! Please note that this is a snapshot of our old Bugzilla server, which is read only since May 29, 2020. Please go to gitlab.xfce.org for our new server !
cpugraph plugin crashes when constructing properties dialog
Status:
RESOLVED: FIXED
Product:
Xfce4-cpugraph-plugin
Component:
General

Comments

Description Guido Berhoerster 2011-02-07 00:23:32 CET
The cpugraph plugin crashes when constructing the properties dialog. This happens with xfce4-panel 4.8.1, libxfcegui4 4.8.0 and libxfce4util 4.8.1.

Backtrace:

#0  0xffffe424 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb6c8f8bf in raise () from /lib/libc.so.6
No symbol table info available.
#2  0xb6c91200 in abort () from /lib/libc.so.6
No symbol table info available.
#3  0xb6ccbdb7 in __libc_message () from /lib/libc.so.6
No symbol table info available.
#4  0xb6cd1ddb in malloc_printerr () from /lib/libc.so.6
No symbol table info available.
#5  0xb6cd6929 in free () from /lib/libc.so.6
No symbol table info available.
#6  0xb6e4c696 in g_free (mem=0x82dfa28) at gmem.c:263
No locals.
#7  0x0804e79e in setup_tracked_core_option (vbox=0x80b01c8, sg=0x80d8180, base=0x80ae968) at properties.c:216
        nb_items = 2
        items = 0xbfa71950
        i = <value optimized out>
#8  0x0804eff5 in create_options (plugin=0x80823b0, base=0x80ae968) at properties.c:94
        dlg = 0x81c9888
        vbox = 0x80b01c8
        vbox2 = <value optimized out>
        label = <value optimized out>
        sg = 0x80d8180
        Notebook = <value optimized out>
#9  0xb6f3548c in g_cclosure_marshal_VOID__VOID (closure=0x80b8be8, return_value=0x0, n_param_values=1, param_values=0x810ab48, invocation_hint=0xbfa71b70, marshal_data=0x0) at gmarshal.c:79
        callback = 0x804ee30 <create_options>
        cc = 0x80b8be8
        data1 = 0x80823b0
        data2 = <value optimized out>
        __PRETTY_FUNCTION__ = "g_cclosure_marshal_VOID__VOID"
#10 0xb6f179e4 in g_closure_invoke (closure=0x80b8be8, return_value=0x0, n_param_values=1, param_values=0x810ab48, invocation_hint=0xbfa71b70) at gclosure.c:767
        marshal = 0xb6f35400 <g_cclosure_marshal_VOID__VOID>
        marshal_data = 0x0
        in_marshal = 134928128
        __PRETTY_FUNCTION__ = "g_closure_invoke"
#11 0xb6f2b674 in signal_emit_unlocked_R (node=<value optimized out>, detail=0, instance=0x80823b0, emission_return=0x0, instance_and_params=0x810ab48) at gsignal.c:3252
        tmp = <value optimized out>
        handler = 0x8092d60
        accumulator = 0x0
        emission = {next = 0xbfa71e78, instance = 0x80823b0, ihint = {signal_id = 94, detail = 0, run_type = G_SIGNAL_RUN_FIRST}, state = EMISSION_RUN, chain_type = 4}
        class_closure = 0x8091f28
        handler_list = 0x8092d60
        return_accu = 0x0
        accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, 
              v_pointer = 0x0}}}
        signal_id = 94
        max_sequential_handler_number = 81
        return_value_altered = 0
#12 0xb6f34a9f in g_signal_emit_valist (instance=0x80823b0, signal_id=94, detail=0, var_args=0xbfa71d1c "\234\060\364\266\300\253\020\b\340\211\v\b\364\357߶ ") at gsignal.c:2983
        instance_and_params = 0x810ab48
        signal_return_type = 4
        param_values = 0x810ab5c
        node = 0x8091f70
        i = <value optimized out>
        n_params = 0
        __PRETTY_FUNCTION__ = "g_signal_emit_valist"
#13 0xb6f34c33 in g_signal_emit (instance=0x80823b0, signal_id=94, detail=0) at gsignal.c:3040
        var_args = 0xbfa71d1c "\234\060\364\266\300\253\020\b\340\211\v\b\364\357߶ "
#14 0xb6df49c8 in xfce_panel_plugin_show_configure (provider=0x80823b0) at xfce-panel-plugin.c:1315
        plugin = 0x80823b0
        __PRETTY_FUNCTION__ = "xfce_panel_plugin_show_configure"
#15 0xb6f3548c in g_cclosure_marshal_VOID__VOID (closure=0x80c4ec8, return_value=0x0, n_param_values=1, param_values=0x810abc0, invocation_hint=0xbfa71e80, marshal_data=0x0) at gmarshal.c:79
        callback = 0xb6df48e0 <xfce_panel_plugin_show_configure>
        cc = 0x80c4ec8
        data1 = 0x80823b0
        data2 = <value optimized out>
        __PRETTY_FUNCTION__ = "g_cclosure_marshal_VOID__VOID"
#16 0xb6f179e4 in g_closure_invoke (closure=0x80c4ec8, return_value=0x0, n_param_values=1, param_values=0x810abc0, invocation_hint=0xbfa71e80) at gclosure.c:767
        marshal = 0xb6f35400 <g_cclosure_marshal_VOID__VOID>
        marshal_data = 0x0
        in_marshal = 0
        __PRETTY_FUNCTION__ = "g_closure_invoke"
#17 0xb6f2b674 in signal_emit_unlocked_R (node=<value optimized out>, detail=0, instance=0x80c9018, emission_return=0x0, instance_and_params=0x810abc0) at gsignal.c:3252
        tmp = <value optimized out>
        handler = 0x80b9380
        accumulator = 0x0
        emission = {next = 0xbfa722b8, instance = 0x80c9018, ihint = {signal_id = 120, detail = 0, run_type = G_SIGNAL_RUN_FIRST}, state = EMISSION_RUN, chain_type = 4}
        class_closure = 0x80c4cc0
        handler_list = 0x80b9380
        return_accu = 0x0
        accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, 
              v_pointer = 0x0}}}
        signal_id = 120
        max_sequential_handler_number = 81
        return_value_altered = 1
#18 0xb6f34a9f in g_signal_emit_valist (instance=0x80c9018, signal_id=120, detail=0, var_args=0xbfa7202c "\306b8\267") at gsignal.c:2983
        instance_and_params = 0x810abc0
        signal_return_type = 4
        param_values = 0x810abd4
        node = 0x80c4d10
        i = <value optimized out>
        n_params = 0
        __PRETTY_FUNCTION__ = "g_signal_emit_valist"
#19 0xb6f34c33 in g_signal_emit (instance=0x80c9018, signal_id=120, detail=0) at gsignal.c:3040
        var_args = 0xbfa7202c "\306b8\267"
#20 0xb766d275 in IA__gtk_widget_activate (widget=0x80c9018) at gtkwidget.c:5008
        __PRETTY_FUNCTION__ = "IA__gtk_widget_activate"
#21 0xb754e811 in IA__gtk_menu_shell_activate_item (menu_shell=0x80c6090, menu_item=0x80c9018, force_deactivate=1) at gtkmenushell.c:1256
        slist = <value optimized out>
        shells = 0x810a420
        deactivate = <value optimized out>
        __PRETTY_FUNCTION__ = "IA__gtk_menu_shell_activate_item"
#22 0xb754ebea in gtk_menu_shell_button_release (widget=0x80c6090, event=0x81dec68) at gtkmenushell.c:683
        submenu = 0x0
        menu_item = 0x80c9018
        deactivate = 1
        menu_shell = 0x80c6090
        priv = 0x80c6140
#23 0xb7543238 in gtk_menu_button_release (widget=0x80c6090, event=0x81dec68) at gtkmenu.c:3011
        priv = <value optimized out>
#24 0xb7539d84 in _gtk_marshal_BOOLEAN__BOXED (closure=0x8084850, return_value=0xbfa722d4, n_param_values=2, param_values=0x80c8278, invocation_hint=0xbfa722c0, marshal_data=0xb7543180) at gtkmarshalers.c:86
        callback = 0xb7543180 <gtk_menu_button_release>
        cc = 0x8084850
        data1 = <value optimized out>
        data2 = <value optimized out>
        v_return = <value optimized out>
        __PRETTY_FUNCTION__ = "_gtk_marshal_BOOLEAN__BOXED"
#25 0xb6f1627d in g_type_class_meta_marshal (closure=0x8084850, return_value=0xbfa722d4, n_param_values=2, param_values=0x80c8278, invocation_hint=0xbfa722c0, marshal_data=0xb4) at gclosure.c:878
        class = <value optimized out>
        callback = <value optimized out>
        offset = 180
#26 0xb6f179e4 in g_closure_invoke (closure=0x8084850, return_value=0xbfa722d4, n_param_values=2, param_values=0x80c8278, invocation_hint=0xbfa722c0) at gclosure.c:767
        marshal = 0xb6f16220 <g_type_class_meta_marshal>
        marshal_data = 0xb4
        in_marshal = 134593280
        __PRETTY_FUNCTION__ = "g_closure_invoke"
#27 0xb6f2b467 in signal_emit_unlocked_R (node=<value optimized out>, detail=0, instance=0x80c6090, emission_return=0xbfa7240c, instance_and_params=0x80c8278) at gsignal.c:3290
        accumulator = 0x80848a8
        emission = {next = 0x0, instance = 0x80c6090, ihint = {signal_id = 34, detail = 0, run_type = G_SIGNAL_RUN_LAST}, state = EMISSION_RUN, chain_type = 134834000}
        class_closure = 0x8084850
        handler_list = 0x0
        return_accu = 0xbfa722d4
        accu = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, 
              v_pointer = 0x0}}}
        signal_id = 34
        max_sequential_handler_number = 81
        return_value_altered = 0
#28 0xb6f3493a in g_signal_emit_valist (instance=0x80c6090, signal_id=34, detail=0, var_args=0xbfa72470 "\234$\247\277\330\033\b\b\230$\247\277\364\017\206\267\364\017\206\267\220`\f\b") at gsignal.c:2993
        return_value = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, 
              v_pointer = 0x0}}}
        error = 0x0
        rtype = <value optimized out>
        static_scope = 0
        instance_and_params = 0x80c8278
        signal_return_type = 20
        param_values = 0x80c828c
        node = 0x8084960
        i = <value optimized out>
        n_params = 1
        __PRETTY_FUNCTION__ = "g_signal_emit_valist"
#29 0xb6f34c33 in g_signal_emit (instance=0x80c6090, signal_id=34, detail=0) at gsignal.c:3040
        var_args = 0xbfa7246c "h\354\035\b\234$\247\277\330\033\b\b\230$\247\277\364\017\206\267\364\017\206\267\220`\f\b"
#30 0xb766e316 in gtk_widget_event_internal (widget=0x80c6090, event=0x81dec68) at gtkwidget.c:4977
        signal_num = <value optimized out>
        return_val = 0
#31 0xb7537f0d in IA__gtk_propagate_event (widget=0x80c6090, event=0x81dec68) at gtkmain.c:2460
        tmp = <value optimized out>
        handled_event = <value optimized out>
        __PRETTY_FUNCTION__ = "IA__gtk_propagate_event"
#32 0xb753830f in IA__gtk_main_do_event (event=<value optimized out>) at gtkmain.c:1665
        event_widget = 0x80c9018
        grab_widget = 0x80c9018
        window_group = 0x8092330
        rewritten_event = <value optimized out>
        tmp_list = <value optimized out>
        __PRETTY_FUNCTION__ = "IA__gtk_main_do_event"
#33 0xb739378a in gdk_event_dispatch (source=0x8081310, callback=0, user_data=0x0) at gdkevents-x11.c:2377
        display = <value optimized out>
        event = 0x81dec68
#34 0xb6e45589 in g_main_dispatch (context=0x80803a0) at gmain.c:2440
        dispatch = 0xb7393730 <gdk_event_dispatch>
        was_in_call = 0
        user_data = 0x0
        callback = 0
        cb_funcs = 0x0
        cb_data = 0x0
        current_source_link = {data = 0x8081310, next = 0x0}
        need_destroy = <value optimized out>
        source = 0x8081310
        current = 0x80b0528
        i = <value optimized out>
#35 g_main_context_dispatch (context=0x80803a0) at gmain.c:3013
No locals.
#36 0xb6e45d90 in g_main_context_iterate (context=0x80803a0, block=1, dispatch=1, self=0x8058f90) at gmain.c:3091
        max_priority = 2147483647
        timeout = 96
        some_ready = 1
        nfds = <value optimized out>
        allocated_nfds = <value optimized out>
        fds = <value optimized out>
        __PRETTY_FUNCTION__ = "g_main_context_iterate"
#37 0xb6e4646f in g_main_loop_run (loop=0x80b8118) at gmain.c:3299
        self = 0x8058f90
        __PRETTY_FUNCTION__ = "g_main_loop_run"
#38 0xb7536fd9 in IA__gtk_main () at gtkmain.c:1237
        tmp_list = <value optimized out>
        functions = 0x0
        init = <value optimized out>
        loop = 0x80b8118
#39 0x0804dca7 in main (argc=8, argv=0xbfa72804) at cpu.c:53
        plug = 0x808a828
        screen = <value optimized out>
        xpp = 0x80823b0
        unique_id = 6
        socket_id = <value optimized out>
        colormap = <value optimized out>
        value = <value optimized out>
        base_name = <value optimized out>
Comment 1 Guido Berhoerster 2011-02-09 13:44:23 CET
Created attachment 3467 
fix for buffer overflow

The problem is a buffer overflow due to the incorrect usage of g_snprintf in this construct:

items[i] = g_malloc( g_snprintf( NULL, 0, "%u", i ) );
g_sprintf( items[i], "%u", i );

g_snprintf, just like snprintf, returns the number of bytes excluding the terminating null byte, so the g_sprintf then overflows the allocated buffer. glib provides g_strdup_printf () to prevent these kinds of errors; the attached patch fixes it.
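The off-by-one described in this comment, shown as an added example that is neither the plugin's code nor the attached patch: it uses libc snprintf/sprintf in place of g_snprintf/g_sprintf (same return-value contract, so it builds without GLib), computes how far the original allocation falls short, and shows a sized-plus-one formatter building the same per-core item list. All function names here (buggy_alloc_size, format_core_index, build_core_items, ...) are assumptions of this example. The one-byte overwrite of heap metadata is what glibc's consistency check reports later in frames #4 to #6 above, when g_free releases the chunk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the plugin's code. snprintf(NULL, 0, ...) returns the
 * number of characters that WOULD be written, EXCLUDING the terminating NUL. */

/* Bytes the buggy construct `g_malloc(g_snprintf(NULL, 0, "%u", i))` allocates. */
size_t buggy_alloc_size(unsigned i)
{
    return (size_t)snprintf(NULL, 0, "%u", i);
}

/* Bytes that sprintf really writes for the same value: digits plus the NUL. */
size_t sprintf_writes(unsigned i)
{
    return (size_t)snprintf(NULL, 0, "%u", i) + 1;
}

/* How far past the end of the buffer the original code writes: always one byte,
 * which lands in the neighbouring heap chunk's metadata and is caught on free(). */
size_t overflow_bytes(unsigned i)
{
    return sprintf_writes(i) - buggy_alloc_size(i);
}

/* Fixed formatter: size the buffer with the +1, then write with a bounded
 * snprintf so the allocation size and the write cannot drift apart again.
 * (g_strdup_printf, which the patch uses, does this internally.) */
char *format_core_index(unsigned i)
{
    int len = snprintf(NULL, 0, "%u", i);
    if (len < 0)
        return NULL;
    size_t size = (size_t)len + 1;           /* room for the NUL */
    char *s = malloc(size);
    if (s == NULL)
        return NULL;
    if (snprintf(s, size, "%u", i) != len) { /* defensive: bounded write must match */
        free(s);
        return NULL;
    }
    return s;
}

/* Frees a NULL-terminated list produced by build_core_items. */
void free_core_items(char **items)
{
    if (items == NULL)
        return;
    for (size_t i = 0; items[i] != NULL; i++)
        free(items[i]);
    free(items);
}

/* Builds the NULL-terminated list of core labels "0", "1", ... for nb_items
 * cores, the way the properties dialog's combo box needs them. */
char **build_core_items(unsigned nb_items)
{
    char **items = calloc((size_t)nb_items + 1, sizeof *items);
    if (items == NULL)
        return NULL;
    for (unsigned i = 0; i < nb_items; i++) {
        items[i] = format_core_index(i);
        if (items[i] == NULL) {
            free_core_items(items);
            return NULL;
        }
    }
    return items;
}

/* Self-check: every item equals the decimal form of its index and the list is
 * NULL-terminated. Returns 1 on success, 0 otherwise. */
int core_items_ok(unsigned nb_items)
{
    char **items = build_core_items(nb_items);
    if (items == NULL)
        return 0;
    int ok = 1;
    for (unsigned i = 0; i < nb_items && ok; i++) {
        char expected[16];
        snprintf(expected, sizeof expected, "%u", i);
        ok = strcmp(items[i], expected) == 0;
    }
    ok = ok && items[nb_items] == NULL;
    free_core_items(items);
    return ok;
}

int main(void)
{
    for (unsigned i = 0; i <= 10; i += 5)
        printf("i=%u: buggy alloc %zu bytes, sprintf writes %zu, overflow %zu\n",
               i, buggy_alloc_size(i), sprintf_writes(i), overflow_bytes(i));
    printf("fixed list of 2 items ok: %d\n", core_items_ok(2));
    return 0;
}
```

The overflow is exactly one byte regardless of the value formatted, which is why the crash shows up not at the write but later, in free(), once glibc's heap checker sees the clobbered chunk header.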

Bug #7247

Reported by:
Guido Berhoerster
Reported on: 2011-02-07
Last modified on: 2012-04-18

People

Assignee:
Landry Breuil
CC List:
1 user

Attachments

fix for buffer overflow (735 bytes, patch)
2011-02-09 13:44 CET , Guido Berhoerster
no flags