[gsettings] Invalid write of size 4 in readOption
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Compiz | Fix Released | High | Sam Spilsbury |
compiz (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
==9194== Invalid write of size 4
==9194== at 0x4BE98E5: ??? (in /lib/i386-
==9194== by 0x4BEA6CA: g_variant_iter_loop (in /lib/i386-
==9194== by 0x4086C66: readOption (gsettings.c:336)
==9194== by 0x4086FB9: readSetting (gsettings.c:1077)
==9194== by 0x405BCB4: ccsReadPluginSe
==9194== by 0x4059D40: ccsReadPluginSe
==9194== by 0x404DB32: ccsLoadPluginSe
==9194== by 0x40570B6: ccsGetPluginSet
==9194== by 0x40BB4D2: (below main) (libc-start.c:226)
==9194== Address 0x63cac68 is 0 bytes after a block of size 0 alloc'd
==9194== at 0x402CE68: malloc (in /usr/lib/
==9194== by 0x4086C38: readOption (gsettings.c:328)
==9194== by 0x4086FB9: readSetting (gsettings.c:1077)
==9194== by 0x405BCB4: ccsReadPluginSe
==9194== by 0x4059D40: ccsReadPluginSe
==9194== by 0x404DB32: ccsLoadPluginSe
==9194== by 0x40570B6: ccsGetPluginSet
==9194== by 0x40BB4D2: (below main) (libc-start.c:226)
==9194==
Offending code:
Bool *array = malloc (nItems * sizeof (Bool));
Bool *arrayCounter = array;
if (!array)
break;
/* Reads each item from the variant into the position pointed
* at by arrayCounter */
while (g_variant_
*arrayCounter++;
list = ccsGetValueList
free (array);
It isn't valid to read directly into arrayCounter, as it's assumed to be initialized memory in use by the iter, and will be freed.
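The pattern the fix needs is the same whatever the iterator is: read each item into a local variable, bounds-check against the size that was actually allocated before storing, and never hand the iterator a pointer into the heap block. The example below is added here and is not Compiz's code; the `ToyIter` iterator is a stand-in for `g_variant_iter_loop` (assumed shape, not GLib's API), and `Bool` is assumed to be a 4-byte int as the "write of size 4" suggests. It also covers the case the valgrind trace shows, a zero-length allocation that is then written to, and the case where the iterator yields more items than `nItems` advertised.

```c
#include <stdio.h>
#include <stdlib.h>

typedef int Bool;  /* assumption: 4-byte Bool, matching the "Invalid write of size 4" */

/* Stand-in for a GVariant array iterator (assumption: not GLib's real API). */
typedef struct {
    const Bool *items;
    size_t n_items;
    size_t pos;
} ToyIter;

/* Mimics the shape of g_variant_iter_loop for one "b" item: stores the next
 * value through `out` and returns 1 while items remain, 0 when exhausted. */
static int toy_iter_loop(ToyIter *iter, Bool *out)
{
    if (iter->pos >= iter->n_items)
        return 0;
    *out = iter->items[iter->pos++];
    return 1;
}

/* Hardened form of the loop in the report. The iterator only ever writes
 * into the local `value`; each store into the heap array is bounds-checked
 * against nItems, and nItems == 0 allocates nothing (malloc(0) may return a
 * non-NULL pointer that is still invalid to write through).
 * Returns the number of items stored, or -1 on allocation failure.
 * On success *out is the array (caller frees); it is NULL when count is 0. */
static long read_bool_array(ToyIter *iter, size_t nItems, Bool **out)
{
    *out = NULL;
    if (nItems == 0)
        return 0;

    Bool *array = calloc(nItems, sizeof(Bool));
    if (!array)
        return -1;

    Bool value = 0;
    size_t count = 0;
    while (toy_iter_loop(iter, &value)) {
        if (count >= nItems)   /* more items than advertised: stop, don't overflow */
            break;
        array[count++] = value;
    }
    *out = array;
    return (long)count;
}

/* Constructed scenario: iterator holds 3 items but only 2 were announced. */
static long demo_overlong_iterator(void)
{
    static const Bool vals[3] = {1, 0, 1};
    ToyIter it = { vals, 3, 0 };
    Bool *out = NULL;
    long n = read_bool_array(&it, 2, &out);
    free(out);
    return n;   /* 2: the third item is dropped instead of written past the block */
}

/* Constructed scenario: the zero-item case from the valgrind trace. */
static long demo_empty(void)
{
    ToyIter it = { NULL, 0, 0 };
    Bool *out = NULL;
    long n = read_bool_array(&it, 0, &out);
    free(out);  /* out is NULL here; free(NULL) is a no-op */
    return n;   /* 0, with no allocation and no write */
}

int main(void)
{
    printf("overlong iterator stored %ld items\n", demo_overlong_iterator());
    printf("empty array stored %ld items\n", demo_empty());
    return 0;
}
```

The important design choice is that the iterator never sees the heap pointer at all, so however the iterator treats the memory it is handed (including freeing or reinitialising it between iterations), the array the caller allocated is only written by the bounds-checked store.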
Related branches
- Daniel van Vugt: Approve
- Diff: 497 lines (+120/-96), 1 file modified: compizconfig/gsettings/src/gsettings.c (+120/-96)
Changed in compiz:
- status: New → In Progress
- importance: Undecided → Medium
- assignee: nobody → Sam Spilsbury (smspillaz)
- milestone: none → 0.9.8.0
- tags: added: gsettings

Changed in compiz:
- importance: Medium → High

Changed in compiz:
- status: Fix Committed → Fix Released
Fix committed into lp:compiz at revision 3267