Bug 149984 - gaim aborting in gadu-gadu module
gaim aborting in gadu-gadu module
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: gaim (Show other bugs)
rawhide
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Warren Togami
:
Depends On: 150429
Blocks:
  Show dependency treegraph
 
Reported: 2005-03-01 02:57 EST by Adam Szalkowski
Modified: 2007-11-30 17:11 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-03-11 22:50:38 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Szalkowski 2005-03-01 02:57:56 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050224 Firefox/1.0.1 Firearachnid/1.0.1-1.3.1 (Fedora/1.0.1-1.3.1 rebrand)

Description of problem:
Gaim aborts when certain contacts go online.
gaimosd shows the notification message then gaim aborts.

In fact I see this behaviour only with one contact. others seem to work. the length of the name is 18 chars (some string buffer overflow?).

please see attached gdb output

Version-Release number of selected component (if applicable):
gaim-1.1.4-1

How reproducible:
Sometimes

Steps to Reproduce:
1. start gaim
2. wait until that gadu-gadu contact gets online
3.
  

Actual Results:  gaim aborting

Additional info:

gdb output:

bar 1
bar 2
bar 3
foo 1
*** glibc detected *** /usr/bin/gaim: free(): invalid next size (fast): 0x801e6c80 ***

Program received signal SIGABRT, Aborted.
[Switching to Thread -1217911104 (LWP 4088)]
0xb78a9a14 in raise () from /lib/tls/i686/libc.so.6
(gdb) bt
#0  0xb78a9a14 in raise () from /lib/tls/i686/libc.so.6
#1  0xb78aae50 in abort () from /lib/tls/i686/libc.so.6
#2  0xb78d7e6d in __libc_message () from /lib/tls/i686/libc.so.6
#3  0xb78dd853 in _int_free () from /lib/tls/i686/libc.so.6
#4  0xb78ddb93 in free () from /lib/tls/i686/libc.so.6
#5  0xb72e3161 in gg_free_event () from /usr/lib/gaim/libgg.so
#6  0xb72e7a8b in gaim_init_plugin () from /usr/lib/gaim/libgg.so
#7  0x8008a37a in gaim_gtkdialogs_remove_chat () from /usr/bin/gaim
#8  0xb79f675d in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#9  0xb79d21e8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#10 0xb79d3a08 in g_main_context_acquire () from /usr/lib/libglib-2.0.so.0
#11 0xb79d3d2f in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#12 0xb7c7b2de in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#13 0x800b984d in main () from /usr/bin/gaim
Comment 1 Warren Togami 2005-03-01 03:08:55 EST
Is this a regression from previous gaim versions?
Comment 2 Adam Szalkowski 2005-03-01 03:36:16 EST
Yes, it seems to be a regression. Before gaim-1.1.3 I did not have this problem.
A few minutes ago I got another segfault from malloc in some other function.

Is there a package with debug info or do I have to rebuild?

Now trying without gaimosd. Maybe the plugin causes some memory corruption.
If the problem still occurs I'll fire up valgrind.
Comment 3 Adam Szalkowski 2005-03-01 03:58:45 EST
same behaviour without gaimosd.
valgrind/memcheck say this (but without debug info :/ ):

