Bug 1447 - Accessing freed memory in libSM
Summary: Accessing freed memory in libSM
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Lib/other
Version: git
Hardware: x86 (IA32) Linux (All)
Importance: high normal
Assignee: Adam Jackson
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2004-09-23 05:58 UTC by Mark McLoughlin
Modified: 2005-09-29 09:08 UTC
CC: 5 users

See Also:


Attachments
patch against lib/SM/sm_process.c (1.10 KB, patch)
2004-09-23 05:59 UTC, Mark McLoughlin
no flags

Description Mark McLoughlin 2004-09-23 05:58:57 UTC
Library: libSM

The docs for the RegisterClient callback says:

  Call free on the previous_id pointer when it is no longer needed.

However, if the callback returns zero, SmsProcessMessage() still tries to access
previousId even though the callback should have freed it.

The problem showed up in some valgrinding of gnome-session by Kjartan Maraas.

Attaching what I think looks like a reasonable patch.
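A constructed C model of the ownership hand-off the report describes, added here as an illustration; it is not libSM's code, and the handler shape, the callback signature and the "error reply needs the id's length" detail are assumptions. The buggy handler reads the id after the callback has freed it; the fixed one records what it needs before ownership moves and never touches the pointer afterwards.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not libSM code: the server-side RegisterClient callback
 * takes ownership of previous_id and is expected to free it, as the docs say. */
typedef int (*register_client_cb)(char *previous_id);

/* Copy the id out of the wire message into a heap block the callback will own. */
static char *dup_id(const char *wire_id)
{
    size_t n = strlen(wire_id) + 1;
    char *id = malloc(n);
    if (id)
        memcpy(id, wire_id, n);
    return id;
}

/* Manager callbacks that honour the contract: both free previous_id. */
int reject_and_free(char *previous_id) { free(previous_id); return 0; }
int accept_and_free(char *previous_id) { free(previous_id); return 1; }

/* Buggy shape from the report: when the callback rejects the id, the handler
 * still reads the id to size its error reply, but the callback already freed
 * it. This is the invalid read valgrind flagged. Shown for contrast only;
 * calling it is undefined behaviour. */
size_t handle_register_buggy(const char *wire_id, register_client_cb cb)
{
    char *previous_id = dup_id(wire_id);
    if (!previous_id)
        return 0;
    if (cb(previous_id) == 0)
        return strlen(previous_id);   /* use after free */
    return 0;
}

/* Fixed shape: take every fact the handler needs from the id *before* handing
 * it to the callback, then drop the pointer. Returns the rejected id's length
 * (what an error reply would carry in this model) or 0 when it is accepted. */
size_t handle_register_fixed(const char *wire_id, register_client_cb cb)
{
    char *previous_id = dup_id(wire_id);
    if (!previous_id)
        return 0;
    size_t id_len = strlen(previous_id);  /* captured while still valid */
    int accepted = cb(previous_id);       /* ownership moves here */
    previous_id = NULL;                   /* nothing below may touch it */
    return accepted ? 0 : id_len;
}
```

Running the fixed handler under valgrind shows no invalid read, which is the check the reporter used to find the original defect.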
Comment 1 Mark McLoughlin 2004-09-23 05:59:42 UTC
Created attachment 962
patch against lib/SM/sm_process.c
Comment 2 Roland Mainz 2004-09-28 20:38:05 UTC
Who can review the patch?
Comment 3 Kjartan Maraas 2005-02-09 01:33:53 UTC
This is still causing reports of invalid reads in gnome-session, could someone
take a look at this patch in the not too distant future?
Comment 4 Adam Jackson 2005-03-26 19:18:14 UTC
this looks good to me.  i'll commit in a day or so if no one complains.
Comment 5 Adam Jackson 2005-04-03 11:24:44 UTC
applied to head, closing.  thanks!
Comment 6 Kjartan Maraas 2005-09-13 01:25:44 UTC
Reopening since I'm still seeing this in gnome-session:

==4915== Invalid read of size 1
==4915==    at 0x1BA1F847: _SmsProcessMessage (in /usr/X11R6/lib/libSM.so.6.0)
==4915==    by 0x1BA2BC7F: IceProcessMessages (in /usr/X11R6/lib/libICE.so.6.3)
==4915==    by 0x1B9611B5: process_ice_messages (gnome-ice.c:57)
==4915==    by 0x1C67495A: g_io_unix_dispatch (giounix.c:162)
==4915==    by 0x1C64E7A1: g_main_context_dispatch (gmain.c:1934)
==4915==    by 0x1C651575: g_main_context_iterate (gmain.c:2565)
==4915==    by 0x1C651A76: g_main_loop_run (gmain.c:2769)
==4915==    by 0x1BB97834: gtk_main (gtkmain.c:976)
==4915==    by 0x805412C: main (main.c:464)
==4915==  Address 0x1CED3FF8 is 0 bytes inside a block of size 9 free'd
==4915==    at 0x1B90237F: free (vg_replace_malloc.c:235)
==4915==    by 0x8051DDD: register_client (manager.c:889)
==4915==    by 0x1BA1F82C: _SmsProcessMessage (in /usr/X11R6/lib/libSM.so.6.0)
==4915==    by 0x1BA2BC7F: IceProcessMessages (in /usr/X11R6/lib/libICE.so.6.3)
==4915==    by 0x1B9611B5: process_ice_messages (gnome-ice.c:57)
==4915==    by 0x1C67495A: g_io_unix_dispatch (giounix.c:162)
==4915==    by 0x1C64E7A1: g_main_context_dispatch (gmain.c:1934)
==4915==    by 0x1C651575: g_main_context_iterate (gmain.c:2565)
==4915==    by 0x1C651A76: g_main_loop_run (gmain.c:2769)
==4915==    by 0x1BB97834: gtk_main (gtkmain.c:976)
==4915==    by 0x805412C: main (main.c:464)
Comment 7 Kjartan Maraas 2005-09-13 01:41:52 UTC
Btw, this is current Fedora rawhide with gnome 2.12 built from CVS
Comment 8 Mark McLoughlin 2005-09-30 02:08:51 UTC
Kjartan: no-one said anything about this being fixed in rawhide. The fix went
into CVS after 6.8.2