Bugs item #1692546, was opened at 2007-04-01 14:21
Message generated for change (Comment added) made by sf-robot

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
>Status: Closed
Resolution: None
Priority: 5
Private: No
Submitted By: Tasci Synx (synx13)
Assigned to: Nathan Walp (faceprint)
Summary: Memory corruption when getting Jabber User Info

Initial Comment:
With the latest SVN of gaim as of today, I can reproduce a hideous crash simply 
by logging into a jabber account, then requesting the User Info of one of my 
buddies. Only with Jabber, requesting the User Info causes gaim to free an 
invalid pointer, causing it to crash immediately without a stack trace. 
Valgrind to the rescue, it reveals that there is a spot in 
libgaim/jabber/buddy.c that is freeing an invalid pointer. Only trouble is... 
the pointer is valid! I printed out the result of g_strdup that assigns the ID, 
and then the pointer to be freed, and their addresses and values were 
identical.  I'm fairly sure g_strdup always returns a pointer that may be used 
in g_free.

The problem is in libgaim/jabber/buddy.c on line 736, far as I can tell.  I'll 
attach my valgrind log (memcheck full) during a session where I caused this 
crash. I have a hunch the problem isn't here at all, but instead somewhere else 
where memory gets corrupted, and only on line 736 does the awful deed come to 
light.  Line 736 is ALWAYS reached by a pointer that can be freed, as I found 
when adding a gaim_debug_log("jabber","ID Remove %p:%s",l->data,l->data); 
around that g_free statement. Yet somehow glibc and valgrind both claim that an 
invalid pointer is being freed.  A very puzzling problem.

I should add that beta 6 does NOT have this problem. I can read the user infos 
just fine. In fact I haven't noticed this crash in SVN since at least last 
week, but I can't back that up. Anyone who knows the SVN version of beta 6 can 
attach a diff here if they so please.

...ok, final note: I can't attach my valgrind log since sourceforge thinks it's 
too big to attach.  Try getting it from http://synx.us.to/valgrind.log


>Comment By: SourceForge Robot (sf-robot)
Date: 2007-04-17 19:20

Logged In: YES 
Originator: NO

This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).


Comment By: Nathan Walp (faceprint)
Date: 2007-04-02 21:53

Logged In: YES 
Originator: NO

This was fixed in SVN.  The code now looks like:

        if(!strcmp(id, l->data)) {
            gpointer tmp = l->data;
            jbi->ids = g_slist_remove(jbi->ids, l->data);     // current line 736

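Added example, not code from gaim/libgaim or from anyone in this thread. The fix quoted above saves l->data into tmp before calling g_slist_remove(), because g_slist_remove() frees the list node that l points at; any later read of l->data goes through freed memory, and the allocator has typically overwritten the first word of that node with its own bookkeeping pointer, which is exactly the "invalid pointer" that glibc and valgrind complain about even though the string pointer itself was valid a moment earlier. The pre-fix shape (free through l->data after the removal) is inferred from the report and the quoted fix, not copied from the old buddy.c. The list type below is a small stand-in with the same ownership rule as GSList/g_slist_remove() (the node is freed, the payload is not), so the example builds without GLib; the "iq-N" ids are constructed sample values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for GLib's GSList (assumption: same shape and ownership rules). */
typedef struct SList {
    void *data;
    struct SList *next;
} SList;

static char *dup_str(const char *s) {          /* portable strdup */
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    return memcpy(p, s, n);
}

SList *slist_prepend(SList *list, void *data) {
    SList *n = malloc(sizeof *n);
    if (!n) abort();
    n->data = data;
    n->next = list;
    return n;
}

/* Like g_slist_remove(): unlink the first node whose payload pointer equals
 * data and free that NODE. The payload is untouched; the node is now dangling. */
SList *slist_remove(SList *list, const void *data) {
    for (SList **pp = &list; *pp; pp = &(*pp)->next) {
        if ((*pp)->data == data) {
            SList *victim = *pp;
            *pp = victim->next;
            free(victim);
            break;
        }
    }
    return list;
}

size_t slist_length(const SList *l) {
    size_t n = 0;
    for (; l; l = l->next) n++;
    return n;
}

int slist_contains(const SList *l, const char *id) {
    for (; l; l = l->next)
        if (strcmp(id, (const char *)l->data) == 0) return 1;
    return 0;
}

void slist_free_full(SList *l) {
    while (l) { SList *next = l->next; free(l->data); free(l); l = next; }
}

/* Constructed sample: three tracked IQ ids, oldest first. */
SList *build_sample_ids(void) {
    SList *ids = NULL;
    ids = slist_prepend(ids, dup_str("iq-3"));
    ids = slist_prepend(ids, dup_str("iq-2"));
    ids = slist_prepend(ids, dup_str("iq-1"));
    return ids;
}

/* Inferred pre-fix shape. NOT called anywhere: slist_remove() frees node l,
 * so the following l->data is a use-after-free read, and free() then gets
 * whatever the allocator left in that slot, not the string. */
SList *remove_id_buggy(SList *ids, const char *id) {
    for (SList *l = ids; l; l = l->next) {
        if (strcmp(id, (const char *)l->data) == 0) {
            ids = slist_remove(ids, l->data);   /* node l is freed here */
            free(l->data);                       /* undefined behaviour */
            break;
        }
    }
    return ids;
}

/* Fixed shape, matching the SVN fix: copy the payload pointer out of the node
 * first, unlink the node, free the saved copy, and stop walking (l is dead). */
SList *remove_id_fixed(SList *ids, const char *id) {
    for (SList *l = ids; l; l = l->next) {
        if (strcmp(id, (const char *)l->data) == 0) {
            void *tmp = l->data;                 /* taken before the node dies */
            ids = slist_remove(ids, l->data);    /* frees node l */
            free(tmp);                           /* frees the string, not via l */
            break;                               /* do not touch l again */
        }
    }
    return ids;
}

int main(void) {
    SList *ids = build_sample_ids();
    ids = remove_id_fixed(ids, "iq-2");
    printf("remaining=%zu iq-2 present=%d\n",
           slist_length(ids), slist_contains(ids, "iq-2"));
    slist_free_full(ids);
    return 0;
}
```

Running the fixed path under valgrind shows no invalid reads or frees; the buggy function is left in only so the two shapes can be compared side by side, and a memcheck run of it would report the invalid read of l->data followed by the invalid free, the same pair the original valgrind log describes.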

Comment By: Ka-Hing Cheung (bsponline)
Date: 2007-04-01 16:38

Logged In: YES 
Originator: NO

duplicate of 1676403, but this one has a link to a valgrind trace...


Gaim-bugs mailing list