Bug 390901

Summary:	pidgin segfaults when logging into XMPP account
Product:	[Fedora] Fedora	Reporter:	James Ralston <ralston>
Component:	pidgin	Assignee:	Warren Togami <wtogami>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	low	Docs Contact:
Priority:	low
Version:	7	CC:	stu
Target Milestone:	---
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	2.3.1-1.fc7	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2008-01-07 01:18:08 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description James Ralston 2007-11-19 19:14:25 UTC

We have an internal XMPP (Jabber) server running Openfire.

If I set a buddy icon for this account, Pidgin segfaults upon login:

$ pidgin
libnm_glib_nm_state_cb: dbus returned an error.
  (org.freedesktop.DBus.Error.ServiceUnknown) The name
org.freedesktop.NetworkManager was not provided by any .service files
Pidgin has segfaulted and attempted to dump a core file.
This is a bug in the software and has happened through
no fault of your own.

If you can reproduce the crash, please notify the developers
by reporting a bug at:
http://developer.pidgin.im/simpleticket/

Please make sure to specify what you were doing at the time
and post the backtrace from the core file.  If you do not know
how to get the backtrace, please read the instructions at
http://developer.pidgin.im/wiki/GetABacktrace

If you need further assistance, please IM either SeanEgn or 
LSchiere (via AIM).  Contact information for Sean and Luke 
on other protocols is at
http://developer.pidgin.im/wiki/DeveloperPages
Aborted (core dumped)

Here's the backtrace (I've replaced some sensitive information with "XXXXXX",
but it's otherwise unmodified):

(gdb) thread apply all backtrace

Thread 2 (process 5091):
#0  0x0000003f2f8c82e6 in *__GI___poll (fds=0x76dd70, nfds=2, 
    timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:87
#1  0x0000003eeb82feae in g_main_context_iterate (context=0x74ce90, 
    block=1, dispatch=1, self=<value optimized out>) at gmain.c:2979
#2  0x0000003eeb83036a in IA__g_main_loop_run (loop=0x78b460)
    at gmain.c:2881
#3  0x000000390e803393 in libnm_glib_dbus_worker (user_data=0x77b1b0)
    at libnm_glib.c:425
#4  0x0000003eeb849354 in g_thread_create_proxy (data=0x74cfa0)
    at gthread.c:594
#5  0x0000003f318062f7 in start_thread (arg=<value optimized out>)
    at pthread_create.c:296
#6  0x0000003f2f8d0fbd in clone () from /lib64/libc.so.6

