[Tracker] [PATCH] trackerd null termination of tracker_db_search_text result
- From: Quirky <quirky zoom co uk>
- To: tracker-list gnome org
- Subject: [Tracker] [PATCH] trackerd null termination of tracker_db_search_text result
- Date: Sun, 22 Oct 2006 21:28:26 +0200
Please consider the attached patch that fixes a random crash when
performing a search but the returned hit IDs are not all converted to
path results.
The crash was caused when freeing an out-of-bounds pointer or
dereferencing such a pointer in the function
tracker_dbus_method_search_text. Around tracker-dbus-search.c line 90,
the array "res" has its length determined by running through it until a
NULL is found. There is a possibility that the array returned from
tracker_db_search_text is not NULL-terminated correctly. If this is the
case, then there could be a non-NULL array entry that is not a valid
pointer, but random garbage memory.
For example, in tracker_db_search_text, str_id was "3101" and the
GetFileByID execution returned a "null" result. So out of 22 results,
only 20 were placed in the returned array. The null end was set at
res[21] (initial value of count). When dereferencing e.g. res[20] in the
caller function, trackerd segfaults.
Not sure what caused this set up in the database, but it makes things a
bit more robust in this case.
cheers,
Rich
Index: src/trackerd/tracker-db-sqlite.c
===================================================================
RCS file: /cvs/gnome/tracker/src/trackerd/tracker-db-sqlite.c,v
retrieving revision 1.25
diff -u -p -r1.25 tracker-db-sqlite.c
--- src/trackerd/tracker-db-sqlite.c 22 Oct 2006 17:47:50 -0000 1.25
+++ src/trackerd/tracker-db-sqlite.c 22 Oct 2006 19:11:31 -0000
@@ -1736,7 +1736,6 @@ tracker_db_search_text (DBConnection *db
if (!save_results) {
count = g_slist_length (hit_list);
result = g_new ( char *, count + 1);
- result[count] = NULL;
} else {
tracker_db_start_transaction (db_con);
tracker_exec_proc (db_con, "DeleteSearchResults1", 0);
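Review bot: dropping `result[count] = NULL;` at allocation time means the array is unterminated from `g_new` until the terminator write at the end of the search loop, so any early `return` or `break` between the two would hand the caller exactly the unterminated array this patch is trying to get rid of. Either keep this line (it only writes the slot at the upper bound and is harmless) or allocate with `g_new0 (char *, count + 1)` so every slot starts out NULL regardless of which path leaves the function.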
@@ -1801,13 +1800,14 @@ tracker_db_search_text (DBConnection *db
}
result[count] = (char *) row;
+ count++;
}
tracker_db_free_result (res);
}
- count++;
}
+ result[count] = NULL;
if (save_results) {
tracker_db_end_transaction (db_con);
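Review bot: the new `result[count] = NULL;` sits outside the `if (!save_results)` branch, yet the only `g_new` of `result` visible in this patch is inside that branch, so on the `save_results` path this writes through whatever `result` happens to hold. Guard it as `if (!save_results) { result[count] = NULL; }` or show where `result` is allocated for the `save_results` case. Moving `count++` inside the loop so it only advances when a row is actually stored is the right fix for the gap between hit count and stored entries, but since `count` also served as the `g_new` size it should be confirmed that it is reset to 0 before the loop begins.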