Bug 28527 - segmentation fault in write_magic_cache
Status: RESOLVED FIXED
Product: shared-mime-info
Classification: Unclassified
Component: general
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium major
Assignee: Shared Mime Info group
Duplicates: 21679
Reported: 2010-06-13 16:55 UTC by Chris KOALI
Modified: 2010-12-01 09:15 UTC


Attachments
patch (502 bytes, patch)
2010-06-13 16:55 UTC, Chris KOALI
test case (540 bytes, text/xml)
2010-10-06 14:24 UTC, Chris KOALI

Description Chris KOALI 2010-06-13 16:55:09 UTC
Created attachment 36254
patch

Hello,
Here valgrind reports:

[syn@archsyn shared-mime-info-0.71]$ valgrind --track-origins=yes ./update-mime-database -V /home/syn/.local/share/mime
==17155== Memcheck, a memory error detector
==17155== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==17155== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==17155== Command: ./update-mime-database -V /home/syn/.local/share/mime
==17155== 
Updating MIME database in /home/syn/.local/share/mime...

Wrote 14 strings at 2c - 18c

Wrote aliases at 18c - 190

Wrote parents at 190 - 1b4

Wrote literal globs at 1b4 - 1b8

Wrote suffix globs at 1b8 - 238

Wrote full globs at 238 - 23c

==17155== Invalid read of size 8
==17155==    at 0x408851: write_match (update-mime-database.c:2861)
==17155==    by 0x518D80A: g_ptr_array_foreach (in /usr/lib/libglib-2.0.so.0.2400.1)
==17155==    by 0x408D87: write_magic_cache (update-mime-database.c:2999)
==17155==    by 0x4099E4: write_cache (update-mime-database.c:3367)
==17155==    by 0x40A69F: main (update-mime-database.c:3699)
==17155==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==17155== 
==17155== 
==17155== Process terminating with default action of signal 11 (SIGSEGV)
==17155==  Access not within mapped region at address 0x0
==17155==    at 0x408851: write_match (update-mime-database.c:2861)
==17155==    by 0x518D80A: g_ptr_array_foreach (in /usr/lib/libglib-2.0.so.0.2400.1)
==17155==    by 0x408D87: write_magic_cache (update-mime-database.c:2999)
==17155==    by 0x4099E4: write_cache (update-mime-database.c:3367)
==17155==    by 0x40A69F: main (update-mime-database.c:3699)
==17155==  If you believe this happened as a result of a stack
==17155==  overflow in your program's main thread (unlikely but
==17155==  possible), you can try to increase the size of the
==17155==  main thread stack using the --main-stacksize= flag.
==17155==  The main thread stack size used in this run was 8388608.
==17155== 
==17155== HEAP SUMMARY:
==17155==     in use at exit: 34,338 bytes in 440 blocks
==17155==   total heap usage: 1,457 allocs, 1,017 frees, 696,093 bytes allocated
==17155== 
==17155== LEAK SUMMARY:
==17155==    definitely lost: 408 bytes in 18 blocks
==17155==    indirectly lost: 0 bytes in 0 blocks
==17155==      possibly lost: 2,110 bytes in 17 blocks
==17155==    still reachable: 31,820 bytes in 405 blocks
==17155==         suppressed: 0 bytes in 0 blocks
==17155== Rerun with --leak-check=full to see details of leaked memory
==17155== 
==17155== For counts of detected and suppressed errors, rerun with: -v
==17155== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 7 from 7)
Erreur de segmentation
-

A patch is attached. It avoids the segmentation fault and it looks like it works fine. File version 0.71, but same as git version.

Thanks
Comment 1 Bastien Nocera 2010-09-30 09:31:13 UTC
I cannot reproduce the warnings you see locally.

What's in your ~/.local/share/mime directory? Would there be any files that could cause problems?
Comment 2 Chris KOALI 2010-10-06 14:24:44 UTC
Created attachment 39242
test case

This file crashes update-mime-database
Comment 3 Chris KOALI 2010-10-06 14:29:35 UTC
(In reply to comment #1)
> I cannot reproduce the warnings you see locally.
> 
> What's in your ~/.local/share/mime directory? Would there be any files that
> could cause problems?

Hello,
To start, I am no longer using this way to change a MIME type association. So, a few months ago, I wanted to change the MIME type for "*.inc" files. First, here is what I had:

$ xdg-mime query filetype test.inc
text/plain

and:
$ ./update-mime-database -V /home/syn/.local/share/mime
Updating MIME database in /home/syn/.local/share/mime...
Wrote 12 strings at 2c - 1bc
Wrote aliases at 1bc - 1c0
Wrote parents at 1c0 - 1c4
Wrote literal globs at 1c4 - 1c8
Wrote suffix globs at 1c8 - 2b4
Wrote full globs at 2b4 - 2b8
Wrote magic at 2b8 - 2c4
Wrote namespace list at 2c4 - 2c8
Wrote icons list at 2c8 - 30c
Wrote generic icons list at 30c - 310
Wrote types list at 310 - 340

Works fine.

Then, by using this:
http://library.gnome.org/admin/system-admin-guide/stable/mimetypes-modifying.html.en
and
http://library.gnome.org/admin/system-admin-guide/stable/mimetypes-source-xml.html.en

I have created a file Overrides.xml like that (see my new attachment). And I've updated the database:
$ ./update-mime-database -V /home/syn/.local/share/mime
Updating MIME database in /home/syn/.local/share/mime...
Wrote 17 strings at 2c - 204
Wrote aliases at 204 - 208
Wrote parents at 208 - 22c
Wrote literal globs at 22c - 230
Wrote suffix globs at 230 - 388
Wrote full globs at 388 - 38c
Erreur de segmentation

It crashes without error (even if my file isn't invalid, the program shouldn't crash).
By the way, despite the crash, if I do a query filetype, it works:
$ xdg-mime query filetype test.inc
application/x-php
$ xdg-mime query filetype test.tpl
text/html

My two new entries in the database (*.inc and *.tpl) are really in the database, but due to the crash, the database is incomplete ("magic", "namespace list", "icons list", "generic icons list" and "types list" are missing).
Here my patch comes in; I compile and run again:
$ ./update-mime-database -V /home/syn/.local/share/mime
Updating MIME database in /home/syn/.local/share/mime...
Wrote 17 strings at 2c - 204
Wrote aliases at 204 - 208
Wrote parents at 208 - 22c
Wrote literal globs at 22c - 230
Wrote suffix globs at 230 - 388
Wrote full globs at 388 - 38c
Wrote magic at 38c - 3b8
Wrote namespace list at 3b8 - 3bc
Wrote icons list at 3bc - 400
Wrote generic icons list at 400 - 414
Wrote types list at 414 - 44c

And of course, "xdg-mime query filetype" still returns the expected information.

By the way, I don't know how "update-mime-database" works, nor "g_ptr_array_foreach". And I don't know why my patch works... but it works.

Can you try to reproduce it by using the attached file? (This file should be saved in the directory ~/.local/share/mime/packages/.)

Thanks.
Comment 4 Bastien Nocera 2010-10-13 17:46:43 UTC
Easier to fix with a reproducer.

commit eed6a8a94bd7842411ba343669d2e78c6ca8e782
Author: Bastien Nocera <hadess@hadess.net>
Date:   Thu Oct 14 01:42:48 2010 +0100

    Fix crasher with incomplete magic element
    
    https://bugs.freedesktop.org/show_bug.cgi?id=28527


Now your .xml file will show:
Error in type 'application/x-php' (in mime-db-tests/packages/bug28527.xml): Incomplete <magic> element.
Error in type 'text/html' (in mime-db-tests/packages/bug28527.xml): Incomplete <magic> element.

Thanks for the help.
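
A pre-flight check for the condition Comment 4 describes, as an added example that is not part of the original thread or of shared-mime-info: it lists the MIME types in a package file whose <magic> element has no <match> child, so such files can be found before update-mime-database is run on them. Treating "incomplete" as "no <match> child" is an assumption (the thread shows neither the attachment nor the patch), and the sample XML and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of shared-mime-info package files.
NS = "{http://www.freedesktop.org/standards/shared-mime-info}"

# Constructed sample (not the attachment from this bug): the first type has a
# <magic> with no <match> child, the second has a complete <magic>.
SAMPLE = """<mime-info xmlns="http://www.freedesktop.org/standards/shared-mime-info">
  <mime-type type="application/x-example-a">
    <magic priority="50"/>
    <glob pattern="*.exa"/>
  </mime-type>
  <mime-type type="application/x-example-b">
    <magic priority="50">
      <match type="string" offset="0" value="EXB1"/>
    </magic>
    <glob pattern="*.exb"/>
  </mime-type>
</mime-info>
"""

def incomplete_magic_types(xml_data):
    """Return MIME types whose <magic> has no <match> child (the assumed
    meaning of "incomplete"), in document order and without duplicates."""
    root = ET.fromstring(xml_data)
    flagged = []
    for mime_type in root.iter(NS + "mime-type"):
        name = mime_type.get("type", "<missing type attribute>")
        for magic in mime_type.findall(NS + "magic"):
            if magic.find(NS + "match") is None and name not in flagged:
                flagged.append(name)
    return flagged

def check_packages(paths):
    """Map each path to its flagged types. A file that cannot be read or
    parsed is reported under its path instead of aborting the scan."""
    report = {}
    for path in paths:
        try:
            with open(path, "rb") as handle:  # bytes: honour the XML encoding
                flagged = incomplete_magic_types(handle.read())
        except (OSError, ET.ParseError) as exc:
            flagged = ["<unreadable: %s>" % exc]
        if flagged:
            report[path] = flagged
    return report

if __name__ == "__main__":
    print(incomplete_magic_types(SAMPLE))
```
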
Comment 5 Bastien Nocera 2010-12-01 09:15:33 UTC
*** Bug 21679 has been marked as a duplicate of this bug. ***

