Bug 34291 - Invalid write of size 4
Summary: Invalid write of size 4
Status: RESOLVED FIXED
Alias: None
Product: Farstream
Classification: Unclassified
Component: Core
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Olivier Crête
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-15 05:08 UTC by Emilio Pozuelo Monfort
Modified: 2011-02-15 09:29 UTC

See Also:


Attachments
Fix off-by-one bug (865 bytes, patch)
2011-02-15 05:59 UTC, Emilio Pozuelo Monfort

Description Emilio Pozuelo Monfort 2011-02-15 05:08:13 UTC
I'm adding support for the telepathy Call interface in Empathy. I've started an audio call from Empathy to Gajim, and then I've started video from Gajim. At that point Empathy crashes. The backtrace looks corrupted, so I've got a valgrind log and farsight is doing an invalid write:


emilio@marte:~$ XDG_DATA_DIRS=/opt/empathy/share/:/usr/share/ EMPATHY_PERSIST=1 valgrind /opt/empathy/libexec/empathy-call 
==18037== Memcheck, a memory error detector
==18037== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==18037== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==18037== Command: /opt/empathy/libexec/empathy-call
==18037== 
** (empathy-call:18037): DEBUG: Current video src caps are : video/x-raw-yuv, width=(int)320, height=(int)240, framerate=(fraction)15/1
(empathy-call:18037): empathy-DEBUG: Conference added
(empathy-call:18037): tp-fs-DEBUG: Delaying codec offer processing
NPARAMS: 3
(empathy-call:18037): tp-fs-DEBUG: updating local codecs
(empathy-call:18037): tp-fs-DEBUG: Requesting that the application start sending
(empathy-call:18037): tp-fs-DEBUG: Request to start sending succeeded
(empathy-call:18037): tp-fs-DEBUG: Codecs changed
(empathy-call:18037): tp-fs-DEBUG: updating local codecs
(empathy-call:18037): tp-fs-DEBUG: updating local codecs
(empathy-call:18037): tp-fs-DEBUG: Codecs changed
(empathy-call:18037): tp-fs-DEBUG: updating local codecs
==18037== Thread 10:
==18037== Invalid write of size 4
==18037==    at 0x28AC813F: agent_state_changed (fs-nice-stream-transmitter.c:1494)
==18037==    by 0xCCD414D: g_closure_invoke (gclosure.c:767)
==18037==    by 0xCCEC656: signal_emit_unlocked_R (gsignal.c:3252)
==18037==    by 0xCCEDCD5: g_signal_emit_valist (gsignal.c:2983)
==18037==    by 0xCCEE222: g_signal_emit (gsignal.c:3040)
==18037==    by 0x2CCF207C: agent_signal_component_state_change (agent.c:1312)
==18037==    by 0x2CCF6958: priv_update_check_list_state_for_ready (conncheck.c:1219)
==18037==    by 0x2CCF84BA: priv_map_reply_to_conn_check_request (conncheck.c:2124)
==18037==    by 0x2CCF9694: conn_check_handle_inbound_stun (conncheck.c:2912)
==18037==    by 0x2CCF609B: nice_agent_g_source_cb (agent.c:2307)
==18037==    by 0xD5632E1: g_main_context_dispatch (gmain.c:2440)
==18037==    by 0xD5679A7: g_main_context_iterate (gmain.c:3091)
==18037==  Address 0x16730058 is 0 bytes after a block of size 8 alloc'd
==18037==    at 0x4C2380C: calloc (vg_replace_malloc.c:467)
==18037==    by 0xD56C8C9: g_malloc0 (gmem.c:196)
==18037==    by 0x28AC64DB: fs_nice_stream_transmitter_newv (fs-nice-stream-transmitter.c:1328)
==18037==    by 0x28AC557E: fs_nice_transmitter_new_stream_transmitter (fs-nice-transmitter.c:463)
==18037==    by 0x1FBDA4D4: fs_rtp_session_new_stream (fs-rtp-session.c:2090)
==18037==    by 0x4E31605: fs_session_new_stream (fs-session.c:432)
==18037==    by 0x528BC58: _tf_call_content_get_fsstream_by_handle (call-content.c:1070)
==18037==    by 0x528ECFF: tf_call_stream_try_adding_fsstream (call-stream.c:330)
==18037==    by 0x528F422: got_stream_media_properties (call-stream.c:752)
==18037==    by 0x792C517: _tp_cli_dbus_properties_invoke_callback_get_all (tp-cli-generic-body.h:1099)
==18037==    by 0x792F0C6: tp_proxy_pending_call_idle_invoke (proxy-methods.c:153)
==18037==    by 0xD5632E1: g_main_context_dispatch (gmain.c:2440)
==18037== 

(empathy-call:18037): tp-yell-WARNING **: The new content '/org/freedesktop/Telepathy/Connection/gabble/jabber/emilio_2epozuelo_40collabora_2eco_2euk_2f5ab67c28/CallChannel4/Content_video_2' already exists in the call!
(empathy-call:18037): tp-fs-DEBUG: tf_call_content_dispose
(empathy-call:18037): tp-fs-DEBUG: tf_call_stream_dispose
==18037== Thread 1:
==18037== Invalid read of size 8
==18037==    at 0x7929A15: tp_proxy_get_bus_name (proxy.c:1319)
==18037==  Address 0x28 is not stack'd, malloc'd or (recently) free'd
==18037== 
==18037== 
==18037== Process terminating with default action of signal 11 (SIGSEGV)
==18037==  Access not within mapped region at address 0x28
==18037==    at 0x7929A15: tp_proxy_get_bus_name (proxy.c:1319)
==18037==  If you believe this happened as a result of a stack
==18037==  overflow in your program's main thread (unlikely but
==18037==  possible), you can try to increase the size of the
==18037==  main thread stack using the --main-stacksize= flag.
==18037==  The main thread stack size used in this run was 8388608.
==18037== 
==18037== HEAP SUMMARY:
==18037==     in use at exit: 14,153,771 bytes in 46,853 blocks
==18037==   total heap usage: 273,048 allocs, 226,195 frees, 91,080,471 bytes allocated
==18037== 
==18037== LEAK SUMMARY:
==18037==    definitely lost: 4,899 bytes in 19 blocks
==18037==    indirectly lost: 11,600 bytes in 363 blocks
==18037==      possibly lost: 5,708,624 bytes in 35,230 blocks
==18037==    still reachable: 8,428,648 bytes in 11,241 blocks
==18037==         suppressed: 0 bytes in 0 blocks
==18037== Rerun with --leak-check=full to see details of leaked memory
==18037== 
==18037== For counts of detected and suppressed errors, rerun with: -v
==18037== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 154 from 9)
Killed


The gdb backtrace is:


Program received signal SIGSEGV, Segmentation fault.
tp_proxy_get_bus_name (self=<value optimized out>) at proxy.c:1319
1319	  TpProxy *proxy = TP_PROXY (self);
(gdb) bt
#0  tp_proxy_get_bus_name (self=<value optimized out>) at proxy.c:1319
#1  0x00007fffe00ea080 in ?? ()
#2  0x00007fffe00ea070 in ?? ()
#3  0x00007fffe00ea070 in ?? ()
#4  0x00007fffef460a51 in thread_memory_from_self (mem_size=<value optimized out>, mem_block=0x7ffff7778ffb)
    at /tmp/buildd/glib2.0-2.28.0/./glib/gslice.c:441
#5  g_slice_free1 (mem_size=<value optimized out>, mem_block=0x7ffff7778ffb)
    at /tmp/buildd/glib2.0-2.28.0/./glib/gslice.c:883
#6  0x00007fffef460a51 in thread_memory_from_self (mem_size=<value optimized out>, mem_block=0x8c45e0)
    at /tmp/buildd/glib2.0-2.28.0/./glib/gslice.c:441
#7  g_slice_free1 (mem_size=<value optimized out>, mem_block=0x8c45e0)
    at /tmp/buildd/glib2.0-2.28.0/./glib/gslice.c:883
#8  0x00007fffffffe218 in ?? ()
#9  0x0000000000b6bb00 in ?? ()
#10 0x0000000000d27f20 in ?? ()
#11 0x00007ffff77877e5 in ?? () from /opt/telepathy-farstream/lib/libtelepathy-farstream.so.0
#12 0x00007ffff777957d in got_content_media_properties (proxy=<value optimized out>, 
    properties=<value optimized out>, error=<value optimized out>, user_data=0xa61760, 
    weak_object=<value optimized out>) at call-content.c:541
#13 0x00007ffff514a518 in _tp_cli_dbus_properties_invoke_callback_get_all (self=0x7fffe00ea340, error=0x0, 
    args=0xd3ab40, generic_callback=0x7ffff7779230 <got_content_media_properties>, user_data=<value optimized out>, 
    weak_object=0x7fffffffe140) at _gen/tp-cli-generic-body.h:1099
#14 0x00007ffff514d0c7 in tp_proxy_pending_call_idle_invoke (p=0xa616a0) at proxy-methods.c:153
#15 0x00007fffef4412e2 in g_main_dispatch (context=0x6f4470) at /tmp/buildd/glib2.0-2.28.0/./glib/gmain.c:2440
#16 g_main_context_dispatch (context=0x6f4470) at /tmp/buildd/glib2.0-2.28.0/./glib/gmain.c:3013
#17 0x00007fffef4459a8 in g_main_context_iterate (context=0x6f4470, block=<value optimized out>, 
    dispatch=<value optimized out>, self=<value optimized out>) at /tmp/buildd/glib2.0-2.28.0/./glib/gmain.c:3091
#18 0x00007fffef445eb5 in g_main_loop_run (loop=0x9f8f40) at /tmp/buildd/glib2.0-2.28.0/./glib/gmain.c:3299
#19 0x00007ffff1fbb81d in gtk_main () at /tmp/buildd/gtk+3.0-2.99.2/./gtk/gtkmain.c:1336
#20 0x00007fffeffd35ec in g_application_run (application=0x664900, argc=<value optimized out>, 
    argv=<value optimized out>) at /tmp/buildd/glib2.0-2.28.0/./gio/gapplication.c:1241
#21 0x0000000000419cce in main (argc=1, argv=0x7fffffffe5f8) at empathy-call.c:165
(gdb) quit


I'm most likely doing something wrong in empathy-call, but farsight shouldn't do an invalid write anyway.
Comment 1 Emilio Pozuelo Monfort 2011-02-15 05:59:43 UTC
Created attachment 43380
Fix off-by-one bug

The attached patch fixes the invalid write. I can't reproduce the invalid read or the crash after restarting empathy...
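As an added example (not farstream's code and not the attached patch), a hypothetical reconstruction of the bug class named in Comment 1 and shown by the valgrind report above: a per-component state array with one int per component (two components give the 8-byte calloc'd block), indexed directly by libnice's 1-based component id, beside the bounds-checked form. Function names, the array layout and the state codes are assumptions.

```c
/* Added illustration of the off-by-one class reported above, not farstream's
 * code: a per-component state array with one int per component (two
 * components give the 8-byte calloc'd block in the valgrind output) is
 * indexed with the 1-based ICE component id that the libnice signal carries. */
#include <stdlib.h>
#include <stdio.h>

#define N_COMPONENTS 2   /* RTP + RTCP; 2 * sizeof(int) == 8 bytes */

/* Buggy form: uses the 1-based id directly as the index, so the state change
 * for component 2 lands at states[2], 4 bytes past the end of a 2-int block
 * ("Invalid write of size 4 ... 0 bytes after a block of size 8").
 * Kept only to show the defect; it is never called with the last id here. */
void agent_state_changed_buggy(int *states, unsigned component_id, int state)
{
    states[component_id] = state;
}

/* Fixed form: validate against 1..n_components, then store 0-based.
 * Returns 0 on success, -1 if the id does not belong to this stream. */
int agent_state_changed_fixed(int *states, unsigned n_components,
                              unsigned component_id, int state)
{
    if (component_id < 1 || component_id > n_components)
        return -1;
    states[component_id - 1] = state;
    return 0;
}

/* Reads back the state for a 1-based id, or -1 when the id is out of range. */
int component_state(const int *states, unsigned n_components,
                    unsigned component_id)
{
    if (component_id < 1 || component_id > n_components)
        return -1;
    return states[component_id - 1];
}

/* Stand-alone driver: the same allocation shape valgrind flagged, exercised
 * through the fixed handler (state code 2 is an arbitrary constructed value). */
int main(void)
{
    int *states = calloc(N_COMPONENTS, sizeof *states);  /* the 8-byte block */
    if (!states)
        return 1;
    agent_state_changed_fixed(states, N_COMPONENTS, 2, 2);
    printf("component 2 state: %d, id 3 rejected: %d\n",
           component_state(states, N_COMPONENTS, 2),
           agent_state_changed_fixed(states, N_COMPONENTS, 3, 2) == -1);
    free(states);
    return 0;
}
```

Running the driver under valgrind as in the report above stays clean; swapping the call for agent_state_changed_buggy with id 2 reproduces the "0 bytes after a block of size 8" finding.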
Comment 2 Olivier Crête 2011-02-15 06:08:07 UTC
I guess this is a nasty bug, I'll merge it and make a new release...
Comment 3 Olivier Crête 2011-02-15 09:29:27 UTC
Fixed in 0.0.25

