[Pidgin] #5937: xmpp: double free in jabber_close

Pidgin trac at pidgin.im
Wed May 28 00:40:51 EDT 2008


#5937: xmpp: double free in jabber_close
----------------------+-----------------------------------------------------
Reporter:  moonlight  |       Owner:  nwalp          
    Type:  defect     |      Status:  new            
Priority:  minor      |   Component:  XMPP           
 Version:             |    Keywords:  xmpp crash exit
 Pending:  0          |  
----------------------+-----------------------------------------------------
 Hi,

 I get regular crashes when quitting pidgin - sometimes a segv, sometimes
 glibc detects a double free. I got the following results for the relevant
 crashes using valgrind:

 {{{
 ==25097==
 ==25097== Invalid free() / delete / delete[]
 ==25097==    at 0x402265C: free (vg_replace_malloc.c:323)
 ==25097==    by 0x48FE5B0: g_free (in /usr/lib/libglib-2.0.so.0.1600.3)
 ==25097==    by 0x54C3F9D: jabber_close (jabber.c:1330)
 ==25097==    by 0x49AFEA2: purple_connection_destroy (connection.c:263)
 ==25097==    by 0x499A662: purple_account_disconnect (account.c:1174)
 ==25097==    by 0x49AF2C7: purple_connections_disconnect_all (connection.c:620)
 ==25097==    by 0x49B704D: purple_core_quit (core.c:196)
 ==25097==    by 0x44AC315: (within /usr/lib/libgtk-x11-2.0.so.0.1200.9)
 ==25097==    by 0x48919BE: g_cclosure_marshal_VOID__VOID (in /usr/lib/libgobject-2.0.so.0.1600.3)
 ==25097==    by 0x48846F8: g_closure_invoke (in /usr/lib/libgobject-2.0.so.0.1600.3)
 ==25097==    by 0x4898C3C: (within /usr/lib/libgobject-2.0.so.0.1600.3)
 ==25097==    by 0x489A835: g_signal_emit_valist (in /usr/lib/libgobject-2.0.so.0.1600.3)
 ==25097==  Address 0x61e0168 is 0 bytes inside a block of size 33 free'd
 ==25097==    at 0x402265C: free (vg_replace_malloc.c:323)
 ==25097==    by 0x48FE5B0: g_free (in /usr/lib/libglib-2.0.so.0.1600.3)
 ==25097==    by 0x54B0AC0: jabber_auth_handle_challenge (auth.c:947)
 ==25097==    by 0x54C57A9: jabber_process_packet (jabber.c:222)
 ==25097==    by 0x54C8938: jabber_parser_element_end_libxml (parser.c:116)
 ==25097==    by 0x428D073: (within /usr/lib/libxml2.so.2.6.32)
 ==25097==    by 0x4299D33: xmlParseChunk (in /usr/lib/libxml2.so.2.6.32)
 ==25097==    by 0x54C881E: jabber_parser_process (parser.c:195)
 ==25097==    by 0x54C5306: jabber_recv_cb_ssl (jabber.c:441)
 ==25097==    by 0x49E351C: recv_cb (sslconn.c:143)
 ==25097==    by 0x80A6E62: pidgin_io_invoke (gtkeventloop.c:78)
 ==25097==    by 0x492A64C: (within /usr/lib/libglib-2.0.so.0.1600.3)
 }}}

 Initializing expected_rspauth with 0 after the g_free in auth.c prevents
 the crash.

 Used version: current im.pidgin.pidgin.next.minor

-- 
Ticket URL: <http://developer.pidgin.im/ticket/5937>
Pidgin <http://pidgin.im>
Pidgin
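The bug pattern in this ticket, reduced to a stand-alone C demo (added here as an illustration; this is not Pidgin's or libpurple's code). The valgrind trace shows one allocation freed in jabber_auth_handle_challenge (auth.c:947) and freed again in jabber_close (jabber.c:1330), and the reporter's fix is to clear the pointer after the first g_free. The struct name JabberStream and the two handler functions below are simplified stand-ins for the real ones; the rspauth value is a constructed sample. A small bookkeeping allocator stands in for glibc/valgrind so the second free is counted rather than corrupting the heap, which lets the buggy and fixed sequences run side by side.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the stream state touched in the trace; the real
 * libpurple JabberStream has many more fields. */
typedef struct {
    char *expected_rspauth;  /* DIGEST-MD5 rspauth we expect from the server */
} JabberStream;

/* Tiny bookkeeping allocator: remembers live blocks so a second free of the
 * same pointer is counted (what valgrind reports as "Invalid free()")
 * instead of corrupting the heap. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static char *tracked_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    memcpy(p, s, n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    abort(); /* too many live blocks for this demo */
}

static void tracked_free(void *p) {
    if (!p) return;  /* like g_free()/free(): freeing NULL is a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;  /* pointer is not live: this is a double free */
}

static void reset_tracker(void) {
    memset(live, 0, sizeof live);
    double_frees = 0;
}

/* Buggy shape: the challenge handler frees expected_rspauth once the server's
 * rspauth has been checked, but leaves the dangling pointer in the stream. */
static void handle_challenge_buggy(JabberStream *js, const char *rspauth) {
    if (js->expected_rspauth && strcmp(rspauth, js->expected_rspauth) == 0) {
        tracked_free(js->expected_rspauth);
        /* missing: js->expected_rspauth = NULL; */
    }
}

/* Fixed shape (the reporter's suggestion): clear the pointer after freeing,
 * so the later free in close becomes a harmless free(NULL). */
static void handle_challenge_fixed(JabberStream *js, const char *rspauth) {
    if (js->expected_rspauth && strcmp(rspauth, js->expected_rspauth) == 0) {
        tracked_free(js->expected_rspauth);
        js->expected_rspauth = NULL;
    }
}

/* Stand-in for the cleanup jabber_close does on quit. */
static void stream_close(JabberStream *js) {
    tracked_free(js->expected_rspauth);
    js->expected_rspauth = NULL;
}

/* Run the auth-then-quit sequence from the trace and return how many
 * double frees the tracker observed. */
static int simulate(void (*handle)(JabberStream *, const char *)) {
    /* constructed sample rspauth value */
    static const char sample[] = "ea40f60335c427b5527b84dbabcdfffd";
    reset_tracker();
    JabberStream js = { .expected_rspauth = tracked_strdup(sample) };
    handle(&js, sample);   /* server's rspauth matches: handler frees it */
    stream_close(&js);     /* purple_core_quit -> jabber_close path */
    return double_frees;
}

int main(void) {
    printf("buggy: %d double free(s)\n", simulate(handle_challenge_buggy));
    printf("fixed: %d double free(s)\n", simulate(handle_challenge_fixed));
    return 0;
}
```

The fixed variant works because both g_free() and free() accept NULL; the only change is that the stream no longer keeps a dangling pointer between the auth step and teardown. Clearing the pointer at the point of the first free (rather than only in close) is what makes the quit path safe regardless of which order the two frees happen in.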