Bug 509582

Summary: Thunderbird crashes on cut and paste
Product: [Fedora] Fedora
Reporter: Mario Torre <neugens>
Component: thunderbird
Assignee: Martin Stransky <stransky>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: etheban, frankly3d, gecko-bugs-nobody, mads, mcepl, sandro, stransky, subscribed-lists, tamisoft
Keywords: Patch
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-07-15 13:44:14 UTC
Attachments (flags: none):
  Proposed Fix
  gdb output
  gdb session output

Description Mario Torre 2009-07-03 18:39:21 UTC
Description of problem:

Thunderbird on Fedora 11 crashes with a segfault when pasting code on the text pane while writing a mail, both with the middle mouse button or from the clipboard using standard menu copy and paste. The crash doesn't occur reliably, but it's easy to reproduce. The system is a 64 bit install, but I've not tested with a 32 bit one (nor with a 32 bit package). Also, the crash I've experienced only happens in the text area, not for example in the "subject" text field or in the various "to", "cc" etc. text fields. Finally, I've only tried on the Gnome desktop.

Version-Release number of selected component (if applicable):

thunderbird-3.0-2.3.beta2.fc11.x86_64

How reproducible:

Cut and paste code from other applications.

Steps to Reproduce:
1. Write a new mail
2. Copy some text from another application, i.e. gedit
3. Paste the text on the text pane in the mail window.

Actual results:

Text is pasted

Expected results:

Segfault.

Additional info:

The bug seems to be related to a call to strcmp with the first argument passed as NULL. I'm not sure if strcmp should survive a NULL argument, but I did some simple tests on Linux and I can indeed pass a NULL argument happily, but of course this doesn't prove much as the tests were too simple. I say this because it may hide a glibc bug, but honestly I didn't really check deeply enough.

The code that fails is this in

thunderbird-3.0/mozilla/widget/src/gtk2/nsClipboard.cpp:

for (PRInt32 j = 0; j < n_targets; j++) {
   // gdk_atom_name() can return NULL; strcmp() is then called on it
   gchar *atom_name = gdk_atom_name(targets[j]);
   if (!strcmp(atom_name, aFlavorList[i]))
     *_retval = PR_TRUE;

   // X clipboard wants image/jpeg, not image/jpg
   if (!strcmp(aFlavorList[i], kJPEGImageMime) &&
      ...

(line 449)

where the NULL argument is atom_name returned by gdk_atom_name.

Attached is a patch that bypasses this problem, but there are other places where a NULL argument may be passed to strcmp in the same file.
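
A NULL-safe version of the target-scan loop quoted above, added here as an illustration of the fix pattern; it is neither the attached patch nor Mozilla's code. The value of kJPEGImageMime, the target list and the helper names are constructed stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for Mozilla's flavor constant (value assumed). */
#define kJPEGImageMime "image/jpg"

/* NULL-safe replacement for the bare strcmp() in the loop above.
 * strcmp(NULL, x) is undefined behaviour; glibc dereferences the
 * pointer, which is the segfault this report describes.  A trivial
 * test program may not crash because the compiler folds the call. */
static bool str_eq(const char *a, const char *b) {
    if (a == NULL || b == NULL)
        return false;            /* a missing name is simply "no match" */
    return strcmp(a, b) == 0;
}

/* Hardened scan: does any advertised clipboard target in targets[]
 * (n_targets entries, NULL where gdk_atom_name() returned nothing)
 * satisfy the requested flavor? */
static bool flavor_offered(const char *const *targets, size_t n_targets,
                           const char *flavor) {
    for (size_t j = 0; j < n_targets; j++) {
        const char *atom_name = targets[j];
        if (str_eq(atom_name, flavor))
            return true;
        /* X clipboard advertises image/jpeg, not image/jpg */
        if (str_eq(flavor, kJPEGImageMime) && str_eq(atom_name, "image/jpeg"))
            return true;
    }
    return false;
}

/* Constructed scenario: a clipboard owner advertises three targets,
 * but gdk_atom_name() failed for the second one and yielded NULL.
 * Returns true when the NULL entry is skipped instead of crashing. */
static bool demo_null_target_is_skipped(void) {
    const char *targets[] = { "UTF8_STRING", NULL, "image/jpeg" };
    return flavor_offered(targets, 3, "text/plain") == false
        && flavor_offered(targets, 3, "UTF8_STRING")
        && flavor_offered(targets, 3, kJPEGImageMime);
}
```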

Comment 1 Mario Torre 2009-07-03 18:40:38 UTC
Created attachment 350452 [details]
Proposed Fix

Comment 2 Mario Torre 2009-07-03 18:42:02 UTC
I'm not sure if this is a general problem in thunderbird, the proposed patch may be sent upstream, but honestly I've not contacted upstream about the issue.

Comment 3 Matěj Cepl 2009-07-03 22:13:52 UTC
Hmm, cannot reproduce with
thunderbird-3.0-2.4.b3pre.hg.6a6386c16e98.fc11.x86_64 (from http://koji.fedoraproject.org/koji/buildinfo?buildID=102079). Can I ask you to upgrade and retest (backups of ~/.thunderbird are a really good idea)?

If you can reproduce it, could we get a full backtrace from gdb attached to this bug report, please?

Thank you very much for your cooperation.

Comment 4 Mario Torre 2009-07-04 01:08:41 UTC
Same crash. I forgot to install the debug package, but you can see that it crashed in the same place. Attached is the debugger output.

Comment 5 Mario Torre 2009-07-04 01:09:27 UTC
Created attachment 350468 [details]
gdb output

Comment 6 Mario Torre 2009-07-04 09:49:38 UTC
I played with thunderbird-3.0-2.4.b3pre.hg.6a6386c16e98.fc11.x86_64 and I can still reproduce the problem, although it is less frequent. I attach a, hopefully, more meaningful debugger output.

Comment 7 Mario Torre 2009-07-04 09:50:24 UTC
Created attachment 350485 [details]
gdb session output

Comment 8 Martin Stransky 2009-07-07 10:11:29 UTC
Taking, it's a dupe of one of my bugs.

Comment 9 Martin Stransky 2009-07-15 13:44:14 UTC
Already reported as https://bugzilla.mozilla.org/show_bug.cgi?id=495392

Comment 10 Matěj Cepl 2009-11-15 14:45:28 UTC
*** Bug 537564 has been marked as a duplicate of this bug. ***

Comment 11 Matěj Cepl 2009-11-19 21:57:34 UTC
*** Bug 538902 has been marked as a duplicate of this bug. ***

Comment 12 Matěj Cepl 2009-11-19 22:00:21 UTC
*** Bug 538899 has been marked as a duplicate of this bug. ***

Comment 13 Matěj Cepl 2009-12-08 01:50:16 UTC
*** Bug 543528 has been marked as a duplicate of this bug. ***

Comment 14 Matěj Cepl 2009-12-15 00:07:37 UTC
*** Bug 545800 has been marked as a duplicate of this bug. ***

Comment 15 Matěj Cepl 2009-12-15 00:07:37 UTC
*** Bug 544393 has been marked as a duplicate of this bug. ***

Comment 16 Matěj Cepl 2009-12-22 01:34:04 UTC
*** Bug 546937 has been marked as a duplicate of this bug. ***

Comment 17 Chris Campbell 2010-03-13 14:53:38 UTC
*** Bug 571620 has been marked as a duplicate of this bug. ***