[frogr/frogr-0.6.x: 5/9] fix use after free in _fetch_account_info_cb (#656519)
- From: Mario Sanchez Prada <msanchez src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [frogr/frogr-0.6.x: 5/9] fix use after free in _fetch_account_info_cb (#656519)
- Date: Fri, 19 Aug 2011 13:39:20 +0000 (UTC)
commit 54f2d952e4fc15d108426eac0df7631f5acd3ad1
Author: Christophe Fergeau <teuf gnome org>
Date: Sun Aug 14 15:02:39 2011 +0200
fix use after free in _fetch_account_info_cb (#656519)
valgrind reports
==9225== Invalid read of size 1
==9225== at 0x4A079D8: strcmp (mc_replace_strmem.c:538)
==9225== by 0x41C9B6: _fetch_account_info_cb (frogr-controller.c:1503)
==9225== by 0x344F464D98: complete_in_idle_cb (gsimpleasyncresult.c:757)
==9225== by 0x344E0427EC: g_main_context_dispatch (gmain.c:2441)
==9225== by 0x344E042FC7: g_main_context_iterate (gmain.c:3092)
==9225== by 0x344E04360C: g_main_loop_run (gmain.c:3300)
==9225== by 0x4D7D36C: gtk_main (in /usr/lib64/libgtk-3.so.0.0.12)
==9225== by 0x41DE7D: frogr_controller_run_app (frogr-controller.c:2103)
==9225== by 0x434A30: main (main.c:110)
==9225== Address 0xd2d67b1 is 1 bytes inside a block of size 19 free'd
==9225== at 0x4A055FE: free (vg_replace_malloc.c:366)
==9225== by 0x344E049742: g_free (gmem.c:263)
==9225== by 0x40FBF6: frogr_account_set_fullname (frogr-account.c:405)
==9225== by 0x41C984: _fetch_account_info_cb (frogr-controller.c:1500)
==9225== by 0x344F464D98: complete_in_idle_cb (gsimpleasyncresult.c:757)
==9225== by 0x344E0427EC: g_main_context_dispatch (gmain.c:2441)
==9225== by 0x344E042FC7: g_main_context_iterate (gmain.c:3092)
==9225== by 0x344E04360C: g_main_loop_run (gmain.c:3300)
==9225== by 0x4D7D36C: gtk_main (in /usr/lib64/libgtk-3.so.0.0.12)
==9225== by 0x41DE7D: frogr_controller_run_app (frogr-controller.c:2103)
==9225== by 0x434A30: main (main.c:110)
==9225==
This is caused by _fetch_account_info_cb doing
old_username = frogr_account_get_username (priv->account);
frogr_account_set_username (priv->account, auth_token->username);
if (g_strcmp0 (old_username, auth_token->username))
....
frogr_account_get_username doesn't return a copied string but a
direct pointer to the username string stored in the account.
frogr_account_set_username frees that string before setting the new
name, which will lead to the g_strcmp0 being done on already freed memory.
https://bugzilla.gnome.org/show_bug.cgi?id=656519
src/frogr-controller.c | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)
---
diff --git a/src/frogr-controller.c b/src/frogr-controller.c
index acc6209..1945b50 100644
--- a/src/frogr-controller.c
+++ b/src/frogr-controller.c
@@ -1396,18 +1396,23 @@ _fetch_account_info_cb (GObject *object, GAsyncResult *res, gpointer data)
FrogrControllerPrivate *priv = NULL;
const gchar *old_username = NULL;
const gchar *old_fullname = NULL;
+ gboolean username_changed = FALSE;
priv = FROGR_CONTROLLER_GET_PRIVATE (controller);
/* Check for changes (only for fields that it makes sense) */
old_username = frogr_account_get_username (priv->account);
old_fullname = frogr_account_get_fullname (priv->account);
+ if (g_strcmp0 (old_username, auth_token->username)
+ || g_strcmp0 (old_fullname, auth_token->fullname))
+ {
+ username_changed = TRUE;
+ }
frogr_account_set_username (priv->account, auth_token->username);
frogr_account_set_fullname (priv->account, auth_token->fullname);
- if (g_strcmp0 (old_username, auth_token->username)
- || g_strcmp0 (old_fullname, auth_token->fullname))
+ if (username_changed)
{
/* Save to disk and emit signal if basic info changed */
frogr_config_save_accounts (priv->config);
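Review bot: `username_changed` is a misleading name for the new flag, because the `if` at the top of the hunk also sets it when only the full name differs (`|| g_strcmp0 (old_fullname, auth_token->fullname)`); the existing comment already calls this "basic info", so a name like `account_info_changed` would match what is actually tracked. The reordering itself is the right fix: both comparisons now run while `old_username` and `old_fullname` still point at live strings, the setters free those strings afterwards, and neither pointer is read again in the hunk, so no dangling access remains.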
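The ownership rule the commit message describes, as an added example that is not frogr's code: a hypothetical `Account` whose getter returns a borrowed pointer and whose setter frees the old string, with the compare-after-set ordering that valgrind flagged next to the compare-before-set ordering the commit adopts.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for FrogrAccount: the username string is owned by
 * the struct, so the getter hands out a borrowed pointer and the setter
 * frees the previous value. */
typedef struct {
    char *username;
} Account;

/* Borrowed pointer: valid only until the next account_set_username(). */
const char *account_get_username(const Account *a) { return a->username; }

/* Frees the old string first, exactly the behaviour that makes the
 * borrowed pointer dangle. */
void account_set_username(Account *a, const char *name) {
    free(a->username);
    a->username = name ? strdup(name) : NULL;
}

/* NULL-tolerant comparison, returns 1 when the values differ (same contract
 * as g_strcmp0 being non-zero). */
int str_changed(const char *x, const char *y) {
    if (x == NULL || y == NULL) return x != y;
    return strcmp(x, y) != 0;
}

/* Original ordering from the commit message: the setter has already freed the
 * block that old_username points into, so str_changed reads freed memory.
 * Shown for contrast only; never call it (the test below does not). */
int update_username_use_after_free(Account *a, const char *new_name) {
    const char *old_username = account_get_username(a);
    account_set_username(a, new_name);
    return str_changed(old_username, new_name); /* invalid read */
}

/* Fixed ordering, as in the commit: decide whether the value changed while the
 * old string is still alive, then let the setter free it. Copying the old
 * value (strdup) would be the other valid fix. */
int update_username_fixed(Account *a, const char *new_name) {
    const char *old_username = account_get_username(a);
    int changed = str_changed(old_username, new_name);
    account_set_username(a, new_name);
    /* old_username is dangling from here on and must not be read. */
    return changed;
}

int main(void) {
    Account acc = { strdup("alice") };             /* constructed sample */
    int changed = update_username_fixed(&acc, "bob");
    free(acc.username);
    return changed == 1 ? 0 : 1;
}
```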