Bug 135859 - glibc reports double-free/memory corruption with mc and Korean UTF-8 (specspo)
Product: Fedora
Classification: Fedora
Component: rpm
i386 Linux
Severity: medium
Assigned To: Jeff Johnson
Mike McLean
Duplicates: 137399
Depends On:
Blocks: FC3Blocker
Reported: 2004-10-15 10:54 EDT by Paul Nasrat
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-10-31 13:42:17 EST

Attachments
Core (117.23 KB, application/x-bzip2)
2004-10-28 04:32 EDT, Paul Nasrat

Description Paul Nasrat 2004-10-15 10:54:58 EDT
Newer glibc has checks that abort programs on a double free.  A case of this
with rpm was mentioned on #fedora-devel.

Reproducible: Always
Steps to Reproduce:
1. LANG=ko_KR.UTF8 rpm --dbpath /usr/lib/rpmdb/i386-redhat-linux/redhat/ -qi mc

Actual Results:  
*** glibc detected *** double free or corruption: 0x0992cd68 ***

Expected Results:  
Lovely information about mc
Comment 1 Paul Nasrat 2004-10-15 11:06:02 EDT

#0  0x0017b782 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x0062e625 in raise () from /lib/tls/libc.so.6
#2  0x0062ffe9 in abort () from /lib/tls/libc.so.6
#3  0x006675eb in malloc_printerr () from /lib/tls/libc.so.6
#4  0x0066808a in free () from /lib/tls/libc.so.6
#5  0x0023cec8 in singleSprintf (hsa=0xfeec6360, token=0x82195d8, element=0)
    at header.c:141
#6  0x0023cfb4 in singleSprintf (hsa=0xfeec6360, token=0x8215128, element=0)
    at header.c:3250
#7  0x0023d343 in headerSprintf (h=0x0,
    fmt=0x81cf898 "Name        : %-27{NAME}  Relocations:
%|PREFIXES?{[%{PREFIXES} ]}:{(not relocatable)}|\\nVersion     : %-27{VERSION} 
     Vendor: %{VENDOR}\\nRelease     : %-27{RELEASE}   Build Date:
    tbltags=0x6, extensions=0x6, errmsg=0xfeec644c) at header.c:3462
#8  0x00d80e96 in showQueryPackage (qva=0xdb1960, ts=0x0, h=0x81fca90)
    at hdrinline.h:24
#9  0x00d812d1 in rpmcliShowMatches (qva=0xdb1960, ts=0x81cf2d8) at query.c:367
#10 0x00d816de in rpmQueryVerify (qva=0xdb1960, ts=0x81cf2d8,
    arg=0xfef689e5 "mc") at query.c:771
#11 0x00d82452 in rpmcliQuery (ts=0x81cf2d8, qva=0xdb1960, argv=0x81bac24)
    at query.c:831
#12 0x080497ac in main (argc=6, argv=0xfeec76c4) at rpmqv.c:789
#13 0x0061bb03 in __libc_start_main () from /lib/tls/libc.so.6
Comment 2 Jeff Johnson 2004-10-15 18:20:06 EDT
I'm still missing some tidbit to reproduce this.

Currently using fc3 glibc-2.3.3-68 ...
Comment 3 Paul Nasrat 2004-10-18 04:50:49 EDT
I installed the Korean support group prior to testing:

Comment 4 Paul Nasrat 2004-10-18 05:38:10 EDT
Removed the non-glibc packages above:

[pauln@anu ~]$ rpm -q mc
[pauln@anu ~]$ LANG=ko_KR.UTF-8 rpm -qi mc
*** glibc detected *** double free or corruption: 0x08493c88 ***

If need be I can provide ssh access to the box
Comment 5 Paul Nasrat 2004-10-28 03:44:15 EDT
*** Bug 137399 has been marked as a duplicate of this bug. ***
Comment 6 Paul Nasrat 2004-10-28 03:47:38 EDT
Move blocker/CC from dupe
Comment 7 Paul Nasrat 2004-10-28 03:54:42 EDT
The specific package changes, I guess, depending on initial setup (my
package is now jpackage-utils).

LANG=ko_KR.UTF-8 rpm -qia

is probably the reliable reproducer.  Based on the fact that the rogue
package now does not have any translated strings, I'm guessing it's
something like the date formatting. Can you reproduce with:

LANG=ko_KR.UTF-8 LC_TIME=C rpm -qia (or translated package).
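The category-by-category narrowing suggested in the comment above, as an added helper script that is not part of the bug report: it re-runs a command under the suspect locale with one LC_* category at a time forced back to C, and reports which override makes the failure go away. The names locale_bisect and fake_query are assumptions; fake_query is a constructed stand-in for the crashing rpm query.

```shell
#!/bin/sh
# Added example (not from the bug report): isolate which locale category
# triggers a failure by re-running the command with LANG set to the
# suspect locale and exactly one LC_* category overridden to C.
# Prints the name of each category whose override makes the command succeed.
locale_bisect() {
    locale="$1"
    shift
    # LC_ALL would override every individual category, so make sure it is unset.
    unset LC_ALL
    for cat in LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES; do
        # A glibc malloc abort (SIGABRT) surfaces here as a non-zero exit status.
        if env LANG="$locale" "$cat=C" "$@" >/dev/null 2>&1; then
            echo "$cat"
        fi
    done
}

# Constructed stand-in for "rpm -qia": a command that only succeeds when
# LC_TIME is C, mimicking a crash confined to date formatting.
fake_query() {
    locale_bisect ko_KR.UTF-8 sh -c '[ "$LC_TIME" = C ]'
}
```

Against the real reproducer the call would be `locale_bisect ko_KR.UTF-8 rpm -qia`; an empty result means no single category override avoids the abort.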
Comment 8 Paul Nasrat 2004-10-28 04:32:35 EDT
Created attachment 105885 [details]


#6  0x009a0fb4 in singleSprintf (hsa=0xfee88960, token=0x8cf06b0, element=0)
    at header.c:3250
3250		    te = singleSprintf(hsa, spft, element);
(gdb) x 0x8cf0b0
0x8cf0b0 <pgpPrtSig+698>:	0xdc758bd4
(gdb) x 0xfee8960

Looks like signature is causing it in my instance:

LANG=ko_KR.UTF-8 rpm --qf
-q jpackage-utils
*** glibc detected *** double free or corruption: 0x0838ed88 ***

I wonder if it's the first signed package - which will vary a lot in rawhide.
Comment 11 Jeff Johnson 2004-10-31 13:02:51 EST
Thank you. I have not been able to reproduce, and was
expecting an entirely different issue, freeing header
date retrieved from dcgettext used for look aside retrieve.
Comment 13 Jeff Johnson 2004-10-31 13:24:21 EST
Comment 14 Jeff Johnson 2004-10-31 13:42:17 EST
Fixed in rpm-4.3.2-19. Thanks for the patch.
Comment 15 Paul Nasrat 2004-11-01 03:20:54 EST
Confirmed fixed in 4.3.2-19 thanks.
Comment 16 Rajesh 2006-03-27 07:57:47 EST
In /var/log/messages I see:
*** glibc detected *** double free or corruption (!prev): 0x094c8f18 ***
What could be the cause of this and how can it be resolved?
