Use after free in account channel requests
Submitted by Fabrice Bellet
Link to original bug (#768891)
Description
Hi,
valgrind identified the case of an object being used after free, occurring on the handler of the TpAccountChannelRequest req object being created when redialing in empathy_call_handler_start_call():
==10747== Invalid read of size 8
==10747== at 0xC17C4F7: handle_channels_context_prepare_cb (base-client.c:2362)
==10747== by 0xF9E0996: g_simple_async_result_complete (gsimpleasyncresult.c:801)
==10747== by 0xC22EA0C: context_check_prepare (handle-channels-context.c:554)
==10747== by 0xC22EA76: hcc_channel_prepare_cb (handle-channels-context.c:627)
==10747== by 0xF9E0996: g_simple_async_result_complete (gsimpleasyncresult.c:801)
==10747== by 0xF9E09F8: complete_in_idle_cb (gsimpleasyncresult.c:813)
==10747== by 0x10E05E59: g_main_dispatch (gmain.c:3154)
==10747== by 0x10E05E59: g_main_context_dispatch (gmain.c:3769)
==10747== by 0x10E061EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==10747== by 0x10E0629B: g_main_context_iteration (gmain.c:3901)
==10747== by 0xFA15A1B: g_application_run (gapplication.c:2311)
==10747== by 0x41064F: main (empathy-call.c:285)
==10747== Address 0x21ef4c60 is 240 bytes inside a block of size 288 free'd
==10747== at 0x4C29CF0: free (vg_replace_malloc.c:530)
==10747== by 0x10E0B63D: g_free (gmem.c:189)
==10747== by 0x10E22DCC: g_slice_free1 (gslice.c:1112)
==10747== by 0x10B9CEF1: g_type_free_instance (gtype.c:1945)
==10747== by 0xC1699AF: tp_account_channel_request_dispose (account-channel-request.c:208)
==10747== by 0x10B7E52B: g_object_unref (gobject.c:3142)
==10747== by 0xF9DFC71: g_simple_async_result_finalize (gsimpleasyncresult.c:260)
==10747== by 0x10B7E5AE: g_object_unref (gobject.c:3179)
==10747== by 0x10E02957: g_source_callback_unref (gmain.c:1561)
==10747== by 0x10E04115: g_source_destroy_internal (gmain.c:1207)
==10747== by 0x10E05EEF: g_main_dispatch (gmain.c:3177)
==10747== by 0x10E05EEF: g_main_context_dispatch (gmain.c:3769)
==10747== by 0x10E061EF: g_main_context_iterate.isra.29 (gmain.c:3840)
==10747== by 0x10E0629B: g_main_context_iteration (gmain.c:3901)
==10747== by 0xFA15A1B: g_application_run (gapplication.c:2311)
==10747== by 0x41064F: main (empathy-call.c:285)
==10747== Block was alloc'd at
==10747== at 0x4C28BF6: malloc (vg_replace_malloc.c:299)
==10747== by 0x10E0B528: g_malloc (gmem.c:94)
==10747== by 0x10E22652: g_slice_alloc (gslice.c:1007)
==10747== by 0x10E22CED: g_slice_alloc0 (gslice.c:1032)
==10747== by 0x10B9CC29: g_type_create_instance (gtype.c:1847)
==10747== by 0x10B7EB7A: g_object_new_internal (gobject.c:1779)
==10747== by 0x10B80A14: g_object_new_valist (gobject.c:2038)
==10747== by 0x10B80D80: g_object_new (gobject.c:1622)
==10747== by 0xC253ED2: tp_simple_handler_new_with_factory (simple-handler.c:439)
==10747== by 0xC168671: request_and_handle_channel_async (account-channel-request.c:1057)
==10747== by 0x413024: empathy_call_handler_start_call (empathy-call-handler.c:932)
==10747== by 0x41B564: start_call (empathy-call-window.c:3658)
==10747== by 0x41C41E: empathy_call_window_restart_call (empathy-call-window.c:4115)
==10747== by 0x4133EE: empathy_call_window_video_call_cb (empathy-call-window.c:354)
==10747== by 0x10B799D3: _g_closure_invoke_va (gclosure.c:864)
==10747== by 0x10B942BC: g_signal_emit_valist (gsignal.c:3292)
==10747== by 0x10B94DC4: g_signal_emit_by_name (gsignal.c:3479)
==10747== by 0x10B799D3: _g_closure_invoke_va (gclosure.c:864)
==10747== by 0x10B942BC: g_signal_emit_valist (gsignal.c:3292)
==10747== by 0x10B948FE: g_signal_emit (gsignal.c:3439)
Version: 3.12.x
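Reading the two stacks in the report together: the block is a TpAccountChannelRequest allocated in request_and_handle_channel_async(), it is disposed when a GSimpleAsyncResult is finalized as the main loop destroys its idle source (g_source_destroy_internal -> g_simple_async_result_finalize -> tp_account_channel_request_dispose), and a later main-loop iteration then runs handle_channels_context_prepare_cb(), which still reads from the freed block. That is the classic GObject lifetime mistake where a context holds a borrowed pointer while the only real reference is owned by an async result that can be finalized first. The following plain-C model is an added example, not telepathy-glib or Empathy code; the object, the context, the names run_redial() and quarantine_flush(), and the poison-and-quarantine trick used to make the dangling read detectable without undefined behaviour are all constructed here. It shows the borrowed-pointer case beside the fix of having the handler context take its own reference for the lifetime of the pending operation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug: the request's sole reference is owned by an
 * async result; the handler context only borrows a pointer. Disposed objects
 * are poisoned and parked in a quarantine instead of free()d so the stale
 * read is reported deterministically (valgrind would report "Invalid read"). */

#define LIVE_MAGIC 0x4C495645u /* "LIVE" */
#define DEAD_MAGIC 0x44454144u /* "DEAD" */

enum { PREPARE_OK = 0, PREPARE_USE_AFTER_FREE = 1 };

typedef struct Request {
    unsigned magic;
    int refcount;
    char target[32];
    struct Request *quarantine_next;
} Request;

static Request *quarantine = NULL;

static Request *request_new(const char *target)
{
    Request *r = calloc(1, sizeof *r);
    if (!r) abort();
    r->magic = LIVE_MAGIC;
    r->refcount = 1;
    snprintf(r->target, sizeof r->target, "%s", target);
    return r;
}

static Request *request_ref(Request *r) { r->refcount++; return r; }

/* Drop one reference; at zero the object is "disposed": poisoned, quarantined. */
static void request_unref(Request *r)
{
    if (--r->refcount > 0) return;
    r->magic = DEAD_MAGIC;
    memset(r->target, 0, sizeof r->target);
    r->quarantine_next = quarantine;
    quarantine = r;
}

/* Context passed to the handler's prepare callback. */
typedef struct {
    Request *req;
    int owns_ref;   /* 1 when the context took its own reference (the fix) */
} HandlerContext;

/* Stand-in for handle_channels_context_prepare_cb(): dereferences the request. */
static int handle_channels_context_prepare_cb(HandlerContext *ctx)
{
    if (ctx->req->magic != LIVE_MAGIC)
        return PREPARE_USE_AFTER_FREE;
    return strlen(ctx->req->target) > 0 ? PREPARE_OK : PREPARE_USE_AFTER_FREE;
}

/* Replay the redial sequence; context_takes_ref selects borrowed (0) or owned (1). */
static int run_redial(int context_takes_ref)
{
    Request *req = request_new("sip:alice"); /* hypothetical target; ref owned by async result */
    Request *async_result_owner = req;

    HandlerContext ctx;
    ctx.owns_ref = context_takes_ref;
    ctx.req = context_takes_ref ? request_ref(req) : req;

    /* Main-loop iteration 1: the request's async result is finalized and drops
     * its reference, which disposes the request. */
    request_unref(async_result_owner);
    async_result_owner = NULL;

    /* Main-loop iteration 2: the channel prepare completes and the handler
     * callback runs with whatever pointer the context holds. */
    int rc = handle_channels_context_prepare_cb(&ctx);

    if (ctx.owns_ref)
        request_unref(ctx.req);
    ctx.req = NULL;
    return rc;
}

/* Release quarantined objects once nothing can reference them. */
static void quarantine_flush(void)
{
    while (quarantine) {
        Request *next = quarantine->quarantine_next;
        free(quarantine);
        quarantine = next;
    }
}

int main(void)
{
    printf("borrowed pointer: %s\n", run_redial(0) == PREPARE_OK ? "ok" : "use-after-free");
    printf("owned reference:  %s\n", run_redial(1) == PREPARE_OK ? "ok" : "use-after-free");
    quarantine_flush();
    return 0;
}
```

The borrowed variant reproduces the ordering in the trace: the first async completion is the request's last owner, so the second completion dereferences a disposed object. The owned variant is the usual remedy in GObject code, taking a reference when the context is created and releasing it when the callback has finished, so finalization order of the two async results no longer matters. Running the real program under valgrind, as the reporter did, remains the check that the fix actually removes the invalid read rather than merely moving it.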