3gppdata[0] = (guint)strtol(strsep(&finger, ","), NULL, 10);
+ device->loc3gppdata[1] = (guint)strtol(strsep(&finger, ","), NULL, 10);
+ device->loc3gppdata[2] = (guint)strtol(strsep(&finger, ","), NULL, 16);
+ device->loc3gppdata[3] = (guint)strtol(strsep(&finger, ","), NULL, 16);
g_free(locationstring);
g_variant_unref(locationdata);
g_debug("3GPP location: %u, %u, %4x, %4x\n", device->loc3gppdata[0], device->loc3gppdata[1], device->loc3gppdata[2], device->loc3gppdata[3]);