==14622== Memcheck, a memory error detector for x86-linux.
==14622== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al.
==14622== Using valgrind-2.2.0, a program supervision framework for x86-linux.
==14622== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al.
==14622== For more details, rerun with: -v
==14622== 
==14622== Syscall param write(buf) contains uninitialised or unaddressable byte(s)
==14622==    at 0x433F237E: __write_nocancel (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x434D8BA8: _X11TransWrite (in /usr/X11R6/lib/libX11.so.6.2)
==14622==    by 0x434BD7E8: (within /usr/X11R6/lib/libX11.so.6.2)
==14622==    by 0x434BD877: _XReply (in /usr/X11R6/lib/libX11.so.6.2)
==14622==  Address 0x1B9A8E00 is 128 bytes inside a block of size 16384 alloc'd
==14622==    at 0x1B907301: calloc (vg_replace_malloc.c:176)
==14622==    by 0x434ADAF5: XOpenDisplay (in /usr/X11R6/lib/libX11.so.6.2)
==14622==    by 0x42DD8393: gdk_display_open (in /usr/lib/libgdk-x11-2.0.so.0.600.2)
==14622==    by 0x42DBA7E0: gdk_display_open_default_libgtk_only (in
/usr/lib/libgdk-x11-2.0.so.0.600.2)
==14622== 
==14622== Syscall param write(buf) contains uninitialised or unaddressable byte(s)
==14622==    at 0x433F237E: __write_nocancel (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x435955E9: _IceTransWrite (in /usr/X11R6/lib/libICE.so.6.3)
==14622==    by 0x4358D50D: _IceWrite (in /usr/X11R6/lib/libICE.so.6.3)
==14622==    by 0x4358D5DE: IceFlush (in /usr/X11R6/lib/libICE.so.6.3)
==14622==  Address 0x1BCBFF64 is 12 bytes inside a block of size 1024 alloc'd
==14622==    at 0x1B907301: calloc (vg_replace_malloc.c:176)
==14622==    by 0x4358A789: IceOpenConnection (in /usr/X11R6/lib/libICE.so.6.3)
==14622==    by 0x435A221E: SmcOpenConnection (in /usr/X11R6/lib/libSM.so.6.0)
==14622==    by 0xBA1DF: session_init (in /usr/bin/gaim)
==14622== 
==14622== Syscall param write(buf) contains uninitialised or unaddressable byte(s)
==14622==    at 0x433F237E: __write_nocancel (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x434D8BA8: _X11TransWrite (in /usr/X11R6/lib/libX11.so.6.2)
==14622==    by 0x434BD7E8: (within /usr/X11R6/lib/libX11.so.6.2)
==14622==    by 0x434BEA7F: _XEventsQueued (in /usr/X11R6/lib/libX11.so.6.2)
==14622==  Address 0x1B9A8FC9 is 585 bytes inside a block of size 16384 alloc'd
==14622==    at 0x1B907301: calloc (vg_replace_malloc.c:176)
==14622==    by 0x434ADAF5: XOpenDisplay (in /usr/X11R6/lib/libX11.so.6.2)
==14622==    by 0x42DD8393: gdk_display_open (in /usr/lib/libgdk-x11-2.0.so.0.600.2)
==14622==    by 0x42DBA7E0: gdk_display_open_default_libgtk_only (in
/usr/lib/libgdk-x11-2.0.so.0.600.2)
==14622== 
==14622== Syscall param write(buf) contains uninitialised or unaddressable byte(s)
==14622==    at 0x433F237E: __write_nocancel (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x434D8BA8: _X11TransWrite (in /usr/X11R6/lib/libX11.so.6.2)
==14622==    by 0x434BD7E8: (within /usr/X11R6/lib/libX11.so.6.2)
==14622==    by 0x434A10E3: XFlush (in /usr/X11R6/lib/libX11.so.6.2)
==14622==  Address 0x1B9A9F24 is 4516 bytes inside a block of size 16384 alloc'd
==14622==    at 0x1B907301: calloc (vg_replace_malloc.c:176)
==14622==    by 0x434ADAF5: XOpenDisplay (in /usr/X11R6/lib/libX11.so.6.2)
==14622==    by 0x42DD8393: gdk_display_open (in /usr/lib/libgdk-x11-2.0.so.0.600.2)
==14622==    by 0x42DBA7E0: gdk_display_open_default_libgtk_only (in
/usr/lib/libgdk-x11-2.0.so.0.600.2)
==14622== 
==14622== Syscall param writev(vector[...]) contains uninitialised or
unaddressable byte(s)
==14622==    at 0x433F8CAB: writev (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x434D8945: (within /usr/X11R6/lib/libX11.so.6.2)
==14622==    by 0x434D8BEA: _X11TransWritev (in /usr/X11R6/lib/libX11.so.6.2)
==14622==    by 0x434BDEB5: _XSend (in /usr/X11R6/lib/libX11.so.6.2)
