Bug#510724: libglib2.0-0: Function 'g_main_context_check' crashes if no input available

Thomas Zimmermann tdz at users.sourceforge.net
Sun Jan 4 14:59:36 UTC 2009


Package: libglib2.0-0
Version: 2.16.6-1
Severity: normal
Tags: patch

Hi

The function 'g_main_context_check' polls input sources for events. The
code contains a race condition such that the function generates a
segfault if one of the sources does not have any events. A stack trace
is attached.

The bug is that the while-expression counts the number of processed
array elements. This number is only increased if an element has an
event. A simple patch to increment on each iteration is attached.

The bug is triggered like this: The function walks over an array of
GPollFDs and an internal linked list. The array elements are tested for
events. If one of the elements does not have any events, the array and
the list get out of sync.

The bug is that the iterating while-expression depends on the number of
processed array elements. This number is only increased if an element
has an event. A simple patch to increment on each iteration is attached.

The bug can lead to dereferencing a NULL-pointer while walking over the
list's last element. In some situations the function might succeed but
return invalid states in the 'revents' field of some array elements.

I found this bug by starting Evolution and immediately clicking 
the button for fetching emails. This crashed Evolution but I can't
reproduce it predictably.

Regards, Thomas

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libglib2.0-0 depends on:
ii  libc6                         2.7-16     GNU C Library: Shared libraries
ii  libpcre3                      7.6-2.1    Perl 5 Compatible Regular Expressi
ii  libselinux1                   2.0.65-5   SELinux shared libraries

Versions of packages libglib2.0-0 recommends:
pn  libglib2.0-data               <none>     (no description available)

libglib2.0-0 suggests no packages.

-- no debconf information

-- 
GnuPG:          https://tdz.users.sourceforge.net/tdz.asc
Fingerprint:    16FF F599 82F8 E5AA 18C6 5220 D9DA D7D4 4EF1 DF08
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gmain.c.diff
Type: text/x-patch
Size: 280 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20090104/71a99f76/attachment-0001.bin 
-------------- next part --------------
Core was generated by `evolution --component=mail'.
Program terminated with signal 11, Segmentation fault.
[New process 4442]
[New process 4528]
[New process 4509]
[New process 4508]
[New process 4506]
[New process 4473]
#0  IA__g_main_context_check (context=0xb1b340, max_priority=0x7fffffff, fds=0x12fef80, n_fds=0x5) at /build/buildd/glib2.0-2.16.6/glib/gmain.c:2491

warning: Source file is more recent than executable.
2491	      if (pollrec->fd->events)
gdb> bt
#0  IA__g_main_context_check (context=0xb1b340, max_priority=0x7fffffff, fds=0x12fef80, n_fds=0x5) at /build/buildd/glib2.0-2.16.6/glib/gmain.c:2491
#1  0x00007f4c8c70be41 in g_main_context_iterate (context=0xb1b340, block=0x1, dispatch=0x1, self=<value optimized out>) at /build/buildd/glib2.0-2.16.6/glib/gmain.c:2642
#2  0x00007f4c8c70c48d in IA__g_main_loop_run (loop=0xb5aa00) at /build/buildd/glib2.0-2.16.6/glib/gmain.c:2853
#3  0x00007f4c91304336 in bonobo_main () from /usr/lib/libbonobo-2.so.0
#4  0x0000000000417af3 in main (argc=<value optimized out>, argv=0x7fff9fba5c68) at main.c:793
gdb> 


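The loop the report describes, reduced to a stand-alone model so the desync can be seen without a running Evolution. This is an added example, not GLib's gmain.c, and it is simplified: it assumes the internal list and the fds array hold the same entries in the same order. check_buggy advances the array index only when a record has events set and walks off the end of the list; check_fixed applies the report's increment-on-every-iteration change and adds an end-of-list guard.

```c
#include <stddef.h>

/* Stand-ins for GLib's GPollFD and for one record of the context's internal list. */
typedef struct { int fd; short events; short revents; } PollFD;
typedef struct PollRec { PollFD *fd; struct PollRec *next; } PollRec;
enum { N = 4 };

/* Model of the reported defect: i advances only when the record requested
 * events, but rec advances every iteration, so a record with events == 0
 * leaves i behind and the loop runs off the end of the list. */
static int check_buggy(PollRec *rec, const PollFD *fds, int n_fds)
{
    int i = 0;
    while (i < n_fds) {
        if (rec == NULL)
            return -1;          /* the original dereferences NULL here and crashes */
        if (rec->fd->events)
            rec->fd->revents = fds[i++].revents;
        rec = rec->next;
    }
    return i;
}

/* The fix the report proposes (increment on every iteration), plus a
 * list-end guard so a shorter list can never be walked past NULL. */
static int check_fixed(PollRec *rec, const PollFD *fds, int n_fds)
{
    int i;
    for (i = 0; i < n_fds && rec != NULL; i++, rec = rec->next)
        if (rec->fd->events)
            rec->fd->revents = fds[i].revents;
    return i;
}

/* Constructed scenario: four sources, same order in list and array, the third
 * requested no events. Each source's resulting revents lands in last_revents[]. */
static short last_revents[N];

static int run_check(int (*check)(PollRec *, const PollFD *, int))
{
    PollFD src[N]    = { {3, 1, 0}, {4, 1, 0}, {5, 0, 0}, {6, 1, 0} };
    PollFD polled[N] = { {3, 1, 1}, {4, 1, 2}, {5, 0, 4}, {6, 1, 8} };
    PollRec recs[N];
    for (int k = 0; k < N; k++)
        recs[k] = (PollRec){ &src[k], k + 1 < N ? &recs[k + 1] : NULL };
    int r = check(&recs[0], polled, N);
    for (int k = 0; k < N; k++)
        last_revents[k] = src[k].revents;
    return r;
}
```

With the buggy loop the last source receives the third entry's revents (the "invalid states" the report mentions) before the walk reaches NULL; the fixed loop keeps both in step.
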
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20090104/71a99f76/attachment-0001.pgp 

