python-cdb double free

Bug #157251 reported by Evan Klitzke on 2007-10-25
Affects: python-cdb (Ubuntu)
Importance: Medium
Assigned to: Daniel T Chen

Bug Description

Binary package hint: python-cdb

python 2.5.1-1ubuntu2
python-cdb 0.32-5.2ubuntu2

Python-cdb dies on a double free when looking up a key in a dictionary. Attaching a simple test case.

Evan Klitzke (eklitzke2) wrote :

I've attached a very minimal test case exhibiting the problem. The output when running the test case is as follows:

evan@thinkpad ~/Desktop $ python fail_cdb.py
bar
*** glibc detected *** python: free(): invalid pointer: 0xb7d847b8 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7e6cd65]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7e70800]
/usr/lib/python2.5/site-packages/cdbmodule.so[0xb7d361cd]
python[0x80855f9]
python(PyDict_SetItem+0x6e)[0x8086f5e]
python(_PyModule_Clear+0x158)[0x8088bb8]
python(PyImport_Cleanup+0x153)[0x80dd0e3]
python(Py_Finalize+0xbf)[0x80e931f]
python(Py_Main+0x4d1)[0x8058ea1]
python(main+0x22)[0x80588c2]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7e19050]
python[0x8058831]
Aborted (core dumped)

Evan Klitzke (eklitzke2) wrote :

I am also seeing this bug on Feisty, using the previously attached test case.

Pulu Anau (panau) wrote :

Still occurs on Hardy, 64bit.

Found this link: http://www.notes.xythian.net/2007/10/24/python-cdb-032-52ubuntu2-with-python-25-causes-double-free-corruption-crash-on-dealloc/

His suggestion:
    Some other searching suggests that python-cdb’s use of PyMem_DEL is no longer recommended. I haven’t verified that this doesn’t cause other problems, but replacing cdbmodule.c’s use of PyMem_DEL with PyObject_Del (and the PyObject_NEW with _New, to use consistent naming) [seems to work].

I've done this with the source from upstream, fixes it perfectly, for me. Just FYI.
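
The allocator-family mismatch behind the suggestion quoted above, as an added example that is not part of the original thread or of python-cdb's source: a heuristic Python scanner that flags pointers whose type is allocated with PyObject_NEW/PyObject_New but released with a raw-memory call such as PyMem_DEL. The embedded C snippet is constructed for illustration; CdbObject, CdbType, cdbo_new and cdbo_dealloc are assumed names, not copied from cdbmodule.c.

```python
import re

# Object-allocator calls: PyObject_NEW(Type, &TypeObject) / PyObject_New(...)
OBJ_ALLOC = re.compile(r"PyObject_(?:NEW|New)\s*\(\s*(\w+)\s*,")
# Raw-memory releases (optionally with a cast) that must not get such a pointer
MEM_FREE = re.compile(
    r"\b(PyMem_(?:DEL|Del|FREE|Free)|free)\s*\(\s*(?:\([^)]*\)\s*)?(\w+)\s*\)")
# Pointer declarations such as "CdbObject *self" (parameters or locals)
PTR_DECL = re.compile(r"\b(\w+)\s*\*\s*(\w+)\s*[,;)=]")

def find_mismatched_frees(source):
    """Return (line_no, call, variable, c_type) for every raw-memory free of a
    pointer whose C type is allocated through the object allocator."""
    obj_types = {m.group(1) for m in OBJ_ALLOC.finditer(source)}
    findings, var_types = [], {}
    for line_no, line in enumerate(source.splitlines(), 1):
        if line.startswith("}"):      # heuristic: a top-level function ends here
            var_types = {}
        for m in PTR_DECL.finditer(line):
            if m.group(1) in obj_types:
                var_types[m.group(2)] = m.group(1)
        for m in MEM_FREE.finditer(line):
            if m.group(2) in var_types:
                findings.append((line_no, m.group(1), m.group(2),
                                 var_types[m.group(2)]))
    return findings

# Constructed sample input (not the real cdbmodule.c).
SAMPLE_BEFORE = r'''
typedef struct { PyObject_HEAD struct cdb c; } CdbObject;

static PyObject *
cdbo_new(PyObject *ignore, PyObject *args)
{
    CdbObject *self;
    self = PyObject_NEW(CdbObject, &CdbType);
    return (PyObject *)self;
}

static void
cdbo_dealloc(CdbObject *self)
{
    cdb_free(&self->c);
    PyMem_DEL(self);
}
'''
# The change described in the quote: PyObject_New paired with PyObject_Del.
SAMPLE_AFTER = (SAMPLE_BEFORE.replace("PyObject_NEW", "PyObject_New")
                             .replace("PyMem_DEL", "PyObject_Del"))

if __name__ == "__main__":
    for hit in find_mismatched_frees(SAMPLE_BEFORE):
        print("line %d: %s(%s) frees a %s from the object allocator" % hit)
```

The scan is line-based and only tracks pointer declarations inside one function at a time, so treat a hit as a lead for manual review rather than proof.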

Chad Skeeters (goobsoft) wrote :

Occurs on Gutsy/32bit. Pulu's solution worked for me too.

Daniel T Chen (crimsun) on 2008-11-10
Changed in python-cdb:
assignee: nobody → crimsun
importance: Undecided → Medium
status: New → Confirmed

pilcrow (mjp) wrote :

Jackson Doak (noskcaj) wrote :

This package has been removed; therefore, won't fix.

Changed in python-cdb (Ubuntu):
status: Confirmed → Won't Fix