==14622==  Address 0x1B9A9450 is 1744 bytes inside a block of size 16384 alloc'd
==14622==    at 0x1B907301: calloc (vg_replace_malloc.c:176)
==14622==    by 0x434ADAF5: XOpenDisplay (in /usr/X11R6/lib/libX11.so.6.2)
==14622==    by 0x42DD8393: gdk_display_open (in /usr/lib/libgdk-x11-2.0.so.0.600.2)
==14622==    by 0x42DBA7E0: gdk_display_open_default_libgtk_only (in
/usr/lib/libgdk-x11-2.0.so.0.600.2)
==14622== 
==14622== Use of uninitialised value of size 4
==14622==    at 0x4337F225: _itoa_word (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x4338213E: _IO_vfprintf_internal (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x4339D107: _IO_vasprintf (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x42C4A644: g_vasprintf (in /usr/lib/libglib-2.0.so.0.600.2)
==14622== 
==14622== Use of uninitialised value of size 4
==14622==    at 0x4337F23C: _itoa_word (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x4338213E: _IO_vfprintf_internal (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x4339D107: _IO_vasprintf (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x42C4A644: g_vasprintf (in /usr/lib/libglib-2.0.so.0.600.2)
==14622== 
==14622== Conditional jump or move depends on uninitialised value(s)
==14622==    at 0x4338028F: _IO_vfprintf_internal (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x4339D107: _IO_vasprintf (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x42C4A644: g_vasprintf (in /usr/lib/libglib-2.0.so.0.600.2)
==14622==    by 0x42C3C164: g_strdup_vprintf (in /usr/lib/libglib-2.0.so.0.600.2)
==14622== 
==14622== Conditional jump or move depends on uninitialised value(s)
==14622==    at 0x433802E8: _IO_vfprintf_internal (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x4339D107: _IO_vasprintf (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x42C4A644: g_vasprintf (in /usr/lib/libglib-2.0.so.0.600.2)
==14622==    by 0x42C3C164: g_strdup_vprintf (in /usr/lib/libglib-2.0.so.0.600.2)
==14622== 
==14622== Conditional jump or move depends on uninitialised value(s)
==14622==    at 0x43380361: _IO_vfprintf_internal (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x4339D107: _IO_vasprintf (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x42C4A644: g_vasprintf (in /usr/lib/libglib-2.0.so.0.600.2)
==14622==    by 0x42C3C164: g_strdup_vprintf (in /usr/lib/libglib-2.0.so.0.600.2)
==14622== 
==14622== Syscall param write(buf) contains uninitialised or unaddressable byte(s)
==14622==    at 0x433F237E: __write_nocancel (in /lib/tls/i486/libc-2.3.4.so)
==14622==    by 0x1BEE9416: gg_send_packet (in /usr/lib/gaim/libgg.so)
==14622==    by 0x1BEEA9A8: gg_watch_fd (in /usr/lib/gaim/libgg.so)
==14622==    by 0x1BEEC78A: login_callback (in /usr/lib/gaim/libgg.so)
==14622==  Address 0x1C2A8818 is 24 bytes inside a block of size 39 alloc'd
==14622==    at 0x1B9073EE: realloc (vg_replace_malloc.c:197)
==14622==    by 0x1BEE93A0: gg_send_packet (in /usr/lib/gaim/libgg.so)
==14622==    by 0x1BEEA9A8: gg_watch_fd (in /usr/lib/gaim/libgg.so)
==14622==    by 0x1BEEC78A: login_callback (in /usr/lib/gaim/libgg.so)
==14622== 
==14622== Invalid read of size 4
==14622==    at 0x1BEEDF30: (within /usr/lib/gaim/libgg.so)
==14622==    by 0x8A379: (within /usr/bin/gaim)
==14622==    by 0x42C4A75C: (within /usr/lib/libglib-2.0.so.0.600.2)
==14622==    by 0x42C261E7: g_main_context_dispatch (in
/usr/lib/libglib-2.0.so.0.600.2)
==14622==  Address 0x1C2B9BA8 is 0 bytes after a block of size 128 alloc'd
==14622==    at 0x1B9073EE: realloc (vg_replace_malloc.c:197)
==14622==    by 0x1BEEAEC6: gg_watch_fd (in /usr/lib/gaim/libgg.so)
==14622==    by 0x1BEED9CF: (within /usr/lib/gaim/libgg.so)
==14622==    by 0x8A379: (within /usr/bin/gaim)
==14622== 
==14622== Invalid read of size 4
==14622==    at 0x1BEEDC1D: (within /usr/lib/gaim/libgg.so)
==14622==    by 0x8A379: (within /usr/bin/gaim)
==14622==    by 0x42C4A75C: (within /usr/lib/libglib-2.0.so.0.600.2)