Thread 1 (process 5090):
#0  0x0000003f2f8305c5 in *__GI_raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003f2f832070 in *__GI_abort () at abort.c:88
#2  0x000000000047aa0c in sighandler (sig=<value optimized out>)
    at gtkmain.c:208
#3  <signal handler called>
#4  malloc_consolidate (av=0x3f2fb4c960) at malloc.c:4824
#5  0x0000003f2f870b1d in _int_malloc (av=0x3f2fb4c960, bytes=3072)
    at malloc.c:4162
#6  0x0000003f2f8724ed in *__GI___libc_malloc (bytes=3072)
    at malloc.c:3549
#7  0x0000003f3aae8ea2 in xmlDictCreate__internal_alias ()
    at dict.c:336
#8  0x0000003f3aa32f9c in xmlInitParserCtxt__internal_alias (
    ctxt=0xdd7fe0) at parserInternals.c:1517
#9  0x0000003f3aa3300e in xmlNewParserCtxt__internal_alias ()
    at parserInternals.c:1768
#10 0x0000003f3aa3520f in xmlCreateMemoryParserCtxt__internal_alias (
    buffer=0x3f2fb4c960 "\001", size=3072) at parser.c:12529
#11 0x0000003f3aa49c1d in xmlSAXUserParseMemory__internal_alias (
    sax=0x357cef27c0, user_data=0xdbe8a0, buffer=0xbe96a0 "", size=1)
    at parser.c:12680
#12 0x000000357cc976b1 in xmlnode_from_str (
    str=0x7b8800 "<vCard xmlns='vcard-temp'>\n  <N>\n   
<GIVEN>XXXXXXXXXXXXX</GIVEN>\n  </N> \n  <EMAIL>\n    <INTERNET/> \n   
<USERID>XXXXXXXXXXXXXXXXXXXX</USERID>\n  </EMAIL> \n  <FN>XXXXXXXXXXXXX</FN> \n
 <ADR>\n    <HOME/>"..., size=<value optimized out>) at xmlnode.c:627
#13 0x00002aaab425e1be in jabber_set_info (gc=0xcd7180, 
    info=0x7b8800 "<vCard xmlns='vcard-temp'>\n  <N>\n   
<GIVEN>XXXXXXXXXXXXX</GIVEN>\n  </N> \n  <EMAIL>\n    <INTERNET/> \n   
<USERID>XXXXXXXXXXXXXXXXXXXX</USERID>\n  </EMAIL> \n  <FN>XXXXXXXXXXXXX</FN> \n
 <ADR>\n    <HOME/>"...) at buddy.c:411
#14 0x00002aaab425e494 in jabber_set_buddy_icon (gc=0xcd7180, 
    img=0xdbe5f0) at buddy.c:593
#15 0x00002aaab425e961 in jabber_vcard_save_mine (js=0xcd71e0, 
    packet=<value optimized out>, data=<value optimized out>)
    at buddy.c:1149
#16 0x00002aaab4265a11 in jabber_iq_parse (js=0xcd71e0, 
    packet=0xda07b0) at iq.c:326
#17 0x00002aaab4271a8a in jabber_parser_element_end_libxml (
    user_data=0x3f2fb4c960, element_name=<value optimized out>, 
    prefix=0xbe96a0 "", namespace=0x1 <Address 0x1 out of bounds>)
    at parser.c:116
#18 0x0000003f3aa3ab3a in xmlParseEndTag2 (ctxt=0xd22000, prefix=0x0, 
    URI=0xd2df67 "jabber:client", line=<value optimized out>, nsNr=0, 
    tlen=1) at parser.c:8305
#19 0x0000003f3aa4710c in xmlParseChunk__internal_alias (
    ctxt=0xd22000, chunk=<value optimized out>, 
    size=<value optimized out>, terminate=0) at parser.c:10048
#20 0x00002aaab4271968 in jabber_parser_process (js=0xcd71e0, 
    buf=0xc00 <Address 0xc00 out of bounds>, len=12490400)
    at parser.c:195
#21 0x00002aaab426e534 in jabber_recv_cb_ssl (data=0xcd7180, 
    gsc=0xd2ec80, cond=<value optimized out>) at jabber.c:400
#22 0x0000000000462cdf in pidgin_io_invoke (
    source=<value optimized out>, condition=<value optimized out>, 
    data=0xd4f4d0) at gtkeventloop.c:78
#23 0x0000003eeb82d224 in IA__g_main_context_dispatch (
    context=0x7097b0) at gmain.c:2045
#24 0x0000003eeb83005d in g_main_context_iterate (context=0x7097b0, 
    block=1, dispatch=1, self=<value optimized out>) at gmain.c:2677
#25 0x0000003eeb83036a in IA__g_main_loop_run (loop=0xcd7680)
    at gmain.c:2881
#26 0x0000003c19f2d783 in gtk_main ()
   from /usr/lib64/libgtk-x11-2.0.so.0
#27 0x000000000047a6ec in main (argc=1, argv=0x7fff037f4c48)
    at gtkmain.c:853

The important frame seems to be frame 10:

(gdb) frame 10
#10 0x0000003f3aa3520f in xmlCreateMemoryParserCtxt__internal_alias (
    buffer=0x3f2fb4c960 "\001", size=3072) at parser.c:12529
12529       ctxt = xmlNewParserCtxt();

(gdb) list
12524       if (buffer == NULL)
12525           return(NULL);
12526       if (size <= 0)
12527           return(NULL);
12528
12529       ctxt = xmlNewParserCtxt();
12530       if (ctxt == NULL)
12531           return(NULL);
12532
12533       /* TODO: xmlParserInputBufferCreateStatic, requires some serious
changes */

The xmlNewParserCtxt() function (from libxml2) is what ultimately causes the
SIGSEGV.  This is *very* suspicious: either memory had already been corrupted
before that point, or this would seem to indicate a bug in libxml2, not
necessarily pidgin.

