Potential invalid writes on g_utf8_strreverse
Today I finally found the culprit to a frequently reported memory corruption on tracker-miner-fs, boils down to this:
[carlos@irma ~]$ cat blah.c
#include <glib.h>
int main (int argc, char *argv[])
{
return g_pattern_match_simple ("*a*a", "aa\363");
}
[carlos@irma ~]$ gcc -o blah `pkg-config --libs --cflags glib-2.0` blah.c
[carlos@irma ~]$ ./blah
double free or corruption (out)
Aborted (core dumped)
[carlos@irma ~]$ valgrind ./blah
==516441== Memcheck, a memory error detector
==516441== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==516441== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==516441== Command: ./blah
==516441==
==516441== Invalid write of size 1
==516441== at 0x48C0F5D: g_utf8_strreverse (gutf8.c:1777)
==516441== by 0x489F6F9: g_pattern_match (gpattern.c:212)
==516441== by 0x48A054A: g_pattern_match_simple (gpattern.c:437)
==516441== by 0x401143: main (in /home/carlos/blah)
==516441== Address 0x4becb7d is 3 bytes before a block of size 4 alloc'd
==516441== at 0x483880B: malloc (vg_replace_malloc.c:309)
==516441== by 0x4896F4E: g_malloc (gmem.c:99)
==516441== by 0x48C0F01: g_utf8_strreverse (gutf8.c:1769)
==516441== by 0x489F6F9: g_pattern_match (gpattern.c:212)
==516441== by 0x48A054A: g_pattern_match_simple (gpattern.c:437)
==516441== by 0x401143: main (in /home/carlos/blah)
==516441==
==516441==
==516441== HEAP SUMMARY:
==516441== in use at exit: 18,612 bytes in 6 blocks
==516441== total heap usage: 10 allocs, 4 frees, 18,650 bytes allocated
==516441==
==516441== LEAK SUMMARY:
==516441== definitely lost: 0 bytes in 0 blocks
==516441== indirectly lost: 0 bytes in 0 blocks
==516441== possibly lost: 0 bytes in 0 blocks
==516441== still reachable: 18,612 bytes in 6 blocks
==516441== suppressed: 0 bytes in 0 blocks
==516441== Rerun with --leak-check=full to see details of leaked memory
==516441==
==516441== For lists of detected and suppressed errors, rerun with: -s
==516441== ERROR SUMMARY: 3 errors from 1 contexts (suppressed: 0 from 0)
I know g_pattern* and g_utf8_strreverse underneath are notorious for wanting valid UTF-8 beforehand, but I guess "corrupts your memory" is an unintended side effect.
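The defensive takeaway from the trace above is that anything reaching g_pattern_match_simple (and through it g_utf8_strreverse) must be validated first, because a lead byte that promises more bytes than remain in the string lets the reversal step back before the start of its freshly allocated buffer. The following is an added example, not GLib's code and not the reporter's: a small self-contained UTF-8 validator of the kind g_utf8_validate provides, plus a reversal routine that refuses malformed input instead of walking off the buffer. It deliberately avoids linking against GLib so it compiles anywhere; the names utf8_seq_len, utf8_is_valid, utf8_reverse_checked and reverse_equals are hypothetical, and the "aa\363" input is the constructed reproducer from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length (1..4) of the well-formed UTF-8 sequence starting at p, or 0 when
 * the sequence is malformed or the lead byte promises more bytes than are
 * left before end. That truncation case is exactly what "aa\363" triggers. */
static size_t utf8_seq_len(const unsigned char *p, const unsigned char *end)
{
    size_t n;
    uint32_t cp;
    unsigned char c = p[0];

    if (c < 0x80) return 1;
    else if (c >= 0xC2 && c <= 0xDF) { n = 2; cp = c & 0x1F; }
    else if (c >= 0xE0 && c <= 0xEF) { n = 3; cp = c & 0x0F; }
    else if (c >= 0xF0 && c <= 0xF4) { n = 4; cp = c & 0x07; }
    else return 0;   /* stray continuation byte, 0xC0/0xC1 or 0xF5..0xFF */

    if ((size_t)(end - p) < n) return 0;   /* truncated multibyte sequence */
    for (size_t i = 1; i < n; i++) {
        if ((p[i] & 0xC0) != 0x80) return 0;   /* not a continuation byte */
        cp = (cp << 6) | (p[i] & 0x3F);
    }
    /* Reject overlong forms, UTF-16 surrogates and values above U+10FFFF. */
    if (n == 3 && cp < 0x800) return 0;
    if (n == 4 && (cp < 0x10000 || cp > 0x10FFFF)) return 0;
    if (cp >= 0xD800 && cp <= 0xDFFF) return 0;
    return n;
}

/* 1 if the first len bytes of s are well-formed UTF-8, else 0. */
int utf8_is_valid(const char *s, size_t len)
{
    const unsigned char *p = (const unsigned char *)s, *end = p + len;
    while (p < end) {
        size_t n = utf8_seq_len(p, end);
        if (n == 0) return 0;
        p += n;
    }
    return 1;
}

/* Reverse s character-wise into out (at least len + 1 bytes).
 * Returns 0 on success; returns -1 and leaves out untouched when s is not
 * valid UTF-8, so the write cursor can never move before out. */
int utf8_reverse_checked(const char *s, size_t len, char *out)
{
    if (!utf8_is_valid(s, len)) return -1;
    const unsigned char *p = (const unsigned char *)s, *end = p + len;
    char *w = out + len;
    *w = '\0';
    while (p < end) {
        size_t n = utf8_seq_len(p, end);   /* never 0: validated above */
        w -= n;                            /* stays >= out because every n was counted in len */
        memcpy(w, p, n);
        p += n;
    }
    return 0;
}

/* Convenience check: 1 if reversing s succeeds and yields expected. */
int reverse_equals(const char *s, size_t len, const char *expected)
{
    char buf[64];
    if (len >= sizeof buf) return 0;
    if (utf8_reverse_checked(s, len, buf) != 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: the report's reproducer and a valid two-byte case. */
    printf("\"aa\\363\" valid: %d\n", utf8_is_valid("aa\363", 3));
    printf("reverse(\"a\\303\\251b\") == \"b\\303\\251a\": %d\n",
           reverse_equals("a\303\251b", 4, "b\303\251a"));
    return 0;
}
```

The validator mirrors the rule that makes the reproducer dangerous: 0xF3 announces a four-byte sequence, but only one byte remains, so the check fails before any buffer is allocated. Calling such a gate on untrusted file names or pattern strings before handing them to the g_pattern* family is the mitigation; the crash itself is only the visible symptom of the invalid write valgrind reports.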