[gmime-devel] Double free crash in g_mime_header_list_register_writer()
- From: Johan van den Berg <phenom jvdb gmail com>
- To: gmime-devel-list gnome org
- Subject: [gmime-devel] Double free crash in g_mime_header_list_register_writer()
- Date: Fri, 18 Jul 2014 13:09:27 +0200
Hi
I am using gmime 2.4.21 (installed with yum on RHEL6) and glib2
2.26.1, and I am trying to disable header folding.
The crash occurs when calling g_mime_header_list_register_writer().
Is there something I am missing?
Regards
Johan
*** glibc detected *** ./gmimetest: double free or corruption
(fasttop): 0x0000000002552910 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3209475916]
/usr/lib64/libgmime-2.4.so.2(g_mime_header_list_register_writer+0x62)[0x32fee1c642]
./gmimetest[0x401c13]
./gmimetest[0x4021c7]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x320941ecdd]
./gmimetest[0x401619]
This happens when g_free(okey) is called after
g_hash_lookup_extended() is called. As far as I can tell from my
debugger, okey points to an empty string, however I don't know glib
hash tables very well so this might not be relevant.
Snippet from cgdb in /usr/src/debug/gmime-2.4.21/gmime/gmime-header.c:
924| void
925| g_mime_header_list_register_writer (GMimeHeaderList *headers,
const char *name, GMimeHeaderWriter writer)
926| {
927| gpointer okey, oval;
928|
929| g_return_if_fail (headers != NULL);
930| g_return_if_fail (name != NULL);
931|
932| if (g_hash_table_lookup (headers->writers, name)) {
933| g_hash_table_lookup_extended (headers->writers,
name, &okey, &oval);
934| g_hash_table_remove (headers->writers, name);
935+> g_free (okey);
936| }
937|
938| if (writer)
939| g_hash_table_insert (headers->writers, g_strdup
(name), writer);
940| }
My offending code snippet:
--------------------------
#include <glib.h>
#include <gmime/gmime.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
void build_multipart(void);
ssize_t nonfolding_mime_header_writer (GMimeStream *stream, const char
* name, const char * value);
char * nonfolding_mime_header_printf(const char * format, ...);
int main (int argc, char **argv)
{
g_mime_init (0);
build_multipart();
return 0;
}
void build_multipart(void)
{
GMimeMultipart * multipart;
GMimeHeaderList * headers;
multipart = g_mime_multipart_new_with_subtype("related");
headers = g_mime_object_get_header_list((GMimeObject *) multipart);
g_mime_object_set_content_type_parameter((GMimeObject *)
multipart, "type", "text/xml");
g_mime_object_set_content_type_parameter((GMimeObject *)
multipart, "start", "<xyz>");
g_mime_header_list_register_writer(headers, "Content-Type",
nonfolding_mime_header_writer);
}
ssize_t nonfolding_mime_header_writer (GMimeStream *stream, const char
* name, const char * value)
{
ssize_t nwritten;
char * val;
val = nonfolding_mime_header_printf ("%s: %s\n", name, value);
nwritten = g_mime_stream_write_string (stream, val);
g_free (val);
return nwritten;
}
char * nonfolding_mime_header_printf(const char * format, ...)
{
char * buf;
va_list ap;
va_start (ap, format);
buf = g_strdup_vprintf (format, ap);
va_end (ap);
return buf;
}
--------------------------
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