==14622==    by 0x42C261E7: g_main_context_dispatch (in
/usr/lib/libglib-2.0.so.0.600.2)
==14622==  Address 0x1C2B9BAC is 4 bytes after a block of size 128 alloc'd
==14622==    at 0x1B9073EE: realloc (vg_replace_malloc.c:197)
==14622==    by 0x1BEEAEC6: gg_watch_fd (in /usr/lib/gaim/libgg.so)
==14622==    by 0x1BEED9CF: (within /usr/lib/gaim/libgg.so)
==14622==    by 0x8A379: (within /usr/bin/gaim)
==14643== 
==14643== ERROR SUMMARY: 14 errors from 2 contexts (suppressed: 275 from 2)
==14643== malloc/free: in use at exit: 867792 bytes in 13968 blocks.
==14643== malloc/free: 44854 allocs, 30886 frees, 3695421 bytes allocated.
==14643== For a detailed leak analysis,  rerun with: --leak-check=yes
==14643== For counts of detected errors, rerun with: -v
==14646== 
==14646== ERROR SUMMARY: 15 errors from 2 contexts (suppressed: 279 from 2)
==14646== malloc/free: in use at exit: 2039051 bytes in 33292 blocks.
==14646== malloc/free: 142598 allocs, 109306 frees, 29172154 bytes allocated.
==14646== For a detailed leak analysis,  rerun with: --leak-check=yes
==14646== For counts of detected errors, rerun with: -v
==14622== 
==14622== Invalid write of size 1
==14622==    at 0x1B906632: memcpy (mac_replace_strmem.c:298)
==14622==    by 0x1BEEAA46: gg_watch_fd (in /usr/lib/gaim/libgg.so)
==14622==    by 0x1BEED9CF: (within /usr/lib/gaim/libgg.so)
==14622==    by 0x8A379: (within /usr/bin/gaim)
==14622==  Address 0x1C35DACC is 0 bytes after a block of size 36 alloc'd
==14622==    at 0x1B906984: malloc (vg_replace_malloc.c:131)
==14622==    by 0x1BEEA126: gg_watch_fd (in /usr/lib/gaim/libgg.so)
==14622==    by 0x1BEED9CF: (within /usr/lib/gaim/libgg.so)
==14622==    by 0x8A379: (within /usr/bin/gaim)
==14622== 
==14622== Invalid write of size 1
==14622==    at 0x1B906638: memcpy (mac_replace_strmem.c:299)
==14622==    by 0x1BEEAA46: gg_watch_fd (in /usr/lib/gaim/libgg.so)
==14622==    by 0x1BEED9CF: (within /usr/lib/gaim/libgg.so)
==14622==    by 0x8A379: (within /usr/bin/gaim)
==14622==  Address 0x1C35DACD is 1 bytes after a block of size 36 alloc'd
==14622==    at 0x1B906984: malloc (vg_replace_malloc.c:131)
==14622==    by 0x1BEEA126: gg_watch_fd (in /usr/lib/gaim/libgg.so)
==14622==    by 0x1BEED9CF: (within /usr/lib/gaim/libgg.so)
==14622==    by 0x8A379: (within /usr/bin/gaim)
==14622== 
==14622== Invalid write of size 1
==14622==    at 0x1B90663E: memcpy (mac_replace_strmem.c:300)
==14622==    by 0x1BEEAA46: gg_watch_fd (in /usr/lib/gaim/libgg.so)
==14622==    by 0x1BEED9CF: (within /usr/lib/gaim/libgg.so)
==14622==    by 0x8A379: (within /usr/bin/gaim)
==14622==  Address 0x1C35DACE is 2 bytes after a block of size 36 alloc'd
==14622==    at 0x1B906984: malloc (vg_replace_malloc.c:131)
==14622==    by 0x1BEEA126: gg_watch_fd (in /usr/lib/gaim/libgg.so)
==14622==    by 0x1BEED9CF: (within /usr/lib/gaim/libgg.so)
==14622==    by 0x8A379: (within /usr/bin/gaim)
==14622== 
==14622== Invalid write of size 1
==14622==    at 0x1B906644: memcpy (mac_replace_strmem.c:301)
==14622==    by 0x1BEEAA46: gg_watch_fd (in /usr/lib/gaim/libgg.so)
==14622==    by 0x1BEED9CF: (within /usr/lib/gaim/libgg.so)
==14622==    by 0x8A379: (within /usr/bin/gaim)
==14622==  Address 0x1C35DACF is 3 bytes after a block of size 36 alloc'd
==14622==    at 0x1B906984: malloc (vg_replace_malloc.c:131)
==14622==    by 0x1BEEA126: gg_watch_fd (in /usr/lib/gaim/libgg.so)
==14622==    by 0x1BEED9CF: (within /usr/lib/gaim/libgg.so)
==14622==    by 0x8A379: (within /usr/bin/gaim)
==14622== 
==14622== Invalid write of size 1
==14622==    at 0x1B90665A: memcpy (mac_replace_strmem.c:305)
==14622==    by 0x1BEEAA46: gg_watch_fd (in /usr/lib/gaim/libgg.so)
==14622==    by 0x1BEED9CF: (within /usr/lib/gaim/libgg.so)
==14622==    by 0x8A379: (within /usr/bin/gaim)
==14622==  Address 0x1C35DAE4 is not stack'd, malloc'd or (recently) free'd

