Bug 609187

Summary: [abrt] dconf-0.4.1-1: raise: Process /usr/libexec/dconf-service was killed by signal 6 (SIGABRT)
Product: [Fedora] Fedora
Reporter: Matthew Garrett <mjg>
Component: dconf
Assignee: Matthias Clasen <mclasen>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: jfeeney, mclasen, richard
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: abrt_hash:351f962a96b7f7558eae66b02ecc2909ecff182a
Doc Type: Bug Fix
Last Closed: 2010-07-12 17:44:02 UTC
Attachments:
Description        Flags
File: backtrace    none
Plausible fix      none
Fixed patch        none

Description Matthew Garrett 2010-06-29 15:38:16 UTC
abrt version: 1.1.5
architecture: x86_64
Attached file: backtrace
cmdline: /usr/libexec/dconf-service
component: dconf
crash_function: raise
executable: /usr/libexec/dconf-service
global_uuid: 351f962a96b7f7558eae66b02ecc2909ecff182a
kernel: 2.6.35-0.2.rc3.git0.fc14.x86_64
package: dconf-0.4.1-1
rating: 2
reason: Process /usr/libexec/dconf-service was killed by signal 6 (SIGABRT)
release: Fedora release 14 (Rawhide)
time: 1277825776
uid: 500

How to reproduce
-----
Running gsettings-data-convert gives the following output:

Failed to get GConf key '"d"> = /apps/gnome-power-manager/backlight/brightness_ac': Bad key or directory name: ""d"> = /apps/gnome-power-manager/backlight/brightness_ac": Must begin with a slash '/'
*** glibc detected *** gsettings-data-convert: realloc(): invalid next size: 0x00000000016291e0 ***

and then dconf crashes. gsettings-data-convert then hangs.

Comment 1 Matthew Garrett 2010-06-29 15:38:18 UTC
Created attachment 427713
File: backtrace

Comment 2 Matthew Garrett 2010-06-29 19:36:39 UTC
Created attachment 427769
Plausible fix

We reallocate length+1, but converted is an array of gchar * and so we walk off the end of the array.

Comment 3 Matthew Garrett 2010-06-29 20:00:42 UTC
Hm. Confused now. This seems to work if I run the libtool-provided shell script for gsettings-data-convert, but not if I run the actual binary that gets built.

Comment 4 Matthew Garrett 2010-06-29 20:22:17 UTC
Created attachment 427787
Fixed patch

Oh, because I'm an idiot. This one seems to work better.

Comment 5 Matthias Clasen 2010-07-12 17:44:02 UTC
Committed this upstream now, thanks.
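
The sizing mistake described in Comment 2, as an added example that is not part of this bug report, its attachments or the dconf source: realloc() takes a byte count, so passing the element count for an array of pointers under-allocates and the next stores corrupt the heap. The function names and the use of plain char ** in place of gchar ** are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the pattern from Comment 2: the element
 * count is handed to realloc() as if it were a byte size. Shown for
 * comparison only and never called; both stores fall outside the block. */
int strv_append_buggy(char ***vec, size_t *length, char *item)
{
    char **grown = realloc(*vec, *length + 1);      /* bytes, not elements */
    if (!grown) return -1;
    grown[*length] = item;                          /* out-of-bounds write */
    grown[*length + 1] = NULL;
    *vec = grown;
    *length += 1;
    return 0;
}

/* Bytes needed for `length` entries plus the NULL terminator. */
size_t strv_bytes(size_t length) { return (length + 1) * sizeof(char *); }

/* Hardened form: size by element, reject overflow, keep *vec on failure. */
int strv_append(char ***vec, size_t *length, const char *item)
{
    if (*length > SIZE_MAX / sizeof(char *) - 2)
        return -1;                                  /* size would wrap */
    size_t n = strlen(item) + 1;
    char *copy = malloc(n);
    if (!copy) return -1;
    memcpy(copy, item, n);
    char **grown = realloc(*vec, strv_bytes(*length + 1));
    if (!grown) { free(copy); return -1; }          /* old block still valid */
    grown[*length] = copy;
    grown[*length + 1] = NULL;
    *vec = grown;
    *length += 1;
    return 0;
}
```

glibc's "realloc(): invalid next size" abort, as seen in the report, is its heap consistency check noticing that the size field of the neighbouring chunk has been overwritten.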