Comment 1 James Ralston 2007-11-19 19:37:53 UTC

Also, running pidgin repeatedly, I got this on one of the runs:

$ /usr/bin/pidgin
libnm_glib_nm_state_cb: dbus returned an error.
  (org.freedesktop.DBus.Error.ServiceUnknown) The name
org.freedesktop.NetworkManager was not provided by any .service files
*** glibc detected *** /usr/bin/pidgin: double free or corruption (fasttop):
0x00000000007707d0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3f2f870412]
/lib64/libc.so.6(cfree+0x8c)[0x3f2f873b1c]
/usr/lib64/purple-2/libjabber.so.0(jabber_set_buddy_icon+0x4df)[0x2aaab425e87f]
/usr/lib64/purple-2/libjabber.so.0[0x2aaab425e961]
/usr/lib64/purple-2/libjabber.so.0(jabber_iq_parse+0x1c1)[0x2aaab4265a11]
/usr/lib64/purple-2/libjabber.so.0[0x2aaab4271a8a]
/usr/lib64/libxml2.so.2[0x3f3aa3ab3a]
/usr/lib64/libxml2.so.2(xmlParseChunk+0xa6c)[0x3f3aa4710c]
/usr/lib64/purple-2/libjabber.so.0(jabber_parser_process+0x28)[0x2aaab4271968]
/usr/lib64/purple-2/libjabber.so.0[0x2aaab426e534]
/usr/bin/pidgin[0x462cdf]
/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x1b4)[0x3eeb82d224]
/lib64/libglib-2.0.so.0[0x3eeb83005d]
/lib64/libglib-2.0.so.0(g_main_loop_run+0x1ca)[0x3eeb83036a]
/usr/lib64/libgtk-x11-2.0.so.0(gtk_main+0xa3)[0x3c19f2d783]
/usr/bin/pidgin(main+0x8ec)[0x47a6ec]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3f2f81dab4]
/usr/bin/pidgin[0x429e69]
======= Memory map: ========
00400000-004cd000 r-xp 00000000 fd:02 2262026                           
/usr/bin/pidgin
006cc000-006df000 rw-p 000cc000 fd:02 2262026                           
/usr/bin/pidgin
006df000-00de7000 rw-p 006df000 00:00 0                                  [heap]
40000000-40001000 ---p 40000000 00:00 0 
40001000-40a01000 rw-p 40001000 00:00 0 
31a3c00000-31a3c41000 r-xp 00000000 fd:02 65793                         
/usr/lib64/libpango-1.0.so.0.1600.4
31a3c41000-31a3e40000 ---p 00041000 fd:02 65793                         
/usr/lib64/libpango-1.0.so.0.1600.4
31a3e40000-31a3e43000 rw-p 00040000 fd:02 65793                         
/usr/lib64/libpango-1.0.so.0.1600.4
31a4400000-31a442e000 r-xp 00000000 fd:02 65870                         
/usr/lib64/libpangoft2-1.0.so.0.1600.4
31a442e000-31a462d000 ---p 0002e000 fd:02 65870                         
/usr/lib64/libpangoft2-1.0.so.0.1600.4
31a462d000-31a462f000 rw-p 0002d000 fd:02 65870                         
/usr/lib64/libpangoft2-1.0.so.0.1600.4
3233600000-3233608000 r-xp 00000000 fd:02 66259                         
/usr/lib64/libXi.so.6.0.0
3233608000-3233807000 ---p 00008000 fd:02 66259                         
/usr/lib64/libXi.so.6.0.0
3233807000-3233808000 rw-p 00007000 fd:02 66259                         
/usr/lib64/libXi.so.6.0.0
357cc00000-357ccf0000 r-xp 00000000 fd:02 72981                         
/usr/lib64/libpurple.so.0.2.2
357ccf0000-357ceef000 ---p 000f0000 fd:02 72981                         
/usr/lib64/libpurple.so.0.2.2
357ceef000-357cef7000 rw-p 000ef000 fd:02 72981                         
/usr/lib64/libpurple.so.0.2.2
357cef7000-357cefa000 rw-p 357cef7000 00:00 0 
357d000000-357d071000 r-xp 00000000 fd:02 69138                         
/usr/lib64/libgnomevfs-2.so.0.1800.1
357d071000-357d271000 ---p 00071000 fd:02 69138                         
/usr/lib64/libgnomevfs-2.so.0.1800.1
357d271000-357d276000 rw-p 00071000 fd:02 69138                         
/usr/lib64/libgnomevfs-2.so.0.1800.1
357d400000-357d416000 r-xp 00000000 fd:02 66916                         
/usr/lib64/libgnome-2.so.0.1800.0
357d416000-357d615000 ---p 00016000 fd:02 66916                         
/usr/lib64/libgnome-2.so.0.1800.0
357d615000-357d617000 rw-p 00015000 fd:02 66916                         
/usr/lib64/libgnome-2.so.0.1800.0
357dc00000-357dc22000 r-xp 00000000 fd:02 72570                         
/usr/lib64/libedata-book-1.2.so.2.4.0
357dc22000-357de21000 ---p 00022000 fd:02 72570                         
/usr/lib64/libedata-book-1.2.so.2.4.0
357de21000-357de25000 rw-p 00021000 fd:02 72570                         
/usr/lib64/libedata-book-1.2.so.2.4.0
357e800000-357e831000 r-xp 00000000 fd:02 73148                         
/usr/lib64/librsvg-2.so.2.16.1
357e831000-357ea31000 ---p 00031000 fd:02 73148                         
/usr/lib64/librsvg-2.so.2.16.1
357ea31000-357ea33000 rw-p 00031000 fd:02 73148                         
/usr/lib64/librsvg-2.so.2.16.1
357ec00000-357ec36000 r-xp 00000000 fd:02 67451                         
/usr/lib64/libebook-1.2.so.9.0.1
357ec36000-357ee35000 ---p 00036000 fd:02 67451                         
/usr/lib64/libebook-1.2.so.9.0.1
357ee35000-357ee3b000 rw-p 00035000 fd:02 67451                         
/usr/lib64/libebook-1.2.so.9.0.1
357ee3b000-357ee3c000 rw-p 357ee3b000 00:00 0 
357f000000-357f054000 r-xp 00000000 fd:02 72676                         
/usr/lib64/libcamel-1.2.so.10.0.0
357f054000-357f253000 ---p 00054000 fd:02 72676                         
/usr/lib64/libcamel-1.2.so.10.0.0
357f253000-357f258000 rw-p 00053000 fd:02 72676                         
/usr/lib64/libcamel-1.2.so.10.0.0
358fe00000-358ff25000 r-xp 00000000 fd:01 163894                        
/lib64/libcrypto.so.0.9.8b
358ff25000-3590125000 ---p 00125000 fd:01 163894                        
/lib64/libcrypto.so.0.9.8b
3590125000-3590144000 rw-p 00125000 fd:01 163894                        
/lib64/libcrypto.so.0.9.8b
3590144000-3590148000 rw-p 3590144000 00:00 0 
3590200000-3590207000 r-xp 00000000 fd:02 70090                         
/usr/lib64/libpopt.so.0.0.0
3590207000-3590407000 ---p 00007000 fd:02 70090                         
/usr/lib64/libpopt.so.0.0.0
3590407000-3590408000 rw-p 00007000 fd:02 70090                         
/usr/lib64/libpopt.so.0.0.0
3590600000-3590643000 r-xp 00000000 fd:01 163896                        
/lib64/libssl.so.0.9.8b
3590643000-3590843000 ---p 00043000 fd:01 163896                        
/lib64/libssl.so.0.9.8b
3590843000-3590849000 rw-p 00043000 fd:01 163896                        
/lib64/libssl.so.0.9.8b
3592600000-3592628000 r-xp 00000000 fd:02 65820                         
/usr/lib64/libedataserver-1.2.so.9.0.0
3592628000-3592828000 ---p 00028000 fd:02 65820                         
/usr/lib64/libedataserver-1.2.so.9.0.0
3592828000-359282a000 rw-p 00028000 fd:02 65820                         
/usr/lib64/libedataserver-1.2.so.9.0.0
36c4000000-36c4054000 r-xp 00000000 fd:02 73388                         
/usr/lib64/libsoftokn3.so
36c4054000-36c4253000 ---p 00054000 fd:02 73388                  Aborted (core
dumped)