valgrind: vg_memory.c:839 (vgPlain_init_shadow_range): Assertion
`vgPlain_defined_init_shadow_page()' failed.
==14622==    at 0xB002C005: vgPlain_skin_assert_fail (vg_mylibc.c:1137)
==14622==    by 0xB002C004: assert_fail (vg_mylibc.c:1133)
==14622==    by 0xB002C042: vgPlain_core_assert_fail (vg_mylibc.c:1144)
==14622==    by 0xB002A24A: vgPlain_init_shadow_range (vg_memory.c:839)

sched status:

Thread 1: status = Runnable, associated_mx = 0x0, associated_cv = 0x0
==14622==    at 0x1B906EA5: free (vg_replace_malloc.c:153)
==14622==    by 0x42C2C410: g_free (in /usr/lib/libglib-2.0.so.0.600.2)
==14622==    by 0x1BDBF90A: (within
/usr/lib/gtk-2.0/2.4.0/loaders/libpixbufloader-png.so)
==14622==    by 0x437B6BE9: png_free (in /usr/lib/libpng12.so.0.1.2.8)


Note: see also the FAQ.txt in the source distribution.
It contains workarounds to several common problems.

If that doesn't help, please report this bug to: valgrind.kde.org

In the bug report, send all the above text, the valgrind
version, and what Linux distro you are using.  Thanks.
Comment 4 Adam Szalkowski 2005-03-01 10:19:22 EST
the bug is definitely in the gadu-gadu module, when I disable it there are no 
more aborts/segfaults. 
Comment 5 Luke Schierer 2005-03-01 20:04:40 EST
I compared the gadu-gadu code between 1.1.3 and 1.1.4, there was exactly 1 line
changed between these versions, and it could not cause this crash.

@@ -480,8 +480,7 @@ static void main_callback(gpointer data,
 			imsg = charset_convert(e->event.msg.message, "CP1250", "UTF-8");
 			gaim_str_strip_cr(imsg);
 			jmsg = gaim_escape_html(imsg);
-			/* e->event.msg.time - we don't know what this time is for */
-			serv_got_im(gc, user, jmsg, 0, time(NULL));
+			serv_got_im(gc, user, jmsg, 0, e->event.msg.time);
 			g_free(imsg);
 			g_free(jmsg);
 		}

shows the changed line. nothing to do with this crash. 

this crash however does look like 
https://sourceforge.net/tracker/index.php?func=detail&aid=999944&group_id=235&atid=100235
which appears to have been closed for lack of responce from the submitter. 

to be able to track this down, esp. since its very hard to use a protocol in
which the documentation is entirely polish, the users almost entirely
polish-speaking, and the website for which is also polish, we would need the
output of valgrind after having installed the debug info rpm.

at one point we had a developer regularly submitting patches and maintaining
this code.  he has since left the project and the gadu-gadu protocol has not
progressed since then except by the odd patch by users. 
Comment 6 Adam Szalkowski 2005-03-02 03:52:13 EST
Maybe the bug was already in version 1.1.3 which did not work at all on full 
rawhide systems. 
I think 1.1.2 was OK, or maybe just something in the server/client protocols 
changed? In fact it is only one user who causes the overflow. All others (got 
just one other gg contact) are fine (no valgrind output after status change). 
 
