Version-Release number of selected component: xclip-0.13-12.git9344507.fc34

Additional info:
reporter:         libreport-2.14.0
backtrace_rating: 4
cgroup:           0::/user.slice/user-1000.slice/session-4.scope
cmdline:          xclip -o
crash_function:   doOut
executable:       /usr/bin/xclip
journald_cursor:  s=bbb366bf067646d1bc78eb643202b91b;i=8e36;b=a26f9653f4594f36a101721ee9ea5b69;m=8c329d2a1c;t=5bf70bd6339fb;x=dc4d7a8494370ac8
kernel:           5.11.10-300.fc34.x86_64
rootdir:          /
runlevel:         N 5
type:             CCpp
uid:              1000

Truncated backtrace:
Thread no. 1 (1 frames)
 #1 doOut at /usr/src/debug/xclip-0.13-12.git9344507.fc34.x86_64/xclip.c:599
Created attachment 1770150 [details] File: backtrace
Created attachment 1770151 [details] File: core_backtrace
Created attachment 1770152 [details] File: cpuinfo
Created attachment 1770153 [details] File: dso_list
Created attachment 1770154 [details] File: environ
Created attachment 1770155 [details] File: exploitable
Created attachment 1770156 [details] File: limits
Created attachment 1770157 [details] File: maps
Created attachment 1770158 [details] File: mountinfo
Created attachment 1770159 [details] File: open_fds
Created attachment 1770160 [details] File: proc_pid_status
*** Bug 1953239 has been marked as a duplicate of this bug. ***
*** Bug 1957717 has been marked as a duplicate of this bug. ***
Similar problem has been detected:

Crashed while being used by the 'pass' command to copy a password to the clipboard. It seems to happen quite often.

reporter:         libreport-2.14.0
backtrace_rating: 4
cgroup:           0::/user.slice/user-1000.slice/user/app.slice/app-org.gnome.Terminal.slice/vte-spawn-5b97fc85-6dae-494a-bad8-09f2730a0f4f.scope
cmdline:          xclip -o -selection clipboard
crash_function:   doOut
executable:       /usr/bin/xclip
journald_cursor:  s=bf0f7f25f909437689c023348b4cad43;i=445d;b=2a9a594d9bee4e8c9c7a23330907a5a7;m=13987a66e;t=5c1c01daa3a69;x=70d90cadffd0c2d6
kernel:           5.11.17-300.fc34.x86_64
package:          xclip-0.13-13.git11cba61.fc34
reason:           xclip killed by SIGSEGV
rootdir:          /
runlevel:         N 5
type:             CCpp
uid:              1000
With debuginfo installed, gdb says:

#0 0x00007fb6d4d22789 in __GI___libc_free (mem=0x38000000380) at malloc.c:3288
#1 0x00005612cd95459d in doOut (win=10485761) at /usr/src/debug/xclip-0.13-13.git11cba61.fc34.x86_64/xclip.c:748
#2 main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/xclip-0.13-13.git11cba61.fc34.x86_64/xclip.c:974

so a bad pointer has been passed to free(). Line 748 of xclip.c is:

    free(sel_buf);

The question is how sel_buf could get a bad pointer. On line 717, sel_buf is declared but not initialized, so it contains random stack bytes. We take the "else" branch on line 724, so sel_buf remains uninitialized. A pointer to sel_buf is passed to xcout() on line 731.

Now look at the code for xcout (xclib.c, line 141). The value of *context is XCLIB_XCOUT_NONE and the value of *len is 0, so xcout does not change the value of *txt.

Now, back in doOut(), we still have random stack bytes in sel_buf, but we pass those random stack bytes to free() on line 748 of xclip.c.

Fix: initialize sel_buf to NULL, and change "free(sel_buf)" to "if (sel_buf != NULL) free(sel_buf);".
The xcmemzero() call on line 746 of xclip.c should also be guarded with "if (sel_buf != NULL)".
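To make the failure mode above concrete, here is an added C model of the doOut() tail with both fixes applied (initialise to NULL, guard the scrub and the free). This is example code, not xclip's own: xcout_stub() is a stand-in for xcout() that, as the analysis describes, leaves *txt untouched when it has nothing to deliver, and xcmemzero() is replaced by memset().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for xclib's context values (not the real ones). */
#define XCLIB_XCOUT_NONE 0
#define XCLIB_XCOUT_DONE 1

/* Stand-in for xcout(): mirrors the contract the report describes. When there
 * is nothing to deliver it sets *context/*len but does NOT assign *txt, so the
 * caller must not assume *txt is a valid heap pointer afterwards. */
static int xcout_stub(const char *available, unsigned char **txt,
                      unsigned long *len, unsigned int *context)
{
    if (available == NULL) {
        *context = XCLIB_XCOUT_NONE;
        *len = 0;
        return 0;                       /* *txt left exactly as the caller had it */
    }
    *len = strlen(available);
    *txt = malloc(*len);
    if (*txt == NULL) {
        *len = 0;
        return 0;
    }
    memcpy(*txt, available, *len);
    *context = XCLIB_XCOUT_DONE;
    return 1;
}

/* Fixed shape of the doOut() tail. Returns 1 if a buffer was scrubbed and
 * freed, 0 if there was nothing to release. */
int do_out_fixed(const char *available)
{
    unsigned char *sel_buf = NULL;      /* fix 1: no stack garbage reaches free() */
    unsigned long sel_len = 0;
    unsigned int context = XCLIB_XCOUT_NONE;

    xcout_stub(available, &sel_buf, &sel_len, &context);

    if (sel_buf != NULL) {              /* fix 2: guard both the scrub and the free */
        memset(sel_buf, 0, sel_len);    /* stands in for xcmemzero(sel_buf, sel_len) */
        free(sel_buf);
        return 1;
    }
    return 0;
}

int main(void)
{
    printf("with clipboard data: %d\n", do_out_fixed("secret"));
    printf("empty selection:     %d\n", do_out_fixed(NULL));
    return 0;
}
```

The NULL guard matters most for the scrub: xcmemzero() dereferences the pointer, whereas free(NULL) is defined by the C standard to be a no-op.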
Looks correct to me, thank you Jerry. Would you like to make a PR for this to go upstream? If not, I will do it on your behalf.
FEDORA-2021-cdd942c6d4 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-cdd942c6d4
Here's the PR: https://github.com/astrand/xclip/pull/121
FEDORA-2021-cdd942c6d4 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-cdd942c6d4` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-cdd942c6d4 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-cdd942c6d4 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.