Comment 2 James Ralston 2007-11-19 19:48:13 UTC

Aha; I managed to get pidgin to crash when running with MALLOC_CHECK_=2.  Here's
the backtrace:

(gdb) thread apply all backtrace full

Thread 2 (process 5571):
#0  0x0000003f2f8c82e6 in *__GI___poll (fds=0x7b10e0, nfds=2, timeout=-1)
    at ../sysdeps/unix/sysv/linux/poll.c:87
        oldtype = 0
        result = <value optimized out>
#1  0x0000003eeb82feae in g_main_context_iterate (context=0x79d7c0, block=1, 
    dispatch=1, self=<value optimized out>) at gmain.c:2979
        max_priority = 2147483647
        timeout = -1
        some_ready = <value optimized out>
        nfds = 2
        allocated_nfds = <value optimized out>
        fds = (GPollFD *) 0x7b10e0
        __PRETTY_FUNCTION__ = "g_main_context_iterate"
#2  0x0000003eeb83036a in IA__g_main_loop_run (loop=0x7bafe0) at gmain.c:2881
        got_ownership = <value optimized out>
        self = (GThread *) 0x77a710
        __PRETTY_FUNCTION__ = "IA__g_main_loop_run"
#3  0x000000390e803393 in libnm_glib_dbus_worker (user_data=0x77a460)
    at libnm_glib.c:425
        ctx = <value optimized out>
        __PRETTY_FUNCTION__ = "libnm_glib_dbus_worker"
#4  0x0000003eeb849354 in g_thread_create_proxy (data=0x77a710)
    at gthread.c:594
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#5  0x0000003f318062f7 in start_thread (arg=<value optimized out>)
    at pthread_create.c:296
        __res = <value optimized out>
        pd = (struct pthread *) 0x40a00950
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {1084229968, 
        8700715749864488798, 0, 1084229968, 1084231680, 4096, 
        8700857311950913374, 8701312785833508702}, mask_was_saved = 0}}, 
  priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, 
      canceltype = 0}}}
        not_first_call = 0
        robust = <value optimized out>
#6  0x0000003f2f8d0fbd in clone () from /lib64/libc.so.6
        fstab_state = {fs_fp = 0x0, fs_buffer = 0x0, fs_mntres = {
    mnt_fsname = 0x0, mnt_dir = 0x0, mnt_type = 0x0, mnt_opts = 0x0, 
    mnt_freq = 0, mnt_passno = 0}, fs_ret = {fs_spec = 0x0, fs_file = 0x0, 
    fs_vfstype = 0x0, fs_mntops = 0x0, fs_type = 0x0, fs_freq = 0, 
    fs_passno = 0}}
        __elf_set___libc_subfreeres_element_fstab_free__ = (
    const void *) 0x3f2f907360