Installed the debug package and got the following interesting lines of 
valgrind output: 
gg: ** gg_watch_fd(...); 
gg: == GG_STATE_CONNECTED 
gg: ** gg_watch_fd_connected(...); 
gg: ** gg_recv_packet(...); 
gg: -- header recv(..., 8) = 8 
gg: -- body recv(..., 41) = 41 
gg: >> received packet (type=02):gg:  02gg:  00gg:  00gg:  00gg:  29gg:  00gg:  
00gg:  00gg:  d1gg:  3agg:  11gg:  00gg:  15gg:  00gg:  00gg:  00gg:  44gg:  
61gg:  61gg:  62gg:  20gg:  2dgg:  20gg:  52gg:  65gg:  64gg:  65gg:  6dgg:  
70gg:  74gg:  69gg:  6fgg:  6egg:  20gg:  53gg:  6fgg:  6egg:  67gg:  20gg: 
28gg:  44gg:  61gg:  61gg:  62gg:  20gg:  49gg:  49gg:  49gg:  29gg: 
gg: -- received a status change 
==6613== 
==6613== Invalid write of size 1 
==6613==    at 0x1B906632: memcpy (mac_replace_strmem.c:298) 
==6613==    by 0x1C30DA46: gg_watch_fd (string3.h:52) 
==6613==    by 0x1C3109CF: ??? (gg.c:451) 
==6613==    by 0x8A449: ??? (gtkeventloop.c:61) 
==6613==  Address 0x1CBF94A4 is 0 bytes after a block of size 36 alloc'd 
==6613==    at 0x1B906984: malloc (vg_replace_malloc.c:131) 
==6613==    by 0x1C30D126: gg_watch_fd (libgg.c:1217) 
==6613==    by 0x1C3109CF: ??? (gg.c:451) 
==6613==    by 0x8A449: ??? (gtkeventloop.c:61) 
==6613== 
==6613== Invalid write of size 1 
==6613==    at 0x1B906638: memcpy (mac_replace_strmem.c:299) 
==6613==    by 0x1C30DA46: gg_watch_fd (string3.h:52) 
==6613==    by 0x1C3109CF: ??? (gg.c:451) 
==6613==    by 0x8A449: ??? (gtkeventloop.c:61) 
==6613==  Address 0x1CBF94A5 is 1 bytes after a block of size 36 alloc'd 
==6613==    at 0x1B906984: malloc (vg_replace_malloc.c:131) 
==6613==    by 0x1C30D126: gg_watch_fd (libgg.c:1217) 
==6613==    by 0x1C3109CF: ??? (gg.c:451) 
==6613==    by 0x8A449: ??? (gtkeventloop.c:61) 
==6613== 
==6613== Invalid write of size 1 
==6613==    at 0x1B90663E: memcpy (mac_replace_strmem.c:300) 
==6613==    by 0x1C30DA46: gg_watch_fd (string3.h:52) 
==6613==    by 0x1C3109CF: ??? (gg.c:451) 
==6613==    by 0x8A449: ??? (gtkeventloop.c:61) 
==6613==  Address 0x1CBF94A6 is 2 bytes after a block of size 36 alloc'd 
==6613==    at 0x1B906984: malloc (vg_replace_malloc.c:131) 
==6613==    by 0x1C30D126: gg_watch_fd (libgg.c:1217) 
==6613==    by 0x1C3109CF: ??? (gg.c:451) 
==6613==    by 0x8A449: ??? (gtkeventloop.c:61) 
==6613== 
==6613== Invalid write of size 1 
==6613==    at 0x1B906644: memcpy (mac_replace_strmem.c:301) 
==6613==    by 0x1C30DA46: gg_watch_fd (string3.h:52) 
==6613==    by 0x1C3109CF: ??? (gg.c:451) 
==6613==    by 0x8A449: ??? (gtkeventloop.c:61) 
==6613==  Address 0x1CBF94A7 is 3 bytes after a block of size 36 alloc'd 
==6613==    at 0x1B906984: malloc (vg_replace_malloc.c:131) 
==6613==    by 0x1C30D126: gg_watch_fd (libgg.c:1217) 
==6613==    by 0x1C3109CF: ??? (gg.c:451) 
==6613==    by 0x8A449: ??? (gtkeventloop.c:61) 
==6613== 
==6613== Invalid write of size 1 
==6613==    at 0x1B90665A: memcpy (mac_replace_strmem.c:305) 
==6613==    by 0x1C30DA46: gg_watch_fd (string3.h:52) 
==6613==    by 0x1C3109CF: ??? (gg.c:451) 
==6613==    by 0x8A449: ??? (gtkeventloop.c:61) 
==6613==  Address 0x1CBF94AC is 8 bytes after a block of size 36 alloc'd 
==6613==    at 0x1B906984: malloc (vg_replace_malloc.c:131) 
==6613==    by 0x1C30D126: gg_watch_fd (libgg.c:1217) 
==6613==    by 0x1C3109CF: ??? (gg.c:451) 
==6613==    by 0x8A449: ??? (gtkeventloop.c:61) 
 
