[frogr/frogr-0.6.x: 5/9] fix use after free in _fetch_account_info_cb (#656519)



commit 54f2d952e4fc15d108426eac0df7631f5acd3ad1
Author: Christophe Fergeau <teuf gnome org>
Date:   Sun Aug 14 15:02:39 2011 +0200

    fix use after free in _fetch_account_info_cb (#656519)
    
    valgrind reports
    ==9225== Invalid read of size 1
    ==9225==    at 0x4A079D8: strcmp (mc_replace_strmem.c:538)
    ==9225==    by 0x41C9B6: _fetch_account_info_cb (frogr-controller.c:1503)
    ==9225==    by 0x344F464D98: complete_in_idle_cb (gsimpleasyncresult.c:757)
    ==9225==    by 0x344E0427EC: g_main_context_dispatch (gmain.c:2441)
    ==9225==    by 0x344E042FC7: g_main_context_iterate (gmain.c:3092)
    ==9225==    by 0x344E04360C: g_main_loop_run (gmain.c:3300)
    ==9225==    by 0x4D7D36C: gtk_main (in /usr/lib64/libgtk-3.so.0.0.12)
    ==9225==    by 0x41DE7D: frogr_controller_run_app (frogr-controller.c:2103)
    ==9225==    by 0x434A30: main (main.c:110)
    ==9225==  Address 0xd2d67b1 is 1 bytes inside a block of size 19 free'd
    ==9225==    at 0x4A055FE: free (vg_replace_malloc.c:366)
    ==9225==    by 0x344E049742: g_free (gmem.c:263)
    ==9225==    by 0x40FBF6: frogr_account_set_fullname (frogr-account.c:405)
    ==9225==    by 0x41C984: _fetch_account_info_cb (frogr-controller.c:1500)
    ==9225==    by 0x344F464D98: complete_in_idle_cb (gsimpleasyncresult.c:757)
    ==9225==    by 0x344E0427EC: g_main_context_dispatch (gmain.c:2441)
    ==9225==    by 0x344E042FC7: g_main_context_iterate (gmain.c:3092)
    ==9225==    by 0x344E04360C: g_main_loop_run (gmain.c:3300)
    ==9225==    by 0x4D7D36C: gtk_main (in /usr/lib64/libgtk-3.so.0.0.12)
    ==9225==    by 0x41DE7D: frogr_controller_run_app (frogr-controller.c:2103)
    ==9225==    by 0x434A30: main (main.c:110)
    ==9225==
    
    This is caused by _fetch_account_info_cb doing
    old_username = frogr_account_get_username (priv->account);
    frogr_account_set_username (priv->account, auth_token->username);
    if (g_strcmp0 (old_username, auth_token->username))
        ....
    
    frogr_account_get_username doesn't return a copied string but a
    direct pointer to the username string stored in the account.
    frogr_account_set_username frees that string before setting the new
    name, which will lead to the g_strcmp0 being done on already freed memory.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=656519

 src/frogr-controller.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)
---
diff --git a/src/frogr-controller.c b/src/frogr-controller.c
index acc6209..1945b50 100644
--- a/src/frogr-controller.c
+++ b/src/frogr-controller.c
@@ -1396,18 +1396,23 @@ _fetch_account_info_cb (GObject *object, GAsyncResult *res, gpointer data)
       FrogrControllerPrivate *priv = NULL;
       const gchar *old_username = NULL;
       const gchar *old_fullname = NULL;
+      gboolean username_changed = FALSE;
 
       priv = FROGR_CONTROLLER_GET_PRIVATE (controller);
 
       /* Check for changes (only for fields that it makes sense) */
       old_username = frogr_account_get_username (priv->account);
       old_fullname = frogr_account_get_fullname (priv->account);
+      if (g_strcmp0 (old_username, auth_token->username)
+          || g_strcmp0 (old_fullname, auth_token->fullname))
+        {
+          username_changed = TRUE;
+        }
 
       frogr_account_set_username (priv->account, auth_token->username);
       frogr_account_set_fullname (priv->account, auth_token->fullname);
 
-      if (g_strcmp0 (old_username, auth_token->username)
-          || g_strcmp0 (old_fullname, auth_token->fullname))
+      if (username_changed)
         {
           /* Save to disk and emit signal if basic info changed */
           frogr_config_save_accounts (priv->config);
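Review bot: After the two setter calls at the middle of the hunk, `old_username` and `old_fullname` are dangling pointers into memory that `frogr_account_set_username()`/`frogr_account_set_fullname()` have just freed, and nothing in the new code records that the comparison must stay ahead of the setters, so the same use-after-free can return with a reorder. I would add `old_username = old_fullname = NULL;` right after the two `frogr_account_set_*` lines, and precede the new comparison with `/* Compare before the setters: the getters return the account's own buffers, which frogr_account_set_username()/set_fullname() free. */`. The flag `username_changed` is also set when only the fullname differs, so a name such as `account_info_changed` would match what it tracks. `_fetch_account_info_cb` begins before this hunk and its body continues past it, so any later reads of the two old pointers are not visible here.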


