[Gaim-patches] [ gaim-Patches-1042094 ] g_strdup_vprintf / _g_gnulib_vasnprintf safety

[SourceForge.net <no...@so...>]

Patches item #1042094, was opened at 2004-10-07 05:10
Message generated for change (Comment added) made by thekingant
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=300235&aid=1042094&group_id=235

Category: None
Group: None
>Status: Closed
>Resolution: Accepted
Priority: 5
Submitted By: Evan Schoenberg (evands)
Assigned to: Mark Doliner (thekingant)
Summary: g_strdup_vprintf / _g_gnulib_vasnprintf safety

Initial Comment:
I've been seeing some odd occasional crashes in printf()-style 
calls. 3 examples follow:

-------

0   libSystem.B.dylib                   0x90006e40 strlen + 0x20
1   Libgaim                             0x04b9759c _g_gnulib_vasnprintf 
+ 0x9ac
2   Libgaim                             0x04b932c8 _g_gnulib_vsnprintf + 
0x4c
3   Libgaim                             0x04b60590 g_vsnprintf + 0xf0
4   Libgaim                             0x04b6021c g_snprintf + 0x60
5   Libgaim                             0x04ad34e8 gaim_normalize + 
0x26c
6   Libgaim                             0x04a801a4 gaim_parse_oncoming 
+ 0x33c
7   Libgaim                             0x04a63a58 buddychange + 0xb8
8   Libgaim                             0x04a63b5c snachandler + 0xb4
9   Libgaim                             0x04a901f8 consumesnac + 0x170
10  Libgaim                             0x04a90e00 aim_rxdispatch + 
0xe8
11  Libgaim                             0x04a7bc2c oscar_callback + 
0x1a8

-or-

0   libSystem.B.dylib                   0x90006e40 strlen + 0x20
1   Libgaim                             0x051975b4 _g_gnulib_vasnprintf 
+ 0x9ac
2   Libgaim                             0x051932e0 _g_gnulib_vsnprintf + 
0x4c
3   Libgaim                             0x051605a8 g_vsnprintf + 0xf0
4   Libgaim                             0x05160234 g_snprintf + 0x60
5   Libgaim                             0x050d3500 gaim_normalize + 
0x26c
6   Libgaim                             0x0501bdd4 gaim_find_buddies + 
0x148
7   Libgaim                             0x050202f4 
gaim_buddy_icon_destroy + 0xfc
8   Libgaim                             0x05020f5c 
gaim_buddy_icons_set_for_user + 0x104
9   Libgaim                             0x05081b44 incomingim_chan2 + 
0x754
10  Libgaim                             0x05083268 
gaim_parse_incoming_im + 0x13c
11  Libgaim                             0x05071f4c incomingim_ch2 + 
0x7dc
12  Libgaim                             0x050722b4 incomingim + 0x168
13  Libgaim                             0x050731ac snachandler + 0xd4
14  Libgaim                             0x05090210 consumesnac + 
0x170
15  Libgaim                             0x05090e18 aim_rxdispatch + 
0xe8
16  Libgaim                             0x0507bc44 oscar_callback + 
0x1a8

-or-

0   libSystem.B.dylib                   0x90006e40 strlen + 0x20
1   Libgaim                             0x04dd55b4 _g_gnulib_vasnprintf 
+ 0x9ac
2   Libgaim                             0x04dd13cc _g_gnulib_vasprintf + 
0x44
3   Libgaim                             0x04d9e65c g_vasprintf + 0x94
4   Libgaim                             0x04da148c g_strdup_vprintf + 
0x44
5   Libgaim                             0x04da1500 g_strdup_printf + 
0x58
6   Libgaim                             0x04d45a20 plain_msg + 0x130
7   Libgaim                             0x04d47cd8 
msn_cmdproc_process_msg + 0xd0
8   Libgaim                             0x04d45708 msg_cmd_post + 
0x80
9   Libgaim                             0x04d47bf4 
msn_cmdproc_process_payload + 0xdc
10  Libgaim                             0x04d3bf00 read_cb + 0x340

---------

I can reproduce the traceback by sending a NULL argument to 
g_snprintf() like so...

static char buf[10];
g_snprintf(buf, sizeof(buf), "%s", NULL);

...which leads me to think that these crashes are coming from 
NULL arguments in unexpected locations. Attached is  patch which 
should guard against this possibility in 3 places in oscar.c and 1 
place in jabber's buddy.c - the 4 most common places I've seen 
this crash.  They certainly shouldn't hurt anything... I'd definitely 
appreciate the thoughts of anyone who can concoct a better 
explanation.  I'm using the latest stable release of GLib, GLib
-2.4.6.



----------------------------------------------------------------------

>Comment By: Mark Doliner (thekingant)
Date: 2005-01-31 22:49

Message:
Logged In: YES 
user_id=20979

I made changes similar to those in the oscar half of this a
few weeks ago.

----------------------------------------------------------------------

Comment By: Nathan Walp (faceprint)
Date: 2005-01-02 20:58

Message:
Logged In: YES 
user_id=17471

If the jabber portion of this actually does any real-life
good, then there's something horribly wrong which really
needs to be fixed.

Mark, have fun with the rest of this.

----------------------------------------------------------------------

Comment By: Luke Schierer (lschiere)
Date: 2004-10-07 08:02

Message:
Logged In: YES 
user_id=28833

Nathan, most of this patch is in oscar, but Mark is out of
town. can you look at this? (part of it is jabber). 

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=300235&aid=1042094&group_id=235