this leads me to libgg.c:1058 
 
	    case GG_STATUS: 
	    { 
		struct gg_status *s = (void *)p; 
 
		gg_debug(GG_DEBUG_MISC, "-- received a status change\n"); 
 
		if (h->length >= sizeof(*s)) { 
			e->type = GG_EVENT_STATUS; 
->			memcpy(&e->event.status, p, h->length); 
			e->event.status.uin = fix32(e->event.status.uin); 
			e->event.status.status = fix32
(e->event.status.status); 
		} 
		break; 
	    } 
 
and indeed, why are we overwriting event.status if h->length is LARGER than 
sizeof(event.status)? 
IMHO this line is causing the crash. 
 
there is also another block of output which seems rather harmless: 
 
g: main_callback enter: begin 
gg: ** gg_watch_fd(...); 
gg: == GG_STATE_CONNECTED 
gg: ** gg_watch_fd_connected(...); 
gg: ** gg_recv_packet(...); 
gg: -- header recv(..., 8) = 8 
gg: -- body recv(..., 36) = 36 
gg: >> received packet (type=11): **removed** 
gg: // gg_watch_fd_connected() received a notify reply 
==6613== 
==6613== Invalid read of size 4 
==6613==    at 0x1C310F30: ??? (gg.c:522) 
==6613==    by 0x8A449: ??? (gtkeventloop.c:61) 
==6613==    by 0x42C4A75C: (within /usr/lib/libglib-2.0.so.0.600.2) 
==6613==    by 0x42C261E7: g_main_context_dispatch 
(in /usr/lib/libglib-2.0.so.0.600.2) 
==6613==  Address 0x1CA7BB08 is 0 bytes after a block of size 64 alloc'd 
==6613==    at 0x1B9073EE: realloc (vg_replace_malloc.c:197) 
==6613==    by 0x1C30DEC6: gg_watch_fd (libgg.c:1037) 
==6613==    by 0x1C3109CF: ??? (gg.c:451) 
==6613==    by 0x8A449: ??? (gtkeventloop.c:61) 
==6613== 
==6613== Invalid read of size 4 
==6613==    at 0x1C310C1D: ??? (gg.c:533) 
==6613==    by 0x8A449: ??? (gtkeventloop.c:61) 
==6613==    by 0x42C4A75C: (within /usr/lib/libglib-2.0.so.0.600.2) 
==6613==    by 0x42C261E7: g_main_context_dispatch 
(in /usr/lib/libglib-2.0.so.0.600.2) 
==6613==  Address 0x1CA7BB0C is 4 bytes after a block of size 64 alloc'd 
==6613==    at 0x1B9073EE: realloc (vg_replace_malloc.c:197) 
==6613==    by 0x1C30DEC6: gg_watch_fd (libgg.c:1037) 
==6613==    by 0x1C3109CF: ??? (gg.c:451) 
==6613==    by 0x8A449: ??? (gtkeventloop.c:61) 
 
 
Comment 7 Stu Tomlinson 2005-03-02 07:08:24 EST
Thanks for doing this, I've committed a fix to upstream Gaim CVS which will be
included in the next release. This wasn't actually a regression, the bug has
been there since at least Sept 2001, I think you're correct that it's only
showing up now due to newer client/server protocol features not supported by Gaim.
Comment 8 Adam Szalkowski 2005-03-04 07:56:40 EST
Can this patch be included in the next build for rawhide?
Comment 9 Warren Togami 2005-03-04 14:39:08 EST
Give me the CVS URL of that exact change and maybe.
Comment 11 Warren Togami 2005-03-11 22:50:38 EST
Fixed in FC2, FC3, RHEL3 and RHEL4.

Note You need to log in before you can comment on or make changes to this bug.