directfb 1.2.10 crashes on Release due to a double free

Bug #691440 reported by ArdyFalls
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
directfb (Ubuntu) | New | Undecided | Unassigned |

Bug Description

When calling Release() on an IDirectFB object, it creates a signal 11 due to a double free. This occurs on Kubuntu 10.10, amd64. This can be reproduced with the directfb tutorial application.

The call stack is
#0 __libc_free (mem=0x7ffff410e010) at malloc.c:3709
#1 0x00007ffff67f8012 in ?? () from /usr/lib/libX11.so.6
#2 0x00007ffff6b0a9fe in dfb_x11_close_window () from /usr/lib/directfb-1.2-9/systems/libdirectfb_x11.so
#3 0x00007ffff6b07584 in dfb_x11_destroy_window_handler () from /usr/lib/directfb-1.2-9/systems/libdirectfb_x11.so
#4 0x00007ffff6b08a00 in ?? () from /usr/lib/directfb-1.2-9/systems/libdirectfb_x11.so
#5 0x00007ffff71325a7 in fusion_call_execute () from /usr/lib/libfusion-1.2.so.9
#6 0x00007ffff6b06ed1 in ?? () from /usr/lib/directfb-1.2-9/systems/libdirectfb_x11.so
#7 0x00007ffff7bb473f in ?? () from /usr/lib/libdirectfb-1.2.so.9
#8 0x00007ffff7bb4f9a in dfb_layer_region_disable () from /usr/lib/libdirectfb-1.2.so.9
#9 0x00007ffff7bb5440 in ?? () from /usr/lib/libdirectfb-1.2.so.9
#10 0x00007ffff71348c2 in ?? () from /usr/lib/libfusion-1.2.so.9
#11 0x00007ffff713553c in fusion_ref_down () from /usr/lib/libfusion-1.2.so.9
#12 0x00007ffff7b6cb19 in IDirectFB_Destruct () from /usr/lib/libdirectfb-1.2.so.9
#13 0x00007ffff7b6cbba in ?? () from /usr/lib/libdirectfb-1.2.so.9
#14 0x0000000000402fbb in main (argc=1, argv=0x7fffffffe1d8) at main/linux/main.c:205

ArdyFalls (afalls) wrote :

Attached sample source code.

ArdyFalls (afalls) wrote :

Any update? Anything needed to help with it?

Christophe (lsmgeb89)
security vulnerability: no → yes
Tyler Hicks (tyhicks) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no