From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050224 Firefox/1.0.1 Firearachnid/1.0.1-1.3.1 (Fedora/1.0.1-1.3.1 rebrand)

Description of problem:
Gaim aborts when certain contacts go online. gaimosd shows the notification message, then gaim aborts. In fact I see this behaviour only with one contact; others seem to work. The length of the name is 18 chars (some string buffer overflow?). Please see attached gdb output.

Version-Release number of selected component (if applicable):
gaim-1.1.4-1

How reproducible:
Sometimes

Steps to Reproduce:
1. start gaim
2. wait until that gadu-gadu contact gets online
3.

Actual Results:
gaim aborting

Additional info:
gdb output:

bar 1
bar 2
bar 3
foo 1
*** glibc detected *** /usr/bin/gaim: free(): invalid next size (fast): 0x801e6c80 ***

Program received signal SIGABRT, Aborted.
[Switching to Thread -1217911104 (LWP 4088)]
0xb78a9a14 in raise () from /lib/tls/i686/libc.so.6
(gdb) bt
#0  0xb78a9a14 in raise () from /lib/tls/i686/libc.so.6
#1  0xb78aae50 in abort () from /lib/tls/i686/libc.so.6
#2  0xb78d7e6d in __libc_message () from /lib/tls/i686/libc.so.6
#3  0xb78dd853 in _int_free () from /lib/tls/i686/libc.so.6
#4  0xb78ddb93 in free () from /lib/tls/i686/libc.so.6
#5  0xb72e3161 in gg_free_event () from /usr/lib/gaim/libgg.so
#6  0xb72e7a8b in gaim_init_plugin () from /usr/lib/gaim/libgg.so
#7  0x8008a37a in gaim_gtkdialogs_remove_chat () from /usr/bin/gaim
#8  0xb79f675d in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#9  0xb79d21e8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#10 0xb79d3a08 in g_main_context_acquire () from /usr/lib/libglib-2.0.so.0
#11 0xb79d3d2f in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#12 0xb7c7b2de in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#13 0x800b984d in main () from /usr/bin/gaim
Is this a regression from previous gaim versions?
Yes, it seems to be a regression. Before gaim-1.1.3 I did not have this problem. A few minutes ago I got another segfault from malloc in some other function. Is there a package with debug info or do I have to rebuild? Now trying without gaimosd. Maybe the plugin causes some memory corruption. If the problem still occurs I'll fire up valgrind.
Same behaviour without gaimosd. valgrind/memcheck says this (but without debug info :/ ):
The bug is definitely in the gadu-gadu module; when I disable it there are no more aborts/segfaults.
I compared the gadu-gadu code between 1.1.3 and 1.1.4; there was exactly 1 line changed between these versions, and it could not cause this crash.

@@ -480,8 +480,7 @@ static void main_callback(gpointer data, imsg = charset_convert(e->event.msg.message, "CP1250", "UTF-8"); gaim_str_strip_cr(imsg); jmsg = gaim_escape_html(imsg); - /* e->event.msg.time - we don't know what this time is for */ - serv_got_im(gc, user, jmsg, 0, time(NULL)); + serv_got_im(gc, user, jmsg, 0, e->event.msg.time); g_free(imsg); g_free(jmsg); }

shows the changed line. Nothing to do with this crash.

This crash, however, does look like https://sourceforge.net/tracker/index.php?func=detail&aid=999944&group_id=235&atid=100235 which appears to have been closed for lack of response from the submitter.

To be able to track this down, esp. since it's very hard to use a protocol in which the documentation is entirely Polish, the users almost entirely Polish-speaking, and the website for which is also Polish, we would need the output of valgrind after having installed the debug info rpm.

At one point we had a developer regularly submitting patches and maintaining this code. He has since left the project, and the gadu-gadu protocol has not progressed since then except by the odd patch by users.
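Review bot: the hunk swaps time(NULL) for e->event.msg.time, a value read straight from the incoming packet, while the comment it deletes says the meaning of that field was not known, and nothing in the hunk validates it before serv_got_im(gc, user, jmsg, 0, e->event.msg.time). Document what the field carries and accept it only when plausible (non-zero and not in the future), falling back to time(NULL) otherwise, so a malformed timestamp from the server does not land in the message log.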
Maybe the bug was already in version 1.1.3, which did not work at all on full rawhide systems. I think 1.1.2 was OK, or maybe just something in the server/client protocols changed? In fact it is only one user who causes the overflow. All others (got just one other gg contact) are fine (no valgrind output after status change).

Installed the debug package and got the following interesting lines of valgrind output:

gg: ** gg_watch_fd(...);
gg: == GG_STATE_CONNECTED
gg: ** gg_watch_fd_connected(...);
gg: ** gg_recv_packet(...);
gg: -- header recv(..., 8) = 8
gg: -- body recv(..., 41) = 41
gg: >> received packet (type=02):gg: 02gg: 00gg: 00gg: 00gg: 29gg: 00gg: 00gg: 00gg: d1gg: 3agg: 11gg: 00gg: 15gg: 00gg: 00gg: 00gg: 44gg: 61gg: 61gg: 62gg: 20gg: 2dgg: 20gg: 52gg: 65gg: 64gg: 65gg: 6dgg: 70gg: 74gg: 69gg: 6fgg: 6egg: 20gg: 53gg: 6fgg: 6egg: 67gg: 20gg: 28gg: 44gg: 61gg: 61gg: 62gg: 20gg: 49gg: 49gg: 49gg: 29gg:
gg: -- received a status change
==6613==
==6613== Invalid write of size 1
==6613==    at 0x1B906632: memcpy (mac_replace_strmem.c:298)
==6613==    by 0x1C30DA46: gg_watch_fd (string3.h:52)
==6613==    by 0x1C3109CF: ??? (gg.c:451)
==6613==    by 0x8A449: ??? (gtkeventloop.c:61)
==6613==  Address 0x1CBF94A4 is 0 bytes after a block of size 36 alloc'd
==6613==    at 0x1B906984: malloc (vg_replace_malloc.c:131)
==6613==    by 0x1C30D126: gg_watch_fd (libgg.c:1217)
==6613==    by 0x1C3109CF: ??? (gg.c:451)
==6613==    by 0x8A449: ??? (gtkeventloop.c:61)
==6613==
==6613== Invalid write of size 1
==6613==    at 0x1B906638: memcpy (mac_replace_strmem.c:299)
==6613==    by 0x1C30DA46: gg_watch_fd (string3.h:52)
==6613==    by 0x1C3109CF: ??? (gg.c:451)
==6613==    by 0x8A449: ??? (gtkeventloop.c:61)
==6613==  Address 0x1CBF94A5 is 1 bytes after a block of size 36 alloc'd
==6613==    at 0x1B906984: malloc (vg_replace_malloc.c:131)
==6613==    by 0x1C30D126: gg_watch_fd (libgg.c:1217)
==6613==    by 0x1C3109CF: ??? (gg.c:451)
==6613==    by 0x8A449: ??? (gtkeventloop.c:61)
==6613==
==6613== Invalid write of size 1
==6613==    at 0x1B90663E: memcpy (mac_replace_strmem.c:300)
==6613==    by 0x1C30DA46: gg_watch_fd (string3.h:52)
==6613==    by 0x1C3109CF: ??? (gg.c:451)
==6613==    by 0x8A449: ??? (gtkeventloop.c:61)
==6613==  Address 0x1CBF94A6 is 2 bytes after a block of size 36 alloc'd
==6613==    at 0x1B906984: malloc (vg_replace_malloc.c:131)
==6613==    by 0x1C30D126: gg_watch_fd (libgg.c:1217)
==6613==    by 0x1C3109CF: ??? (gg.c:451)
==6613==    by 0x8A449: ??? (gtkeventloop.c:61)
==6613==
==6613== Invalid write of size 1
==6613==    at 0x1B906644: memcpy (mac_replace_strmem.c:301)
==6613==    by 0x1C30DA46: gg_watch_fd (string3.h:52)
==6613==    by 0x1C3109CF: ??? (gg.c:451)
==6613==    by 0x8A449: ??? (gtkeventloop.c:61)
==6613==  Address 0x1CBF94A7 is 3 bytes after a block of size 36 alloc'd
==6613==    at 0x1B906984: malloc (vg_replace_malloc.c:131)
==6613==    by 0x1C30D126: gg_watch_fd (libgg.c:1217)
==6613==    by 0x1C3109CF: ??? (gg.c:451)
==6613==    by 0x8A449: ??? (gtkeventloop.c:61)
==6613==
==6613== Invalid write of size 1
==6613==    at 0x1B90665A: memcpy (mac_replace_strmem.c:305)
==6613==    by 0x1C30DA46: gg_watch_fd (string3.h:52)
==6613==    by 0x1C3109CF: ??? (gg.c:451)
==6613==    by 0x8A449: ??? (gtkeventloop.c:61)
==6613==  Address 0x1CBF94AC is 8 bytes after a block of size 36 alloc'd
==6613==    at 0x1B906984: malloc (vg_replace_malloc.c:131)
==6613==    by 0x1C30D126: gg_watch_fd (libgg.c:1217)
==6613==    by 0x1C3109CF: ??? (gg.c:451)
==6613==    by 0x8A449: ??? (gtkeventloop.c:61)

This leads me to libgg.c:1058:

	case GG_STATUS: {
		struct gg_status *s = (void *)p;

		gg_debug(GG_DEBUG_MISC, "-- received a status change\n");

		if (h->length >= sizeof(*s)) {
			e->type = GG_EVENT_STATUS;
->			memcpy(&e->event.status, p, h->length);
			e->event.status.uin = fix32(e->event.status.uin);
			e->event.status.status = fix32(e->event.status.status);
		}

		break;
	}

And indeed, why are we overwriting event.status if h->length is LARGER than sizeof(event.status)? IMHO this line is causing the crash.

There is also another block of output which seems rather harmless:

g: main_callback enter: begin
gg: ** gg_watch_fd(...);
gg: == GG_STATE_CONNECTED
gg: ** gg_watch_fd_connected(...);
gg: ** gg_recv_packet(...);
gg: -- header recv(..., 8) = 8
gg: -- body recv(..., 36) = 36
gg: >> received packet (type=11): **removed**
gg: // gg_watch_fd_connected() received a notify reply
==6613==
==6613== Invalid read of size 4
==6613==    at 0x1C310F30: ??? (gg.c:522)
==6613==    by 0x8A449: ??? (gtkeventloop.c:61)
==6613==    by 0x42C4A75C: (within /usr/lib/libglib-2.0.so.0.600.2)
==6613==    by 0x42C261E7: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.600.2)
==6613==  Address 0x1CA7BB08 is 0 bytes after a block of size 64 alloc'd
==6613==    at 0x1B9073EE: realloc (vg_replace_malloc.c:197)
==6613==    by 0x1C30DEC6: gg_watch_fd (libgg.c:1037)
==6613==    by 0x1C3109CF: ??? (gg.c:451)
==6613==    by 0x8A449: ??? (gtkeventloop.c:61)
==6613==
==6613== Invalid read of size 4
==6613==    at 0x1C310C1D: ??? (gg.c:533)
==6613==    by 0x8A449: ??? (gtkeventloop.c:61)
==6613==    by 0x42C4A75C: (within /usr/lib/libglib-2.0.so.0.600.2)
==6613==    by 0x42C261E7: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.600.2)
==6613==  Address 0x1CA7BB0C is 4 bytes after a block of size 64 alloc'd
==6613==    at 0x1B9073EE: realloc (vg_replace_malloc.c:197)
==6613==    by 0x1C30DEC6: gg_watch_fd (libgg.c:1037)
==6613==    by 0x1C3109CF: ??? (gg.c:451)
==6613==    by 0x8A449: ??? (gtkeventloop.c:61)
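As an added illustration of the length check discussed in this comment (example code written for this page, not taken from the thread or from Gaim/libgadu), original_overrun() models how many bytes the quoted memcpy would write past the fixed status record, and parse_status_packet() shows the bounded alternative, fed the same GG_STATUS bytes as in the dump above. The 8-byte header, the two-field record and little-endian integers are assumptions of this model, not the real libgg.c layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed wire layout for this example: 8-byte header (type, length), then the
 * body; integers little-endian, which is what the fix32() calls above imply. */
#define GG_STATUS_TYPE 0x02u

struct gg_status_rec {      /* fixed part of a GG_STATUS body (assumed layout) */
    uint32_t uin;
    uint32_t status;
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Models the quoted check `if (h->length >= sizeof(*s)) memcpy(..., h->length)`:
 * it bounds only the lower side, so everything beyond the fixed record would be
 * written past it. Returns that surplus instead of performing the copy. */
size_t original_overrun(uint32_t body_len) {
    if (body_len >= sizeof(struct gg_status_rec))
        return body_len - sizeof(struct gg_status_rec);
    return 0;
}

/* Hardened handler: decode the fixed fields only, and return the trailing
 * description as a bounded (pointer, length) pair that is not NUL-terminated.
 * Returns 0 on success, -1 for a truncated, oversized or non-status packet. */
int parse_status_packet(const uint8_t *pkt, size_t pkt_len,
                        struct gg_status_rec *out,
                        const uint8_t **descr, size_t *descr_len) {
    if (pkt_len < 8) return -1;                   /* incomplete header */
    uint32_t type = read_le32(pkt);
    uint32_t len  = read_le32(pkt + 4);
    if (type != GG_STATUS_TYPE) return -1;
    if (len > pkt_len - 8) return -1;             /* header claims more than we got */
    if (len < sizeof(*out)) return -1;            /* same lower bound as the original */
    const uint8_t *body = pkt + 8;
    out->uin    = read_le32(body);                /* explicit decode instead of fix32() */
    out->status = read_le32(body + 4);
    *descr      = body + sizeof(*out);
    *descr_len  = len - sizeof(*out);             /* 0 when no description follows */
    return 0;
}

/* Constructed packet reproducing the bytes dumped above: type 2, length 0x29 (41),
 * uin 0x00113ad1, status 0x15, then a 33-byte description. Returns bytes written. */
size_t build_sample_packet(uint8_t *buf, size_t cap) {
    static const char descr[] = "Daab - Redemption Song (Daab III)";
    const size_t dlen = sizeof(descr) - 1;        /* 33: no terminator on the wire */
    const uint8_t hdr[8]   = { 0x02,0,0,0, 0x29,0,0,0 };
    const uint8_t fixed[8] = { 0xd1,0x3a,0x11,0x00, 0x15,0x00,0x00,0x00 };
    if (cap < 16 + dlen) return 0;
    memcpy(buf, hdr, 8);
    memcpy(buf + 8, fixed, 8);
    memcpy(buf + 16, descr, dlen);
    return 16 + dlen;
}
```

With this model the 41-byte body yields a 33-byte overrun in the original logic, while the hardened parser keeps the description as a separate bounded slice.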
Thanks for doing this. I've committed a fix to upstream Gaim CVS which will be included in the next release. This wasn't actually a regression; the bug has been there since at least Sept 2001. I think you're correct that it's only showing up now due to newer client/server protocol features not supported by Gaim.
Can this patch be included in the next build for rawhide?
Give me the CVS URL of that exact change and maybe.
This is the patch: http://cvs.sourceforge.net/viewcvs.py/gaim/gaim/src/protocols/gg/libgg.c?r1=1.21&r2=1.21.2.1&diff_format=u
Fixed in FC2, FC3, RHEL3 and RHEL4.