Thread 1 (process 5570):
#0  0x0000003f2f8305c5 in *__GI_raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <value optimized out>
        selftid = 0
#1  0x0000003f2f832070 in *__GI_abort () at abort.c:88
        act = {__sigaction_handler = {sa_handler = 0xee28d0, 
    sa_sigaction = 0xee28d0}, sa_mask = {__val = {14552944, 15608016, 0, 24, 
      14209728, 4294967295, 14552944, 15608016, 271383308128, 140735761460096, 
      271380331152, 24, 270239282257, 8, 15607568, 14571296}}, 
  sa_flags = 15588800, sa_restorer = 0x7fff9911abc0}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x0000003f2f8742cc in free_check (mem=0xde5720, 
    caller=<value optimized out>) at malloc.c:5892
        p = (mchunkptr) 0x0
#3  0x0000003f2f873ab7 in *__GI___libc_free (mem=0x6) at malloc.c:3586
        ar_ptr = <value optimized out>
        p = <value optimized out>
        hook = (void (*)(void *, const void *)) 0
#4  0x00002aaab425e87f in jabber_set_buddy_icon (gc=0xd161b0, img=0xee2110)
    at buddy.c:561
        publish = <value optimized out>
        metadata = <value optimized out>
        widthstring = <value optimized out>
        ctx = <value optimized out>
        digest = {8 '\b', 92 '\\', 21 '\025', 68 'D', 201 '�, 226 '�, 
  140 '\214', 255 '�', 58 ':', 199 '�, 27 '\033', 227 '�, 18 '\022', 63 '?', 
  203 '�, 34 '"', 233 '�, 153 '\231', 42 '*', 88 'X'}
        base64avatar = <value optimized out>
        item = <value optimized out>
        data = <value optimized out>
        info = (xmlnode *) 0xee2710
        lengthstring = 0x15c2 <Address 0x15c2 out of bounds>
        heightstring = <value optimized out>
        hash = <value optimized out>
        gpresence = <value optimized out>
        status = <value optimized out>
#5  0x00002aaab425e961 in jabber_vcard_save_mine (js=0xd163a0, 
    packet=<value optimized out>, data=<value optimized out>) at buddy.c:1149
        vcard = <value optimized out>
        txt = <value optimized out>
        img = (PurpleStoredImage *) 0xee2110
#6  0x00002aaab4265a11 in jabber_iq_parse (js=0xd163a0, packet=0xee2cd0)
    at iq.c:326
        query = (xmlnode *) 0x0
        error = <value optimized out>
        x = <value optimized out>
        xmlns = <value optimized out>
        type = 0xedec80 "result"
        id = 0xe2b080 "purple6d9f2a1f"
        from = 0x0
        jih = <value optimized out>
#7  0x00002aaab4271a8a in jabber_parser_element_end_libxml (user_data=0x15c2, 
    element_name=<value optimized out>, 
    prefix=0x6 <Address 0x6 out of bounds>, 
    namespace=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>)
    at parser.c:116
        packet = (xmlnode *) 0xee2cd0
#8  0x0000003f3aa3ab3a in xmlParseEndTag2 (ctxt=0xedc830, prefix=0x0, 
    URI=0xdbbc17 "jabber:client", line=<value optimized out>, nsNr=0, tlen=1)
    at parser.c:8305
        name = (const xmlChar *) 0x1 <Address 0x1 out of bounds>
#9  0x0000003f3aa4710c in xmlParseChunk__internal_alias (ctxt=0xedc830, 
    chunk=<value optimized out>, size=<value optimized out>, terminate=0)
    at parser.c:10048
        prefix = (
    const xmlChar *) 0xdfaf20000099bf00 <Address 0xdfaf20000099bf00 out of bounds>
        URI = (const xmlChar *) 0xdbbd5c "vcard-temp"
        nsNr = 15616064
        end_in_lf = 0
#10 0x00002aaab4271968 in jabber_parser_process (js=0xd163a0, 
    buf=0x15c2 <Address 0x15c2 out of bounds>, len=6) at parser.c:195
No locals.
#11 0x00002aaab426e534 in jabber_recv_cb_ssl (data=0xd161b0, gsc=0xd62c80, 
