#1080 segfault opening attachment due to incorrect g_free()

Milestone: v1.8
Status: closed-fixed
Labels: None
Priority: 5
Updated: 2013-07-22
Created: 2013-05-31
Private: No

I just started using Liferea (1.8.14), and when trying to open an attachment in the example feed it crashed. The code seems unchanged in the git version so I think the bug is still there. Steps to reproduce:

  1. Open clean install of Liferea, go to example feed 'Free Music Archive'
  2. Pick an item with an attachment
  3. Double-click on the attachment
  4. Liferea crashes

Looking at the code, it seems the crash is caused in enclosure_list_view.c. At line 485 g_free() is called to free "typestr"; however, typestr is only sometimes allocated with g_strdup(). Sometimes it contains the return value of strrchr(), which cannot be freed, hence the crash.

Here is the --debug-all output when run through GDB:

    CACHE: url:http://freemusicarchive.org/music/download/c197ce0f47e9a7a942365be2f0acb5754aa15e41, mime:audio/mpeg

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff114f2c4 in free () from /usr/lib/libc.so.6
    (gdb) bt
    #0  0x00007ffff114f2c4 in free () from /usr/lib/libc.so.6
    #1  0x0000000000458b0a in on_popup_open_enclosure (callback_data=0xa571e0) at enclosure_list_view.c:485
    #2  0x0000000000457a5b in on_enclosure_list_activate (treeview=0x8768e0, path=0xa7a960, column=0x929a60, user_data=0x9f5940) at enclosure_list_view.c:145
    #3  0x00007ffff19aa458 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
    #4  0x00007ffff19bb40d in ?? () from /usr/lib/libgobject-2.0.so.0
    #5  0x00007ffff19c3219 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
    #6  0x00007ffff19c3462 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
    #7  0x00007ffff484f5c4 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
    #8  0x00007ffff47584c5 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
    #9  0x00007ffff19aa458 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
    #10 0x00007ffff19bb1cb in ?? () from /usr/lib/libgobject-2.0.so.0
    #11 0x00007ffff19c2e52 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
    #12 0x00007ffff19c3462 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
    #13 0x00007ffff4867624 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
    #14 0x00007ffff4756c74 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
    #15 0x00007ffff475702b in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
    #16 0x00007ffff43d2afc in ?? () from /usr/lib/libgdk-x11-2.0.so.0
    #17 0x00007ffff16e3e46 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
    #18 0x00007ffff16e4198 in ?? () from /usr/lib/libglib-2.0.so.0
    #19 0x00007ffff16e459a in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
    #20 0x00007ffff4756117 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
    #21 0x0000000000434716 in main (argc=1, argv=0x7fffffffe288) at main.c:314
    (gdb) fr 1
    #1  0x0000000000458b0a in on_popup_open_enclosure (callback_data=0xa571e0) at enclosure_list_view.c:485
    485         g_free (typestr);
    (gdb) print typestr
    $1 = (gchar *) 0xa57222 "/c197ce0f47e9a7a942365be2f0acb5754aa15e41"
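The defect described in this report is an ownership mismatch: one code path hands the caller heap memory it must release, the other hands back a pointer into an existing string that it must not. The following is an added illustration written for this page, not Liferea's own enclosure_list_view.c: plain malloc()/free() stand in for g_strdup()/g_free(), the function names enclosure_typestr_buggy/enclosure_typestr_fixed and the helpers are constructed, and the sample URL is the one from the CACHE line above. It shows the buggy contract beside the fixed one, where the function always returns an owned copy (or NULL) so that the caller's single unconditional free() is correct on every path.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sample enclosure URL taken from the CACHE line in the report. */
static const char SAMPLE_URL[] =
    "http://freemusicarchive.org/music/download/c197ce0f47e9a7a942365be2f0acb5754aa15e41";

/* Minimal stand-in for g_strdup(): always returns a fresh heap copy. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy)
        memcpy(copy, s, n);
    return copy;
}

/* Does p point inside the buffer [base, base + len)?  Compared as integers so
 * the check is well-defined even when p belongs to a different object. */
static int points_into(const char *p, const char *base, size_t len)
{
    uintptr_t ip = (uintptr_t)p, lo = (uintptr_t)base;
    return p != NULL && ip >= lo && ip < lo + len;
}

/* BUGGY (constructed analogue of the reported pattern): the result is heap
 * memory on one path and a pointer into the caller's url on the other, so a
 * caller that always frees it crashes on the second path, as in the report. */
static char *enclosure_typestr_buggy(const char *mime, const char *url)
{
    if (mime)
        return dup_string(mime);            /* owned: caller must free */
    return strrchr(url, '/');               /* borrowed: must NOT be freed */
}

/* FIXED: one contract on every path, the caller owns whatever comes back. */
static char *enclosure_typestr_fixed(const char *mime, const char *url)
{
    const char *src = mime ? mime : strrchr(url, '/');
    return src ? dup_string(src) : NULL;    /* free(NULL) is a safe no-op */
}

/* Returns 1 when the buggy function hands back a pointer into url, i.e. a
 * value that an unconditional free() in the caller would crash on. */
static int buggy_returns_borrowed(const char *mime, const char *url)
{
    char *t = enclosure_typestr_buggy(mime, url);
    int borrowed = points_into(t, url, strlen(url) + 1);
    if (!borrowed)
        free(t);                            /* only the owned path may be freed */
    return borrowed;
}

/* Returns 1 when the fixed function yields 'expected' (NULL allowed), never
 * aliases url, and can be released with a single unconditional free(). */
static int fixed_yields(const char *mime, const char *url, const char *expected)
{
    char *t = enclosure_typestr_fixed(mime, url);
    int ok;
    if (!expected)
        ok = (t == NULL);
    else
        ok = t != NULL && strcmp(t, expected) == 0
             && !points_into(t, url, strlen(url) + 1);
    free(t);                                /* always valid: owned copy or NULL */
    return ok;
}

int main(void)
{
    printf("buggy, no mime: pointer into url? %d\n",
           buggy_returns_borrowed(NULL, SAMPLE_URL));
    printf("fixed, no mime: owned copy ok?  %d\n",
           fixed_yields(NULL, SAMPLE_URL,
                        "/c197ce0f47e9a7a942365be2f0acb5754aa15e41"));
    return 0;
}
```

The buggy path is deliberately never freed here; compiling with -fsanitize=address and freeing it would make AddressSanitizer report a bad free on a non-heap address, which is a quick way to catch this class of bug before it reaches users, since a plain build only crashes inside free() with the backtrace shown above.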

Discussion

Adam Nielsen - 2013-05-31

    P.S. Sorry for the bad formatting; last time I used SF it didn't do that and I can't find an edit button to fix my mistake...

Lars Windolf - 2013-06-09
  • status: open --> open-fixed
  • assigned_to: Lars Windolf

Lars Windolf - 2013-06-09

    Thanks for reporting this bug! Fixed in git for 1.8 and 1.10. Soon to be released.

Lars Windolf - 2013-07-22
  • status: open-fixed --> closed-fixed

Lars Windolf - 2013-07-22

    Released for both 1.8 and 1.10