Please consider the attached patch that fixes a random crash when performing a search but the returned hit ids are not all converted to path results. The crash was caused when freeing an out-of-bounds pointer or dereferencing such a pointer in the function tracker_dbus_method_search_text. Around tracker-dbus-search.c line 90, the array "res" has its length determined by running through it until a NULL is found. There is a possibility that the array returned from tracker_db_search_text is not null-terminated correctly. If this is the case, then there could be a non-null array entry that is not a valid pointer, but random garbage memory. For example, in tracker_db_search_text, str_id was "3101" and the GetFileByID execution returned a "null" result. So out of 22 results, only 20 were placed in the returned array. The null end was set at res[21] (initial value of count). When dereferencing e.g. res[20] in the caller function, trackerd segfaults. Not sure what caused this set-up in the database, but it makes things a bit more robust in this case.

cheers, Rich
Index: src/trackerd/tracker-db-sqlite.c
===================================================================
RCS file: /cvs/gnome/tracker/src/trackerd/tracker-db-sqlite.c,v
retrieving revision 1.25
diff -u -p -r1.25 tracker-db-sqlite.c
--- src/trackerd/tracker-db-sqlite.c 22 Oct 2006 17:47:50 -0000 1.25
+++ src/trackerd/tracker-db-sqlite.c 22 Oct 2006 19:11:31 -0000
@@ -1736,7 +1736,6 @@ tracker_db_search_text (DBConnection *db
if (!save_results) {
count = g_slist_length (hit_list);
result = g_new ( char *, count + 1);
- result[count] = NULL;
} else {
tracker_db_start_transaction (db_con);
tracker_exec_proc (db_con, "DeleteSearchResults1", 0);
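Review bot: dropping `result[count] = NULL;` right after the `g_new (char *, count + 1)` allocation means the array is no longer terminated at the point it is created, so it now depends on the terminator written after the loop being reached on every path; the allocation also still sizes the array from `count` as the hit-list length while the second hunk reuses `count` as the write index, and the reset of `count` to 0 between this allocation and the loop is not in the hunk, so please confirm it is present in the surrounding code and that no early return between here and the end of the loop can leave `result` unterminated.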
@@ -1801,13 +1800,14 @@ tracker_db_search_text (DBConnection *db
}
result[count] = (char *) row;
+ count++;
}
tracker_db_free_result (res);
}
- count++;
}
+ result[count] = NULL;
if (save_results) {
tracker_db_end_transaction (db_con);
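Review bot: the new `result[count] = NULL;` is written unconditionally, but `result` is only allocated in the `if (!save_results)` branch of the first hunk; on the `save_results` path this line writes through whatever `result` holds. Wrap it as `if (!save_results) { result[count] = NULL; }` (or otherwise show that `result` is valid in both branches). Moving `count++` inside the block that stores `row` is the right fix for the reported gap, since the terminator now lands on the first unused slot rather than at the original hit-list length.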