Possible SEGV (bad free) in gdk_pixbuf_io_init_modules()
There appears to be a possible SEGV (bad free) in gdk_pixbuf_io_init_modules(). The problem occurs here:
n_patterns++;
module->info->signature = (GdkPixbufModulePattern *)
g_realloc (module->info->signature, (n_patterns + 1) * sizeof (GdkPixbufModulePattern));
pattern = module->info->signature + n_patterns;
...
if (!scan_string (&p, tmp_buf))
goto context_error;
...
context_error:
g_free (pattern->prefix);
g_free (pattern->mask);
g_free (pattern); // <---- Possible bad free()
If n_patterns != 0, then pattern will not point to the base of the allocation, leading to a SEGV on my system. pattern is computed as module->info->signature + n_patterns, i.e. an interior pointer into the g_realloc'd signature array, so passing it to g_free() in the context_error path is an invalid free rather than a release of a separately allocated object.
To reproduce:
- Replace /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache with the attached (corrupt) version: loaders.cache
- Run gnome-calculator
Stack trace:
Thread 1 "gnome-calculato" received signal SIGSEGV, Segmentation fault.
0x00007ffff6c9f769 in arena_for_chunk (ptr=0x555555a290b8) at ./malloc/arena.c:156
...
#0 0x00007ffff6c9f769 in arena_for_chunk (ptr=0x555555a290b8) at ./malloc/arena.c:156
#1 arena_for_chunk (ptr=0x555555a290b8) at ./malloc/arena.c:160
#2 __GI___libc_free (mem=mem@entry=0x555555a290c8) at ./malloc/malloc.c:3366
#3 0x00007ffff7ec0729 in g_free (mem=mem@entry=0x555555a290c8) at ../../../glib/gmem.c:232
#4 0x00007ffff6791d98 in gdk_pixbuf_io_init_modules
(filename=filename@entry=0x5555559db650 "/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache", error=error@entry=0x0) at ../gdk-pixbuf/gdk-pixbuf-io.c:536
#5 0x00007ffff6794391 in gdk_pixbuf_io_init () at ../gdk-pixbuf/gdk-pixbuf-io.c:676
#6 get_file_formats () at ../gdk-pixbuf/gdk-pixbuf-io.c:179
#7 0x00007ffff6798d97 in gdk_pixbuf_get_formats () at ../gdk-pixbuf/gdk-pixbuf-io.c:3443
#8 0x00007ffff7a043f6 in init () at ../../../gdk/gdkcontentdeserializer.c:936
#9 0x00007ffff7a046c5 in init () at ../../../gdk/gdkcontentdeserializer.c:480
#10 gdk_content_formats_union_deserialize_gtypes (formats=0x555555713d10)
at ../../../gdk/gdkcontentdeserializer.c:465
#11 0x00007ffff79fb220 in gdk_clipboard_real_claim
(clipboard=0x5555559dad40, formats=0x555555713d10, local=0, content=0x0)
at ../../../gdk/gdkclipboard.c:170
#12 0x00007ffff79f0c57 in gdk_x11_clipboard_claim_remote
(cb=cb@entry=0x5555559dad40, timestamp=timestamp@entry=0) at ../../../gdk/x11/gdkclipboard-x11.c:413
#13 0x00007ffff79f0f45 in gdk_x11_clipboard_new
(display=0x555555696280, selection=0x7ffff7b0514b "CLIPBOARD")
at ../../../gdk/x11/gdkclipboard-x11.c:881
#14 0x00007ffff79e6e3f in gdk_x11_display_open (display_name=<optimized out>)
at ../../../gdk/x11/gdkdisplay-x11.c:1627
#15 0x00007ffff7a07427 in gdk_display_manager_open_display (manager=<optimized out>, name=0x0)
at ../../../gdk/gdkdisplaymanager.c:424
#16 0x00007ffff7780fd4 in gdk_display_open_default () at ../../../gdk/gdk.c:331
#17 gtk_init_check () at ../../../gtk/gtkmain.c:623
#18 gtk_init_check () at ../../../gtk/gtkmain.c:605
#19 0x00007ffff77811ed in gtk_init () at ../../../gtk/gtkmain.c:661
#20 0x00007ffff76c2a3c in gtk_application_startup (g_application=0x555555652f40)
at ../../../gtk/gtkapplication.c:259
#21 0x00007ffff71b9d3e in adw_application_startup (application=0x555555652f40)
at ../src/adw-application.c:176
#22 0x0000555555579298 in calculator_real_startup (base=0x555555652f40)
at src/gnome-calculator.p/gnome-calculator.c:592
#23 0x00007ffff7e3583c in _g_closure_invoke_va
(param_types=<optimized out>, n_params=<optimized out>, args=0x7fffffffdcc0, instance=<optimized out>, return_value=<optimized out>, closure=0x555555650ac0) at ../../../gobject/gclosure.c:895
#24 g_signal_emit_valist
(instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffdcc0) at ../../../gobject/gsignal.c:3462
#25 0x00007ffff7e35923 in g_signal_emit
(instance=instance@entry=0x555555652f40, signal_id=<optimized out>, detail=detail@entry=0)
at ../../../gobject/gsignal.c:3612
#26 0x00007ffff750c0a6 in g_application_register
(application=application@entry=0x555555652f40, cancellable=cancellable@entry=0x0, error=error@entry=0x7fffffffde30) at ../../../gio/gapplication.c:2213
#27 0x00007ffff750c7fe in g_application_real_local_command_line
(application=0x555555652f40, arguments=0x7fffffffde88, exit_status=0x7fffffffde84)
at ../../../gio/gapplication.c:1115
#28 0x00007ffff750cbc8 in g_application_run
(application=application@entry=0x555555652f40, argc=argc@entry=1, argv=argv@entry=0x7fffffffe008)
at ../../../gio/gapplication.c:2542
#29 0x000055555557070a in calculator_main (args_length1=1, args=0x7fffffffe008)
at src/gnome-calculator.p/gnome-calculator.c:1614
#30 main (argc=1, argv=0x7fffffffe008) at src/gnome-calculator.p/gnome-calculator.c:1624