Valgrind detects use-after-free in timeout_bubble
While running gnome-flashback under Valgrind to work out the source of a segfault in libgobject-2.0.so, I found a different (possibly unrelated) problem reported by Valgrind:
==1122289== Invalid write of size 4
==1122289== at 0x1AC0CB: timeout_bubble (gf-bubble.c:196)
==1122289== by 0x5C3102D: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7800.3)
==1122289== by 0x5C2D0D8: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7800.3)
==1122289== by 0x5C30316: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7800.3)
==1122289== by 0x5C30C1E: g_main_loop_run (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7800.3)
==1122289== by 0x12E3BC: main (gf-main.c:203)
==1122289== Address 0xc1be65c is 76 bytes inside a block of size 784 free'd
==1122289== at 0x48431EF: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1122289== by 0x5BAE85B: g_type_free_instance (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7800.3)
==1122289== by 0x1AC0C6: timeout_bubble (gf-bubble.c:194)
==1122289== by 0x5C3102D: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7800.3)
==1122289== by 0x5C2D0D8: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7800.3)
==1122289== by 0x5C30316: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7800.3)
==1122289== by 0x5C30C1E: g_main_loop_run (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7800.3)
==1122289== by 0x12E3BC: main (gf-main.c:203)
==1122289== Block was alloc'd at
==1122289== at 0x48459F3: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1122289== by 0x5C37279: g_malloc0 (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7800.3)
==1122289== by 0x5BAE3A6: g_type_create_instance (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7800.3)
==1122289== by 0x5B914FF: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7800.3)
==1122289== by 0x5B936C2: g_object_new_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7800.3)
==1122289== by 0x5B93A1C: g_object_new (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7800.3)
==1122289== by 0x1AD1DA: gf_bubble_new_for_notification (gf-bubble.c:621)
==1122289== by 0x1A9C3E: maybe_show_notification (nd-queue.c:583)
==1122289== by 0x1AA737: update_idle (nd-queue.c:882)
==1122289== by 0x5C2D0D8: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7800.3)
==1122289== by 0x5C30316: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7800.3)
==1122289== by 0x5C30C1E: g_main_loop_run (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7800.3)
==1122289==
I'm not familiar with glib/gtk code, but perhaps timeout_bubble should look like this instead?
static gboolean
timeout_bubble (gpointer user_data)
{
GfBubble *bubble;
- GfBubblePrivate *priv;
bubble = GF_BUBBLE (user_data);
- priv = gf_bubble_get_instance_private (bubble);
+ gf_bubble_get_instance_private (bubble)->timeout_id = 0;
gtk_widget_destroy (GTK_WIDGET (bubble));
- priv->timeout_id = 0;
return G_SOURCE_REMOVE;
}
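Review bot: the reordering is the right fix for the write at gf-bubble.c:196. The Valgrind trace shows the block freed by g_type_free_instance from inside the gtk_widget_destroy call at line 194, so destroying the widget can drop its last reference and the following `priv->timeout_id = 0;` writes 4 bytes into freed memory; clearing the id before the destroy, while the instance is still alive, removes the dangling access. Consider keeping the `priv` variable and just moving the assignment, i.e. `priv = gf_bubble_get_instance_private (bubble);`, `priv->timeout_id = 0;`, then `gtk_widget_destroy (GTK_WIDGET (bubble));`, rather than the chained `gf_bubble_get_instance_private (bubble)->timeout_id = 0;`, which is harder to read and diverges from the style of the surrounding code. Clearing the id before the destroy also matters for the other direction of the lifecycle: if the bubble's dispose handler removes a still-pending source with g_source_remove when timeout_id is non-zero, the id must be zero by the time the callback's own G_SOURCE_REMOVE return has already retired the source, otherwise dispose would try to remove an id that is no longer valid. Worth checking that such a removal exists in dispose, so that a bubble destroyed from elsewhere (for example by the queue) never leaves this callback registered with a dangling user_data.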