Bug 251463 - crash when using gaim-irchelper after update to pidgin
Summary: crash when using gaim-irchelper after update to pidgin
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pidgin
Version: 4.5
Hardware: i386
OS: Linux
Importance: medium high
Target Milestone: ---
Assignee: Warren Togami
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-08-09 08:38 UTC by Michal Slonina
Modified: 2007-11-17 01:14 UTC
CC: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-09 13:51:45 UTC
Target Upstream Version:
Embargoed:



Description Michal Slonina 2007-08-09 08:38:12 UTC
Description of problem:
pidgin crashes randomly with gaim-irchelper in use

Version-Release number of selected component (if applicable):
pidgin-1.5.1-1.el4.i386
gaim-irchelper-0.12-1.2.el4.rf.i386

How reproducible:
always, unavoidable crash :)

Steps to Reproduce:
log on to irc, wait for SIGSEGV to appear
  
Actual results:
crash

Expected results:
no crash

Additional info:
Here is the backtrace; it looks like the stack got smashed at the end, which might be a
security issue too. A Valgrind trace follows.

#0  0x00b507a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
(gdb) bt
#0  0x00b507a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x00b917a5 in raise () from /lib/tls/libc.so.6
#2  0x00b93209 in abort () from /lib/tls/libc.so.6
#3  0x080f8124 in sighandler ()
#4  <signal handler called>
#5  0x0051ac65 in g_ascii_strcasecmp () from /usr/lib/libglib-2.0.so.0
#6  0x0085fe2f in gf_event_find_for_notification (
    type=0x38363823 <Address 0x38363823 out of bounds>) at gf_event.c:104
#7  0x00860378 in gf_event_show_notification (
    n_type=0x38363823 <Address 0x38363823 out of bounds>) at gf_event.c:179
#8  0x0086068d in gf_event_should_show (
    notification=0x38363823 <Address 0x38363823 out of bounds>,
    account=0x963b358) at gf_event.c:305
#9  0x008606e5 in gf_event_common (
    n_type=0x38363823 <Address 0x38363823 out of bounds>, account=0x963b358,
    buddy=0x0, conv=0x997b708, target=0x99777d8 "kentb", message=0x0,
    flags=GAIM_CBFLAGS_NONE, components=0x0, extra=0x0) at gf_event.c:352
#10 0x00860c01 in gf_event_chat_join (conv=0x997b708, name=0x99777d8 "kentb",
    flags=115, new_arrival=0x87868d, data=0x38363823) at gf_event.c:572
#11 0x0809360a in gaim_signal_emit_vargs ()
#12 0x080936d2 in gaim_signal_emit ()
#13 0x08078695 in gaim_conv_chat_add_user ()
#14 0x0091dc5e in irc_msg_join () from /usr/lib/gaim/libirc.so
#15 0x0091a364 in irc_parse_msg () from /usr/lib/gaim/libirc.so
#16 0x0091fb1b in ?? () from /usr/lib/gaim/libirc.so
#17 0x099bbcb8 in ?? ()
#18 0x099b38e0 in ?? ()
#19 0x00000000 in ?? ()


Here is a valgrind run for a different test case:

==17936== Memcheck, a memory error detector.
==17936== Copyright (C) 2002-2005, and GNU GPL'd, by Julian Seward et al.
==17936== Using LibVEX rev 1575, a library for dynamic binary translation.
==17936== Copyright (C) 2004-2005, and GNU GPL'd, by OpenWorks LLP.
==17936== Using valgrind-3.1.1, a dynamic binary instrumentation framework.
==17936== Copyright (C) 2000-2005, and GNU GPL'd, by Julian Seward et al.
==17936== For more details, rerun with: -v
==17936== 
==17936== Conditional jump or move depends on uninitialised value(s)
==17936==    at 0x4A9F6D2: gf_event_common (gf_event.c:349)
==17936==    by 0x4A9FC00: gf_event_chat_join (gf_event.c:572)
==17936==    by 0x8093609: gaim_signal_emit_vargs (in /usr/bin/pidgin)
==17936==    by 0x80936D1: gaim_signal_emit (in /usr/bin/pidgin)
==17936==    by 0x8078858: gaim_conv_chat_add_users (in /usr/bin/pidgin)
==17936==    by 0x4C13F13: irc_msg_names (in /usr/lib/gaim/libirc.so)
==17936==    by 0x4C11363: irc_parse_msg (in /usr/lib/gaim/libirc.so)
==17936==    by 0x4C0F75C: (within /usr/lib/gaim/libirc.so)
==17936==    by 0x80CC624: (within /usr/bin/pidgin)
==17936==    by 0x1B5906: (within /usr/lib/libglib-2.0.so.0.400.7)
==17936==    by 0x19174A: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.400.7)
==17936==    by 0x1931D1: (within /usr/lib/libglib-2.0.so.0.400.7)
==17936== 
==17936== Conditional jump or move depends on uninitialised value(s)
==17936==    at 0x4A9F36E: gf_event_show_notification (gf_event.c:177)
==17936==    by 0x4A9F68C: gf_event_should_show (gf_event.c:305)
==17936==    by 0x4A9F6E4: gf_event_common (gf_event.c:352)
==17936==    by 0x4A9FC00: gf_event_chat_join (gf_event.c:572)
==17936==    by 0x8093609: gaim_signal_emit_vargs (in /usr/bin/pidgin)
==17936==    by 0x80936D1: gaim_signal_emit (in /usr/bin/pidgin)
==17936==    by 0x8078858: gaim_conv_chat_add_users (in /usr/bin/pidgin)
==17936==    by 0x4C13F13: irc_msg_names (in /usr/lib/gaim/libirc.so)
==17936==    by 0x4C11363: irc_parse_msg (in /usr/lib/gaim/libirc.so)
==17936==    by 0x4C0F75C: (within /usr/lib/gaim/libirc.so)
==17936==    by 0x80CC624: (within /usr/bin/pidgin)
==17936==    by 0x1B5906: (within /usr/lib/libglib-2.0.so.0.400.7)
==17936== 
==17936== Conditional jump or move depends on uninitialised value(s)
==17936==    at 0x1A7C58: g_ascii_strcasecmp (in /usr/lib/libglib-2.0.so.0.400.7)
==17936==    by 0x4A9EE2E: gf_event_find_for_notification (gf_event.c:104)
==17936==    by 0x4A9F377: gf_event_show_notification (gf_event.c:179)
==17936==    by 0x4A9F68C: gf_event_should_show (gf_event.c:305)
==17936==    by 0x4A9F6E4: gf_event_common (gf_event.c:352)
==17936==    by 0x4A9FC00: gf_event_chat_join (gf_event.c:572)
==17936==    by 0x8093609: gaim_signal_emit_vargs (in /usr/bin/pidgin)
==17936==    by 0x80936D1: gaim_signal_emit (in /usr/bin/pidgin)
==17936==    by 0x8078858: gaim_conv_chat_add_users (in /usr/bin/pidgin)
==17936==    by 0x4C13F13: irc_msg_names (in /usr/lib/gaim/libirc.so)
==17936==    by 0x4C11363: irc_parse_msg (in /usr/lib/gaim/libirc.so)
==17936==    by 0x4C0F75C: (within /usr/lib/gaim/libirc.so)
==17936== 
==17936== Use of uninitialised value of size 4
==17936==    at 0x1A7C65: g_ascii_strcasecmp (in /usr/lib/libglib-2.0.so.0.400.7)
==17936==    by 0x4A9EE2E: gf_event_find_for_notification (gf_event.c:104)
==17936==    by 0x4A9F377: gf_event_show_notification (gf_event.c:179)
==17936==    by 0x4A9F68C: gf_event_should_show (gf_event.c:305)
==17936==    by 0x4A9F6E4: gf_event_common (gf_event.c:352)
==17936==    by 0x4A9FC00: gf_event_chat_join (gf_event.c:572)
==17936==    by 0x8093609: gaim_signal_emit_vargs (in /usr/bin/pidgin)
==17936==    by 0x80936D1: gaim_signal_emit (in /usr/bin/pidgin)
==17936==    by 0x8078858: gaim_conv_chat_add_users (in /usr/bin/pidgin)
==17936==    by 0x4C13F13: irc_msg_names (in /usr/lib/gaim/libirc.so)
==17936==    by 0x4C11363: irc_parse_msg (in /usr/lib/gaim/libirc.so)
==17936==    by 0x4C0F75C: (within /usr/lib/gaim/libirc.so)
==18061== 
==18061== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 429 from 5)
==18061== malloc/free: in use at exit: 2,075,229 bytes in 36,901 blocks.
==18061== malloc/free: 169,543 allocs, 132,642 frees, 12,298,375 bytes allocated.
==18061== For counts of detected errors, rerun with: -v
==18061== searching for pointers to 36,901 not-freed blocks.
==18061== checked 3,678,128 bytes.
==18061== 
==18061== LEAK SUMMARY:
==18061==    definitely lost: 315 bytes in 11 blocks.
==18061==      possibly lost: 1,209 bytes in 38 blocks.
==18061==    still reachable: 2,073,705 bytes in 36,852 blocks.
==18061==         suppressed: 0 bytes in 0 blocks.
==18061== Use --leak-check=full to see details of leaked memory.
==17936== 
==17936== Invalid read of size 1
==17936==    at 0x1A7C65: g_ascii_strcasecmp (in /usr/lib/libglib-2.0.so.0.400.7)
==17936==    by 0x4A9EE2E: gf_event_find_for_notification (gf_event.c:104)
==17936==    by 0x4A9F377: gf_event_show_notification (gf_event.c:179)
==17936==    by 0x4A9F68C: gf_event_should_show (gf_event.c:305)
==17936==    by 0x4A9F6E4: gf_event_common (gf_event.c:352)
==17936==    by 0x4A9FC00: gf_event_chat_join (gf_event.c:572)
==17936==    by 0x8093609: gaim_signal_emit_vargs (in /usr/bin/pidgin)
==17936==    by 0x80936D1: gaim_signal_emit (in /usr/bin/pidgin)
==17936==    by 0x8078694: gaim_conv_chat_add_user (in /usr/bin/pidgin)
==17936==    by 0x4C14C5D: irc_msg_join (in /usr/lib/gaim/libirc.so)
==17936==    by 0x4C11363: irc_parse_msg (in /usr/lib/gaim/libirc.so)
==17936==    by 0x4C0F75C: (within /usr/lib/gaim/libirc.so)
==17936==  Address 0x38363823 is not stack'd, malloc'd or (recently) free'd
Pidgin has segfaulted and attempted to dump a core file.

It looks like both backtraces cover the same problem, even though they are from
different runs and the application crashed at different stages.

Let me know if you would like to have a look at the core file.
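The gdb and Valgrind output above both point at the same bogus pointer value, 0x38363823. Before treating a crash like this as a smashed stack, a quick first check is to look at the bytes that make up the bad pointer: on a little-endian i386 target 0x38363823 is the byte sequence 23 38 36 38, which is the printable text "#868", the kind of value you get when string data (an IRC channel name, for instance) ends up in a pointer argument, rather than the arbitrary value a stack overwrite usually leaves behind. The script below is an added triage example, not code from the report or from Pidgin or Guifications; it pulls the `<Address ... out of bounds>` and `Address ... is not stack'd` lines out of gdb/Valgrind text and decodes each value. The sample input is a constructed excerpt of the traces quoted above, and the 4-byte little-endian assumption is stated in a comment.

```python
import re
import struct

# Constructed excerpt of the gdb backtrace and Valgrind output quoted in the
# bug report above (not a live capture).
SAMPLE_TRACE = """\
#6  0x0085fe2f in gf_event_find_for_notification (
    type=0x38363823 <Address 0x38363823 out of bounds>) at gf_event.c:104
#10 0x00860c01 in gf_event_chat_join (conv=0x997b708, name=0x99777d8 "kentb",
    flags=115, new_arrival=0x87868d, data=0x38363823) at gf_event.c:572
==17936==  Address 0x38363823 is not stack'd, malloc'd or (recently) free'd
"""

# gdb marks pointers it cannot dereference; Valgrind names the faulting address.
GDB_BAD_PTR = re.compile(r"<Address (0x[0-9a-fA-F]+) out of bounds>")
VG_BAD_ADDR = re.compile(r"Address (0x[0-9a-fA-F]+) is not stack'd")


def extract_bad_addresses(text):
    """Return the distinct unreadable addresses mentioned in gdb/Valgrind output."""
    found = set()
    for pattern in (GDB_BAD_PTR, VG_BAD_ADDR):
        for match in pattern.finditer(text):
            found.add(int(match.group(1), 16))
    return sorted(found)


def decode_as_ascii(addr, width=4):
    """Interpret a pointer-sized value as the little-endian bytes it is made of.

    Returns the text if every byte is printable ASCII, otherwise None.
    Assumption: a 32-bit little-endian target (i386, as in this report);
    pass width=8 for an x86_64 core.
    """
    fmt = "<I" if width == 4 else "<Q"
    raw = struct.pack(fmt, addr)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def triage(text, width=4):
    """Map each bad address (as hex text) to its ASCII reading, or None."""
    return {hex(addr): decode_as_ascii(addr, width)
            for addr in extract_bad_addresses(text)}


if __name__ == "__main__":
    for addr, chars in triage(SAMPLE_TRACE).items():
        if chars is None:
            print(f"{addr}: not printable, treat as a genuinely corrupted pointer")
        else:
            print(f"{addr}: bytes spell {chars!r}, looks like string data "
                  f"passed where a pointer was expected")
```

Run on the excerpt it reports `0x38363823: bytes spell '#868'`. A printable reading is not proof on its own, but combined with Valgrind's "uninitialised value" warnings on the same argument it argues for a wrong or stale argument reaching the callback rather than a return address being overwritten, which is the distinction that matters when deciding whether a crash like this deserves a security triage.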

Comment 1 Stu Tomlinson 2007-08-09 13:16:41 UTC
This is crashing in guifications, not pidgin or gaim-irchelper. What version of
guifications are you using and where did you get it from? (I don't think it's
included in RHEL4 so maybe this bugzilla is not the best place for this report).

Comment 2 Michal Slonina 2007-08-09 13:51:45 UTC
I'm very sorry, I didn't notice it is not gaim related, as I'm not that familiar
with gaim.

The user I was troubleshooting had some external repo added from which he
pulled gaim-guifications-2.13-0.beta2.el4.rf.

I'm closing this bug, thanks for your expertise and sorry for bothering.

