! Please note that this is a snapshot of our old Bugzilla server, which is read only since May 29, 2020. Please go to gitlab.xfce.org for our new server !
[PATCH] libxfconf crashes when consecutive calls are made
Status:
RESOLVED: FIXED
Severity:
critical
Product:
Xfconf
Component:
Libxfconf

Comments

Description Stefan Berzl 2017-08-26 01:55:46 CEST
Created attachment 7299 
The counter for calls

When there are many calls made for a property, for example when it's bound to a slider
(like for panel height) and the slider is moved left and right rather fast, libxfconf crashes.
It might only happen when compiling libxfconf without optimizations and with -g, otherwise
the calls might be fast enough.

What happens is that xfconf_cache_set is invoked multiple times before
xfconf_cache_set_property_reply_handler, which I suppose is intended behavior.
The problem is that the first invocation of xfconf_cache_set_property_reply_handler
actually frees old_item and therefore the second invocation is likely to cause
undefined behavior or crash. What is needed is a counter and to only act on the
last invocation of the handler. I think the "!cache->pending_calls" was
intended to act like one, that's the impression I got from the comment at least,
but pending_calls is always set and doesn't do anything in the outlined situation.

The variant on the old_item needs to be freed so it doesn't leak.

Also SIG_PROPERTY_CHANGED hasn't been created as a detailed signal and calling
it as such causes a warning saying just that.

Lastly, xfconf_cache_set has a path where the mutex isn't unlocked, is that
intentional?
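
The race described in this report, modelled as an added example (not the attached patch and not libxfconf code): a per-item counter lets the reply handler release the saved old value only when the last outstanding reply arrives. `CacheItem`, `cache_set`, `cache_reply` and `slider_burst` are hypothetical names, and the rollback logic is a simplification.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a cached property; NOT libxfconf's real types. */
typedef struct {
    char *value;      /* optimistic value handed to readers */
    char *old_value;  /* last confirmed value, kept for rollback */
    int   pending;    /* set calls sent but not yet answered */
} CacheItem;

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p) strcpy(p, s);
    return p;
}

/* Queue an asynchronous set. Only the first call of a burst saves old_value. */
void cache_set(CacheItem *it, const char *new_value) {
    if (it->pending == 0)
        it->old_value = it->value;   /* ownership moves to old_value */
    else
        free(it->value);             /* intermediate value, never confirmed */
    it->value = dup_str(new_value);
    it->pending++;
}

/* Reply handler. Returns 1 if it acted (last reply), 0 if a newer call is
 * still in flight, -1 for a reply with no matching call. */
int cache_reply(CacheItem *it, int ok) {
    if (it->pending <= 0) return -1;
    if (--it->pending > 0) return 0; /* old_value must stay alive */
    if (ok) {
        free(it->old_value);         /* freed exactly once per burst */
    } else {
        free(it->value);             /* daemon refused: roll back */
        it->value = it->old_value;
    }
    it->old_value = NULL;            /* no dangling pointer left behind */
    return 1;
}

/* Constructed scenario: three sets before any reply, as with a fast slider.
 * Returns how many replies acted on old_value. */
int slider_burst(CacheItem *it) {
    int acted = 0;
    cache_set(it, "30"); cache_set(it, "36"); cache_set(it, "48");
    for (int i = 0; i < 3; i++) acted += cache_reply(it, 1) == 1;
    return acted;
}
```

Without the `pending` check, each of the three replies would free the same saved value, which is the double free the report describes.
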
Comment 1 Andre Miranda 2017-08-26 23:30:44 CEST
This issue also affects Thunar while resizing Detailed List columns, warnings are printed and Thunar crashes. With the proposed patch applied the problem is fixed.
Comment 2 Ali Abdallah 2017-08-29 16:19:05 CEST
The patch has been reviewed and applied to git. Also the path in xfconf_cache_set in which the mutex isn't unlocked has been fixed as well.

Bug #13825

Reported by:
Stefan Berzl
Reported on: 2017-08-26
Last modified on: 2017-08-29

People

Assignee:
Brian J. Tarricone (not reading bugmail)
CC List:
2 users

Version

Version:
GIT Master

Attachments

The counter for calls (2.97 KB, patch)
2017-08-26 01:55 CEST , Stefan Berzl
no flags