    cond=<value optimized out>) at jabber.c:400
        gc = <value optimized out>
        js = (JabberStream *) 0xd163a0
        len = 6
        buf =
"LAJES0kIzthirVyH0hmOukVAd4YK1nWyhYKxnvFAtT/va3p59++u9PPf2/z056hnv0SAuTEROwXCyinVDpAj+GgJy3bwsiZw+mPJuKL2bhC6jle3LSVh/Z9l5+xibQFmLu+0ZKpRGbQ81eQ8/ZBFoO3FDpThl6nwp3SE8+aqTmgnpMlMTCyDfT85O/AajKwifpuHgDRD"...
#12 0x0000000000462cdf in pidgin_io_invoke (source=<value optimized out>, 
    condition=<value optimized out>, data=0xc25be0) at gtkeventloop.c:78
        purple_cond = PURPLE_INPUT_READ
#13 0x0000003eeb82d224 in IA__g_main_context_dispatch (context=0x70a880)
    at gmain.c:2045
No locals.
#14 0x0000003eeb83005d in g_main_context_iterate (context=0x70a880, block=1, 
    dispatch=1, self=<value optimized out>) at gmain.c:2677
        got_ownership = <value optimized out>
        max_priority = 2147483647
        timeout = 801
        some_ready = 1
        nfds = <value optimized out>
        allocated_nfds = <value optimized out>
        fds = (GPollFD *) 0xd16d50
        __PRETTY_FUNCTION__ = "g_main_context_iterate"
#15 0x0000003eeb83036a in IA__g_main_loop_run (loop=0xd169c0) at gmain.c:2881
        got_ownership = <value optimized out>
        self = (GThread *) 0x6df470
        __PRETTY_FUNCTION__ = "IA__g_main_loop_run"
#16 0x0000003c19f2d783 in IA__gtk_main () at gtkmain.c:1154
        tmp_list = (GList *) 0x8d3940
        functions = (GList *) 0x0
        init = (GtkInitFunction *) 0x6f8800
        loop = (GMainLoop *) 0xd169c0
#17 0x000000000047a6ec in main (argc=1, argv=0x7fff9911d558) at gtkmain.c:853
        saved_status = <value optimized out>
        opt_help = <value optimized out>
        opt_login = 0
        opt_nologin = 0
        opt_version = <value optimized out>
        opt_si = 1
        opt_config_dir_arg = 0x0
        opt_login_arg = 0x0
        opt_session_arg = 0x0
        search_path = <value optimized out>
        accounts = <value optimized out>
        sigset = {__val = {91143, 0 <repeats 15 times>}}
        prev_sig_disp = <value optimized out>
        errmsg =
"\220\001\000\000\000\000\000\000\b\000\000\000\000\000\000\000P�d\004\000\000\000�\a\000\000\000\000\000��?\000\000\000��?\000\000\000t%\000\000\000\000\000\000t%\000\000\000\000\000\000\004\000\000\000\000\000\000\000P�021\231�\177\000\000�\021\231�\177\000\000�A/?",
'\0' <repeats 11 times>,
"\020\000\000\000\000\000\000\000x�*\000\000��@/?\000\000\000����*\000\000\230g���*\000\000Pl���*\000\000\020q���*\000\000����*\000\000xz���*\000\0008\177���*\000\000�203���*\000\000�\210���*\000\000p"...
        segfault_message_tmp = <value optimized out>
        error = (GError *) 0x0
        opt = <value optimized out>
        gui_check = <value optimized out>
        debug_enabled = <value optimized out>
        migration_failed = <value optimized out>
        active_accounts = <value optimized out>
        long_options = {{name = 0x4bb931 "config", has_arg = 1, flag = 0x0, 
    val = 99}, {name = 0x4ab299 "debug", has_arg = 0, flag = 0x0, val = 100}, {
    name = 0x4ae594 "help", has_arg = 0, flag = 0x0, val = 104}, {
    name = 0x4ab551 "login", has_arg = 2, flag = 0x0, val = 108}, {
    name = 0x4b8208 "multiple", has_arg = 0, flag = 0x0, val = 109}, {
    name = 0x4b8211 "nologin", has_arg = 0, flag = 0x0, val = 110}, {
    name = 0x4bb927 "session", has_arg = 1, flag = 0x0, val = 115}, {
    name = 0x4b005b "version", has_arg = 0, flag = 0x0, val = 118}, {
    name = 0x0, has_arg = 0, flag = 0x0, val = 0}}

