Comment 7 for bug 1899100

Marc Deslauriers (mdeslaur) wrote :

So, I've looked through the code again, and I believe it is mishandling duplicate keys. I'm not sure if duplicate keys can find themselves in crash files, but if so, here's a theory:

value gets malloced here:
533: key = g_malloc ((token_p - p) + 1);

value and key get inserted into the hash table here:
575: g_hash_table_insert (hash_table, key, value ? value : g_strdup(""));

key is then reused here:
505: g_hash_table_insert (hash_table, key, value ? value : g_strdup(""));

If there is a duplicate key and it already exists in the hash table, g_hash_table_insert will free the passed key, which means that a use-after-free is happening on line 505. Later, when the hash table is destroyed here:

776: g_hash_table_destroy (report);

the stale key pointer is being double-freed.

If this code is fixed, we should also make sure the g_hash_table_steal functions on lines 488 and 496 are done _before_ value is realloced on lines 484 and 490. I'm not sure that causes any issue, but it's worth fixing.