[gsettings] Invalid write of size 4 in readOption

Bug #1018602 reported by Sam Spilsbury on 2012-06-27
Affects           Status        Importance  Assigned to    Milestone
Compiz            Fix Released  High        Sam Spilsbury  0.9.8.0
compiz (Ubuntu)   Fix Released  Undecided   Unassigned

Bug Description

==9194== Invalid write of size 4
==9194== at 0x4BE98E5: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.3200.1)
==9194== by 0x4BEA6CA: g_variant_iter_loop (in /lib/i386-linux-gnu/libglib-2.0.so.0.3200.1)
==9194== by 0x4086C66: readOption (gsettings.c:336)
==9194== by 0x4086FB9: readSetting (gsettings.c:1077)
==9194== by 0x405BCB4: ccsReadPluginSettingsDefault (main.c:2793)
==9194== by 0x4059D40: ccsReadPluginSettings (main.c:2804)
==9194== by 0x404DB32: ccsLoadPluginSettings (compiz.cpp:3256)
==9194== by 0x40570B6: ccsGetPluginSettingsDefault (main.c:4677)
==9194== by 0x40BB4D2: (below main) (libc-start.c:226)
==9194== Address 0x63cac68 is 0 bytes after a block of size 0 alloc'd
==9194== at 0x402CE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==9194== by 0x4086C38: readOption (gsettings.c:328)
==9194== by 0x4086FB9: readSetting (gsettings.c:1077)
==9194== by 0x405BCB4: ccsReadPluginSettingsDefault (main.c:2793)
==9194== by 0x4059D40: ccsReadPluginSettings (main.c:2804)
==9194== by 0x404DB32: ccsLoadPluginSettings (compiz.cpp:3256)
==9194== by 0x40570B6: ccsGetPluginSettingsDefault (main.c:4677)
==9194== by 0x40BB4D2: (below main) (libc-start.c:226)
==9194==

Offending code:

     Bool *array = malloc (nItems * sizeof (Bool));
     Bool *arrayCounter = array;

     if (!array)
         break;

     /* Reads each item from the variant into the position pointed
      * at by arrayCounter */
     while (g_variant_iter_loop (iter, variantType, arrayCounter))
         *arrayCounter++;

     list = ccsGetValueListFromBoolArray (array, nItems, setting);
     free (array);

It isn't valid to read directly into arrayCounter as it's assumed to be initialized memory in use by the iter, and will be freed.
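The loop shape that produced the Valgrind report above, beside a hardened reading of the same array, as an added example that is not part of this bug report or of compiz. GLib is not used: `FakeIter` and `fake_iter_loop` are a constructed stand-in for `GVariantIter` and `g_variant_iter_loop` that keeps only the piece of the contract that matters here (each call writes the next element through the caller's pointer and returns FALSE when exhausted); `kSample`, `read_bool_array_unsafe`, `read_bool_array_safe`, `demo_unsafe` and `demo_safe` are names chosen for this example. The unsafe function reproduces the fault with a canary region after the intended allocation instead of a real out-of-bounds write, so it can be run safely; the hardened one reads each element into a local and bounds the copy by the allocation, which is what turns a miscounted `nItems` (zero in the trace above) into a rejected read instead of a heap overflow.

```c
#include <stdlib.h>

typedef int Bool;
#define TRUE  1
#define FALSE 0

/* Constructed stand-in for GVariantIter over an "ab" variant (not GLib).
 * Each call writes the next element through the caller's pointer and
 * returns FALSE once the array is exhausted, like g_variant_iter_loop. */
typedef struct {
    const Bool *items;  /* elements the "variant" holds */
    size_t      n;      /* how many */
    size_t      pos;    /* next element to yield */
} FakeIter;

static Bool fake_iter_loop (FakeIter *iter, Bool *out)
{
    if (iter->pos >= iter->n)
        return FALSE;
    *out = iter->items[iter->pos++];
    return TRUE;
}

#define CANARY_SLOTS 4
#define CANARY_VALUE 0x5A5A5A5A

/* Same shape as the offending readOption() loop: the buffer is sized from
 * a separately supplied count (nItems) and every element the iterator
 * yields is written through the advancing pointer, so nothing ties the
 * number of writes to nItems. CANARY_SLOTS spare elements sit after the
 * nItems the loop believes it has; the return value is how many of them
 * were clobbered, i.e. how many writes went past the intended allocation
 * (0 = no overflow). The iterator must not yield more than
 * nItems + CANARY_SLOTS elements. Demonstration only; do not copy. */
static size_t read_bool_array_unsafe (FakeIter *iter, size_t nItems)
{
    Bool  *array = malloc ((nItems + CANARY_SLOTS) * sizeof (Bool));
    Bool  *arrayCounter = array;
    size_t i, clobbered = 0;

    if (!array)
        return 0;
    for (i = 0; i < CANARY_SLOTS; i++)
        array[nItems + i] = CANARY_VALUE;

    while (fake_iter_loop (iter, arrayCounter))  /* iter writes straight into the array */
        arrayCounter++;

    for (i = 0; i < CANARY_SLOTS; i++)
        if (array[nItems + i] != CANARY_VALUE)
            clobbered++;
    free (array);
    return clobbered;
}

/* Hardened reader: each element lands in a local, the only memory the
 * iterator is ever handed, and is copied into the array only while there
 * is room. nItems == 0 skips malloc(0), whose result must not be written.
 * Returns 0 and sets *outArray (malloc'd, caller frees, NULL when empty)
 * and *outLen; returns -1 on allocation failure or when the iterator
 * yields more elements than nItems announced. */
static int read_bool_array_safe (FakeIter *iter, size_t nItems,
                                 Bool **outArray, size_t *outLen)
{
    Bool  *array = NULL;
    Bool   value;
    size_t count = 0;

    *outArray = NULL;
    *outLen = 0;
    if (nItems > 0 && !(array = malloc (nItems * sizeof (Bool))))
        return -1;

    while (fake_iter_loop (iter, &value)) {
        if (count >= nItems) {  /* more elements than announced: reject */
            free (array);
            return -1;
        }
        array[count++] = value;
    }
    *outArray = array;
    *outLen = count;
    return 0;
}

/* Constructed sample input: a three-element boolean array. */
static const Bool kSample[] = { TRUE, FALSE, TRUE };
#define SAMPLE_LEN (sizeof kSample / sizeof kSample[0])

/* Runs the unsafe loop over kSample with an announced count of nItems and
 * returns the number of out-of-bounds writes it made. */
size_t demo_unsafe (size_t nItems)
{
    FakeIter it = { kSample, SAMPLE_LEN, 0 };
    return read_bool_array_unsafe (&it, nItems);
}

/* Runs the hardened reader over kSample with an announced count of nItems.
 * Returns -1 if the read is rejected, -2 if the copy is wrong, otherwise
 * the number of elements read. */
int demo_safe (size_t nItems)
{
    FakeIter it = { kSample, SAMPLE_LEN, 0 };
    Bool  *array;
    size_t len, i;

    if (read_bool_array_safe (&it, nItems, &array, &len) != 0)
        return -1;
    for (i = 0; i < len; i++)
        if (array[i] != kSample[i]) { free (array); return -2; }
    free (array);
    return (int) len;
}
```

With the real API the count mismatch can also be removed at its source by sizing the array from `g_variant_iter_n_children (iter)` rather than from a count obtained elsewhere; reading through a local `gboolean` is still worth keeping, since it makes the type the iterator writes for "b" explicit and means the iterator never holds a pointer into the array.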

Changed in compiz:
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Sam Spilsbury (smspillaz)
milestone: none → 0.9.8.0
tags: added: gsettings
Changed in compiz:
importance: Medium → High
Daniel van Vugt (vanvugt) wrote :

Fix committed into lp:compiz at revision 3267

Changed in compiz:
status: In Progress → Fix Committed
Daniel van Vugt (vanvugt) wrote :

Fix reverted in revision 3268. Build failures.

Changed in compiz:
status: Fix Committed → Triaged
status: Triaged → In Progress
Daniel van Vugt (vanvugt) wrote :

(build failures due to simple conflicts that I failed to resolve correctly)

Daniel van Vugt (vanvugt) wrote :

Fix committed into lp:compiz at revision 3272

Changed in compiz:
status: In Progress → Fix Committed
Changed in compiz:
status: Fix Committed → Fix Released
Daniel van Vugt (vanvugt) wrote :

This bug was fixed in the package compiz - 1:0.9.8.0-0ubuntu1

---------------
compiz (1:0.9.8.0-0ubuntu1) quantal-proposed; urgency=low

  * debian/control, debian/rules:
    - enable gles on armel and armhf
    - use dh-translations rather than custom code

  [ Sam Spilsbury ]
  * Enable OpenGL ES building
    - Refresh debian/patches/workaround_broken_drivers.patch
    - Remove non-ported plugins from compiz-plugins
    - Add FindOpenGLES2.cmake to compiz-dev

  [ Timo Jyrinki ]
  * New upstream release.
    - Code to make compiz work on GLES. This includes several changes
      to the compiz API. (LP: #201342) (LP: #901097) (LP: #1004251)
      (LP: #1037710)
    - Draft first 0.9.8.0 NEWS and bump VERSION
  * debian/patches/compiz-package-gles2.patch:
    - Remove, obsoleted by the upstream GLES work
  * Disable plugins that don't work on pure GLES on armhf/armel:
    - bench, firepaint, mblur, showmouse, splash, showrepaint, td, widget
 -- Sebastien Bacher <email address hidden> Fri, 31 Aug 2012 22:59:50 +0200

Changed in compiz (Ubuntu):
status: New → Fix Released