Frame 4 is where control is passed into malloc() land:

(gdb) frame 4
#4  0x00002aaab425e87f in jabber_set_buddy_icon (gc=0xd161b0, 
    img=0xee2110) at buddy.c:561

(gdb) list
556                                     widthstring = g_strdup_printf("%u", width);
557                                     xmlnode_set_attrib(info, "width",
widthstring);
558                                     g_free(widthstring);
559                                     heightstring = g_strdup_printf("%u",
height);
560                                     xmlnode_set_attrib(info, "height",
heightstring);
561                                     g_free(lengthstring);
562
563                                     /* publish the metadata */
564                                    
jabber_pep_publish((JabberStream*)gc->proto_data, publish);
565

I strongly suspect the g_free() call on line 561 is a double-free.

Comment 3 Warren Togami 2007-11-19 20:54:28 UTC

At no point do you mention the exact package version of pidgin.

rpm -q pidgin

?

Comment 4 James Ralston 2007-11-19 21:18:12 UTC

The latest from fedora-updates (currently pidgin-2.2.2-1.fc7).

(I already looked for a more recent version in Rawhide, but found none.)

Comment 5 Stu Tomlinson 2007-11-19 22:03:05 UTC

good catch and thanks for doing the legwork in debugging the problem. This is
fixed upstream now for 2.3.0 due out soonish. Patch is available here, which
might apply to 2.2.2:
http://developer.pidgin.im/viewmtn/revision/diff/110e884c24fe3779369c410f3ad805a500c8ad79/with/374a8877bfa4fa06b384482815befe37f2c72b9b
(no idea why I can't make viewmtn just give me a plain diff file).

Comment 6 James Ralston 2007-12-06 18:55:33 UTC

Warren, do you have any intention of backporting that patch to 2.2.2, or are you
just going to wait for 2.3.0?

Comment 7 Warren Togami 2007-12-06 20:03:31 UTC

Waiting for 2.3.1 which should be real soon now.

Comment 8 Fedora Update System 2007-12-10 20:43:37 UTC

pidgin-2.3.1-1.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update pidgin'

Comment 9 Fedora Update System 2008-01-07 01:18:07 UTC

pidgin-2.3.1-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.