crash when right-clicking on tray icon to display list of notes

Bug #490445 reported by David Hull
This bug affects 2 people
Affects: Xpad (status tracked in Trunk)
Series: Trunk
Status: Fix Released
Importance: Critical
Assigned to: Siergiej Riaguzow

Bug Description

xpad crashes when I right-click on the tray icon to display the list of notes. Running xpad under valgrind, the following errors were reported. I have been seeing this bug since xpad 3.0, I believe.

$ valgrind xpad
==9446== Memcheck, a memory error detector.
==9446== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==9446== Using LibVEX rev 1884, a library for dynamic binary translation.
==9446== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==9446== Using valgrind-3.4.1, a dynamic binary instrumentation framework.
==9446== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==9446== For more details, rerun with: -v
==9446==
==9446== Invalid read of size 1
==9446== at 0x4A07DA2: strlen (mc_replace_strmem.c:242)
==9446== by 0x408CD4: str_replace_tokens (fio.c:67)
==9446== by 0x41B399: xpad_tray_popup_menu_cb (xpad-tray.c:155)
==9446== by 0x38D2E0B81D: g_closure_invoke (in /lib64/libgobject-2.0.so.0.2000.5)
==9446== by 0x38D2E20B42: (within /lib64/libgobject-2.0.so.0.2000.5)
==9446== by 0x38D2E21ED8: g_signal_emit_valist (in /lib64/libgobject-2.0.so.0.2000.5)
==9446== by 0x38D2E22422: g_signal_emit (in /lib64/libgobject-2.0.so.0.2000.5)
==9446== by 0x3BDA5C655A: (within /usr/lib64/libgtk-x11-2.0.so.0.1600.6)
==9446== by 0x3BDA549B62: (within /usr/lib64/libgtk-x11-2.0.so.0.1600.6)
==9446== by 0x38D2E0B81D: g_closure_invoke (in /lib64/libgobject-2.0.so.0.2000.5)
==9446== by 0x38D2E20B42: (within /lib64/libgobject-2.0.so.0.2000.5)
==9446== by 0x38D2E21D6B: g_signal_emit_valist (in /lib64/libgobject-2.0.so.0.2000.5)
==9446== Address 0xb38bc28 is 56 bytes inside a block of size 119 free'd
==9446== at 0x4A0776F: realloc (vg_replace_malloc.c:429)
==9446== by 0x38D2A4005E: g_realloc (in /lib64/libglib-2.0.so.0.2000.5)
==9446== by 0x408CB9: str_replace_tokens (fio.c:66)
==9446== by 0x41B399: xpad_tray_popup_menu_cb (xpad-tray.c:155)
==9446== by 0x38D2E0B81D: g_closure_invoke (in /lib64/libgobject-2.0.so.0.2000.5)
==9446== by 0x38D2E20B42: (within /lib64/libgobject-2.0.so.0.2000.5)
==9446== by 0x38D2E21ED8: g_signal_emit_valist (in /lib64/libgobject-2.0.so.0.2000.5)
==9446== by 0x38D2E22422: g_signal_emit (in /lib64/libgobject-2.0.so.0.2000.5)
==9446== by 0x3BDA5C655A: (within /usr/lib64/libgtk-x11-2.0.so.0.1600.6)
==9446== by 0x3BDA549B62: (within /usr/lib64/libgtk-x11-2.0.so.0.1600.6)
==9446== by 0x38D2E0B81D: g_closure_invoke (in /lib64/libgobject-2.0.so.0.2000.5)
==9446== by 0x38D2E20B42: (within /lib64/libgobject-2.0.so.0.2000.5)

Siergiej Riaguzow (riaguzov) wrote :

Will check. Didn't happen for me in trunk though.

Changed in xpad:
importance: Undecided → Critical
assignee: nobody → Sergei Riaguzov (riaguzov)
David Hull (hull) wrote :

There was a use-after-free bug in str_replace_tokens(). See the attached patch for the fix.

Siergiej Riaguzow (riaguzov) wrote :

Applied David's patch in rev. 633
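
The valgrind trace above shows strlen (fio.c:67) reading a block that realloc had freed one line earlier (fio.c:66) in the same function. The following is an added example of that bug class and its usual fix; it is not xpad's fio.c or the attached patch, and the function name, signature and sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not xpad's code): replace every `token` in the heap
 * string `str` with `value`. Takes ownership of `str`; returns the possibly
 * moved buffer, or NULL on allocation failure. */
char *replace_tokens_safe(char *str, const char *token, const char *value)
{
    size_t tlen = strlen(token), vlen = strlen(value);
    size_t pos = 0;              /* offsets survive realloc, pointers do not */
    char *hit;

    if (tlen == 0)
        return str;
    while ((hit = strstr(str + pos, token)) != NULL) {
        size_t off = (size_t)(hit - str);   /* record position BEFORE realloc */
        size_t len = strlen(str);

        if (vlen > tlen) {
            /* Unsafe form of this step:
             *     str = realloc(str, ...);  strlen(hit + tlen);
             * realloc may free the old block, leaving `hit` dangling. */
            char *grown = realloc(str, len - tlen + vlen + 1);
            if (grown == NULL) {
                free(str);
                return NULL;
            }
            str = grown;
        }
        hit = str + off;                    /* re-derive from the new base */
        memmove(hit + vlen, hit + tlen, len - off - tlen + 1); /* tail + NUL */
        memcpy(hit, value, vlen);
        pos = off + vlen;                   /* do not rescan inserted text */
    }
    return str;
}

int main(void)
{
    char *s = malloc(16);                   /* constructed sample input */
    if (s == NULL)
        return 1;
    strcpy(s, "note: %t");
    s = replace_tokens_safe(s, "%t", "a title long enough to force a move");
    if (s == NULL)
        return 1;
    puts(s);
    free(s);
    return 0;
}
```

Running the unsafe form under valgrind or AddressSanitizer reports an invalid read inside a block freed by realloc, the same shape as the trace in the bug description.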
