
#97 More GTKPlotData bug

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2012-03-07
Created: 2012-03-07
Creator: RRaptor
Private: No

In the file gtkplotdata.c a heap-corruption crash was detected. It appears when the function gtk_plot_data_new_iterator is used together with custom labels. The function gtk_plot_data_real_draw contains these lines:

    if(fl)
    {
        for(iter = 0; iter < npoints; iter++)
            g_free(fl[iter]);       // frees every label string
        g_free(fl);                 // frees the array itself
    }
    gtk_plot_data_set_labels(function, NULL);   // clears the "labels" dimension

But the function gtk_plot_data_set_labels also contains code that clears the label array:

    GtkPlotArray *
    gtk_plot_data_set_labels(GtkPlotData *data,
                             gchar **labels)
    {
        GtkPlotArray *dim = NULL;
        if(labels){
            dim = gtk_plot_data_find_dimension(data, "labels");
            if(dim){
                gtk_plot_array_free(dim);   // this line clears the label array
                dim->data.data_string = labels;
            }
        }
        return dim;
    }

Thus the data label array is freed twice, which results in heap corruption. To fix this bug:

1. In the following function in the file gtkplotdata.c, insert two comments so that the labels array is also freed when the parameter gchar **labels == NULL:

    GtkPlotArray *
    gtk_plot_data_set_labels(GtkPlotData *data,
                             gchar **labels)
    {
        GtkPlotArray *dim = NULL;
        // if(labels){                 // guard commented out: NULL now clears the stored array
        dim = gtk_plot_data_find_dimension(data, "labels");
        if(dim){
            gtk_plot_array_free(dim);
            dim->data.data_string = labels;
        }
        // }
        return dim;
    }

2. In the function gtk_plot_data_real_draw in the same file, insert one comment so that the label array is not deleted a second time:

    if(fl)
    {
        for(iter = 0; iter < npoints; iter++)
            g_free(fl[iter]);
        // g_free(fl);              // commented out: the array is released by gtk_plot_data_set_labels below
    }
    gtk_plot_data_set_labels(function, NULL);

Discussion

  • RRaptor
    2012-03-07

  • Fredy Paquet
    2012-06-03

    Hello rraptor

    After a code review, I'm not convinced that your patch solves the problem. (gtkextra-3 branch)

    As far as I understand:

    1. in function gtk_plot_data_real_draw()

    line 2517: fl is declared and set to NULL
    line 2610: an array of npoints pointers gets allocated and assigned to fl
    line 2632: for all points the label gets strduped and assigned to fl[iter]
    line 2643: gtk_plot_data_set_labels(function, fl) will put (not copy) fl into dim
    line 2662: fl[iter] and fl get freed -> which invalidates all pointers stored in dim

    one should completely remove the deallocation part for fl
    at lines 2662-2665 in gtk_plot_data_real_draw()
    because fl was put into dim with a call to gtk_plot_data_set_labels()

    2. gtk_plot_data_set_labels()
    calling gtk_plot_data_set_labels() with labels == NULL should clear all the data kept in dim
    the proposed patch seems to be ok.

    agree?
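As an added example (not gtkextra's code), the ownership hand-off behind this report and the review above, modelled in plain C: set_labels takes the array without copying and clears it on NULL, as agreed in the thread, and a small quarantining allocator counts a second free instead of crashing. LabelArray, t_alloc/t_free/t_reset, make_labels and draw_cycle are constructed names; draw_cycle with free_after_handoff=1 reproduces the reported double free, with 0 it leaves the hand-off alone as the review suggests.

```c
#include <stdlib.h>
/* Quarantining allocator (constructed for this example): freed blocks stay
 * mapped, so a second free is counted instead of corrupting the heap. */
#define MAX_BLOCKS 64                      /* plenty for the sizes used here */
static struct { void *p; int live; } blocks[MAX_BLOCKS];
static int nblocks, live_blocks, double_frees;
static void *t_alloc(size_t sz) {
    void *p = calloc(1, sz);
    blocks[nblocks].p = p; blocks[nblocks].live = 1; nblocks++; live_blocks++;
    return p;
}
static void t_free(void *p) {
    for (int i = 0; i < nblocks; i++) {
        if (blocks[i].p != p) continue;
        if (blocks[i].live) { blocks[i].live = 0; live_blocks--; } else double_frees++;
    }
}
static void t_reset(void) {                /* release the quarantine between runs */
    for (int i = 0; i < nblocks; i++) free(blocks[i].p);
    nblocks = live_blocks = double_frees = 0;
}
typedef struct { char **strings; size_t n; } LabelArray;  /* stand-in for GtkPlotArray */
static void label_array_free(LabelArray *a) {             /* like gtk_plot_array_free */
    for (size_t i = 0; i < a->n; i++) t_free(a->strings[i]);
    t_free(a->strings);
    a->strings = NULL; a->n = 0;
}
/* Takes ownership of labels without copying; NULL clears the stored array
 * (no if(labels) guard, as in the fix agreed in the thread). */
static void set_labels(LabelArray *dim, char **labels, size_t n) {
    label_array_free(dim);
    dim->strings = labels; dim->n = labels ? n : 0;
}
static char **make_labels(size_t n) {        /* the fl array built in real_draw */
    char **fl = t_alloc(n * sizeof *fl);
    for (size_t i = 0; i < n; i++) { fl[i] = t_alloc(2); fl[i][0] = 'x'; }
    return fl;
}
/* One draw-then-clear cycle; returns how many blocks were freed twice. */
static int draw_cycle(size_t n, int free_after_handoff) {
    LabelArray dim = { NULL, 0 };
    t_reset();
    char **fl = make_labels(n);
    set_labels(&dim, fl, n);                 /* dim now owns fl and its strings */
    if (free_after_handoff) {                /* the reported bug: caller frees anyway */
        for (size_t i = 0; i < n; i++) t_free(fl[i]);
        t_free(fl);
    }
    set_labels(&dim, NULL, 0);               /* clearing frees the same blocks again */
    return double_frees;
}
```

With three points the buggy path reports four double frees (three strings plus the array) while the corrected path reports none and leaves no live blocks.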