Bug#565915: libsoup2.4: Segmentation fault in read_metadata()

Ying-Chun Liu (PaulLiu) paul.liu at canonical.com
Tue Jan 19 16:47:06 UTC 2010


Package: libsoup2.4
Version: 2.29.5-2
Severity: important
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu

*** Please type your report below this line ***

libsoup2.4 crashes because the return value of g_byte_array_append is ignored.

= Backtrace =

Core was generated by `/usr/lib/mojito/mojito-core'.
Program terminated with signal 11, Segmentation fault.
#0 0x004d30fc in ?? () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0 0x004d30fc in ?? () from /lib/tls/i686/cmov/libc.so.6
#1 0x004d54b2 in ?? () from /lib/tls/i686/cmov/libc.so.6
#2 0x004d8319 in ?? () from /lib/tls/i686/cmov/libc.so.6
#3 0x004d882d in realloc () from /lib/tls/i686/cmov/libc.so.6
#4 0x003f31cf in g_realloc () from /lib/libglib-2.0.so.0
#5 0x003c516b in ?? () from /lib/libglib-2.0.so.0
#6 0x003c56d9 in g_array_append_vals () from /lib/libglib-2.0.so.0
#7 0x003c5760 in g_byte_array_append () from /lib/libglib-2.0.so.0
#8 0x001a8ab9 in read_metadata (msg=<value optimized out>, to_blank=<value optimized out>) at soup-message-io.c:318
#9 0x001a8dec in io_read (sock=0x89fd730, msg=0x89db280) at soup-message-io.c:809
#10 0x001a5f73 in soup_message_send_request (req=0x89db280, sock=0x89fd730, conn=0x89cdb80, is_via_proxy=0) at soup-message-client-io.c:150
#11 0x00198764 in soup_connection_send_request (conn=0x89cdb80, req=0x89db280) at soup-connection.c:677
#12 0x001b0cc4 in soup_session_send_queue_item (session=0x89b3480, item=0x8aa2c30, conn=0x89cdb80) at soup-session.c:1162
#13 0x001b3a7b in process_queue_item (item=<value optimized out>) at soup-session-sync.c:263
#14 0x001b3e91 in queue_message_thread (data=0x8aa2c30) at soup-session-sync.c:285
#15 0x0041536f in ?? () from /lib/libglib-2.0.so.0
#16 0x00eb480e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#17 0x005347ee in clone () from /lib/tls/i686/cmov/libc.so.6

= Code =
== soup-message-io.c ==
...
316:                switch (status) {
317:                case SOUP_SOCKET_OK:
318:                        g_byte_array_append (io->read_meta_buf, read_buf, nread);
...

It is because the space of io->read_meta_buf is not enough to append read_buf into it. So a realloc
is called inside g_byte_array_append(). The new pointer will be returned by g_byte_array_append().
So it's better to use
io->read_meta_buf = g_byte_array_append(io->read_meta_buf, read_buf, nread);

I used
grep g_byte_array_append -r .
in the source tree and found there are more than this one, so it's better to rewrite all g_byte_array_append
calls this way.

I attached a patch to fix this bug.

Thanks,
Paul

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-2-686 (SMP w/1 CPU core)
Locale: LANG=zh_TW.UTF-8, LC_CTYPE=zh_TW.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


-------------- next part --------------
A non-text attachment was scrubbed...
Name: soup-message-io.c.patch
Type: text/x-patch
Size: 564 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20100120/ee74ca0e/attachment-0001.bin>