Package: libsoup2.4
Version: 2.29.5-2
Severity: important
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu


libsoup2.4 crashes because the return value of g_byte_array_append is ignored.

= Backtrace =

Core was generated by `/usr/lib/mojito/mojito-core'.
Program terminated with signal 11, Segmentation fault.
#0 0x004d30fc in ?? () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0 0x004d30fc in ?? () from /lib/tls/i686/cmov/libc.so.6
#1 0x004d54b2 in ?? () from /lib/tls/i686/cmov/libc.so.6
#2 0x004d8319 in ?? () from /lib/tls/i686/cmov/libc.so.6
#3 0x004d882d in realloc () from /lib/tls/i686/cmov/libc.so.6
#4 0x003f31cf in g_realloc () from /lib/libglib-2.0.so.0
#5 0x003c516b in ?? () from /lib/libglib-2.0.so.0
#6 0x003c56d9 in g_array_append_vals () from /lib/libglib-2.0.so.0
#7 0x003c5760 in g_byte_array_append () from /lib/libglib-2.0.so.0
#8 0x001a8ab9 in read_metadata (msg=<value optimized out>, to_blank=<value optimized out>) at soup-message-io.c:318
#9 0x001a8dec in io_read (sock=0x89fd730, msg=0x89db280) at soup-message-io.c:809
#10 0x001a5f73 in soup_message_send_request (req=0x89db280, sock=0x89fd730, conn=0x89cdb80, is_via_proxy=0) at soup-message-client-io.c:150
#11 0x00198764 in soup_connection_send_request (conn=0x89cdb80, req=0x89db280) at soup-connection.c:677
#12 0x001b0cc4 in soup_session_send_queue_item (session=0x89b3480, item=0x8aa2c30, conn=0x89cdb80) at soup-session.c:1162
#13 0x001b3a7b in process_queue_item (item=<value optimized out>) at soup-session-sync.c:263
#14 0x001b3e91 in queue_message_thread (data=0x8aa2c30) at soup-session-sync.c:285
#15 0x0041536f in ?? () from /lib/libglib-2.0.so.0
#16 0x00eb480e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#17 0x005347ee in clone () from /lib/tls/i686/cmov/libc.so.6

= Code =
== soup-message-io.c ==
...
316:                switch (status) {
317:                case SOUP_SOCKET_OK:
318:                    g_byte_array_append (io->read_meta_buf, read_buf, nread);
...

It is because the space of io->read_meta_buf is not enough to append read_buf into it. So a realloc is called inside g_byte_array_append(). The new pointer will be returned by g_byte_array_append(). So it's better to use
io->read_meta_buf = g_byte_array_append(io->read_meta_buf, read_buf, nread);

I used
grep g_byte_array_append -r .
in the source tree and found there are more than this one, so it's better to rewrite all g_byte_array_append calls this way.

I attached a patch to fix this bug.

Thanks,
Paul

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-2-686 (SMP w/1 CPU core)
Locale: LANG=zh_TW.UTF-8, LC_CTYPE=zh_TW.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


Index: libsoup2.4-2.29.5/libsoup/soup-message-io.c
===================================================================
--- libsoup2.4-2.29.5.orig/libsoup/soup-message-io.c	2010-01-20 00:44:02.967626959 +0800
+++ libsoup2.4-2.29.5/libsoup/soup-message-io.c	2010-01-20 00:44:31.379630629 +0800
@@ -315,7 +315,7 @@
 						 NULL, &error);
 		switch (status) {
 		case SOUP_SOCKET_OK:
-			g_byte_array_append (io->read_meta_buf, read_buf, nread);
+			io->read_meta_buf = g_byte_array_append (io->read_meta_buf, read_buf, nread);
 			break;
 
 		case SOUP_SOCKET_ERROR:
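Review bot: The assignment added in this hunk is a no-op, because g_byte_array_append returns the same GByteArray pointer it is passed; the realloc in frames #3 to #7 of the backtrace grows the array's data field inside the struct that io->read_meta_buf already points to, so no caller needs a fresh pointer and the tree-wide rewrite the report proposes would change nothing either. A segfault inside realloc beneath g_array_append_vals is the usual signature of a heap that was corrupted earlier, or of io->read_meta_buf not being a live GByteArray at this point (freed, or never allocated for this io state), so the patch should come with evidence from a run under valgrind or with MALLOC_CHECK_ set that shows where the corruption actually happens, and a comment in the hunk explaining what the assignment is meant to prevent.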

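The report's reasoning rests on what g_byte_array_append returns and where the realloc from frame #3 happens. GLib's documented contract is that the function returns the GByteArray it was given and reallocates only the array's public data field. The model below is an added example, not GLib or libsoup code; the names ByteBuf and bytebuf_* are mine, and the HTTP header chunks are constructed. It reproduces that contract so a reader can see that re-assigning the array pointer is harmless, that the realloc is real, and that the thing a caller can actually get wrong is caching the data pointer across an append.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>

/* Minimal model of GLib's GByteArray contract (added example, not GLib or
 * libsoup code): the struct pointer returned by new() never changes, only
 * the `data` block inside it is reallocated as the array grows. */
typedef struct {
    uint8_t *data;   /* public: may move on any append that grows the array */
    size_t   len;    /* public: bytes in use */
    size_t   cap;    /* private: bytes allocated */
} ByteBuf;

ByteBuf *bytebuf_new(void) {
    ByteBuf *b = calloc(1, sizeof *b);
    if (!b) abort();
    return b;
}

/* Mirrors g_byte_array_append: returns the very same ByteBuf* it was given. */
ByteBuf *bytebuf_append(ByteBuf *b, const uint8_t *src, size_t n) {
    if (b->len + n > b->cap) {
        size_t ncap = b->cap ? b->cap : 16;
        while (ncap < b->len + n) ncap *= 2;
        /* This is the realloc seen in frame #3 of the backtrace: it acts on
         * b->data, not on b itself. */
        uint8_t *nd = realloc(b->data, ncap);
        if (!nd) abort();
        b->data = nd;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return b;   /* so `b = bytebuf_append(b, ...)` assigns b to itself */
}

void bytebuf_free(ByteBuf *b) { free(b->data); free(b); }

/* Accumulates socket-sized chunks the way read_metadata does, then scans the
 * whole buffer for the blank line ending the headers. Returns the byte count
 * up to and including "\r\n\r\n", or 0 if no blank line was seen. */
size_t collect_until_blank(const char *const *chunks, size_t nchunks) {
    ByteBuf *meta = bytebuf_new();
    for (size_t i = 0; i < nchunks; i++) {
        ByteBuf *ret = bytebuf_append(meta, (const uint8_t *)chunks[i], strlen(chunks[i]));
        if (ret != meta) abort();   /* contract check: pointer identity holds */
    }
    size_t found = 0;
    /* Index through meta->data only after the appends; a copy of meta->data
     * taken before them may point at memory realloc has already freed. */
    for (size_t i = 0; i + 4 <= meta->len; i++) {
        if (memcmp(meta->data + i, "\r\n\r\n", 4) == 0) { found = i + 4; break; }
    }
    bytebuf_free(meta);
    return found;
}

/* Returns 1 if the append contract (same pointer back, len grows, bytes intact)
 * holds across enough appends to force several reallocations. */
int contract_holds(void) {
    static const uint8_t pat[40] = "0123456789012345678901234567890123456789";
    ByteBuf *b = bytebuf_new();
    int ok = 1;
    for (int i = 0; i < 100; i++)
        if (bytebuf_append(b, pat, sizeof pat) != b) ok = 0;
    if (b->len != 4000) ok = 0;
    for (size_t i = 0; i < b->len; i++)
        if (b->data[i] != pat[i % 40]) ok = 0;
    bytebuf_free(b);
    return ok;
}

/* Constructed header split at awkward byte boundaries, as a socket might deliver it. */
size_t demo_header_len(void) {
    const char *chunks[] = { "HTTP/1.1 200 OK\r\n", "Content-Length: 5\r", "\n\r\n", "hello" };
    return collect_until_blank(chunks, 4);
}

int main(void) {
    printf("append contract holds: %d\n", contract_holds());
    printf("header bytes before body: %zu\n", demo_header_len());
    return 0;
}
```

Because bytebuf_append hands back its own argument, the only pointer that goes stale across a growing append is a cached copy of data; a segfault inside realloc itself, as in the backtrace, points instead at an already-damaged heap or a buffer that was not live, which is what a memory checker such as valgrind would localise.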