#48807: S3_1 gtk4 heap-use-after-free

Open Date: 2023-10-05 19:17
Last Update: 2023-10-05 23:07
URL for this Ticket: https://osdn.net//projects/freeciv/ticket/48807
RSS feed for this Ticket: https://osdn.net/ticket/ticket_rss.php?group_id=12505&tid=48807

---------------------------------------------------------------------
Last Changes/Comment on this Ticket:

2023-10-05 23:07 Updated by: cazfi

 * Owner Update from (None) to cazfi
 * Resolution Update from None to Accepted
 * Milestone Update from (None) to 3.0.9
 * Component Update from Gtk4-client to Gtk3.22-client

Comment:
All gtk-clients in all branches affected - attached patch for S2_6 too.

---------------------------------------------------------------------
Ticket Status:

Reporter: mortmann
Owner: cazfi
Type: Bugs
Status: Open [Owner assigned]
Priority: 5 - Medium
MileStone: 3.0.9
Component: Gtk3.22-client
Severity: 5 - Medium
Resolution: Accepted

---------------------------------------------------------------------
Ticket details:

freeciv version: commit cafcd4dc3bb719103e30f80d65ff58c90efdebb9 (HEAD -> S3_1, upstream/S3_1)

==522926==ERROR: AddressSanitizer: heap-use-after-free on address 0x606001b82ea0 at pc 0x55b4e8caf048 bp 0x7ffd9391b0c0 sp 0x7ffd9391b0b0
READ of size 8 at 0x606001b82ea0 thread T0
    #0 0x55b4e8caf047 in gui_dialog_destroy_handler /home/michael/usr/src/freeciv/client/gui-gtk-4.0/gui_stuff.c:309
    #1 0x7fdca46336bf in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x146bf) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468)
    #2 0x7fdca4661a35 (/usr/lib/libgobject-2.0.so.0+0x42a35) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468)
    #3 0x7fdca4652a41 (/usr/lib/libgobject-2.0.so.0+0x33a41) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468)
    #4 0x7fdca4652c76 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x33c76) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468)
    #5 0x7fdca4652d33 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x33d33) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468)
    #6 0x7fdca406e458 (/usr/lib/libgtk-4.so.1+0x26e458) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2)
    #7 0x7fdca46417e2 in g_object_unref (/usr/lib/libgobject-2.0.so.0+0x227e2) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468)
    #8 0x7fdca407b722 (/usr/lib/libgtk-4.so.1+0x27b722) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2)
    #9 0x7fdca4062e70 (/usr/lib/libgtk-4.so.1+0x262e70) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2)
    #10 0x7fdca40655b8 (/usr/lib/libgtk-4.so.1+0x2655b8) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2)
    #11 0x7fdca4077573 (/usr/lib/libgtk-4.so.1+0x277573) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2)
    #12 0x7fdca4077573 (/usr/lib/libgtk-4.so.1+0x277573) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2)
    #13 0x7fdca4077573 (/usr/lib/libgtk-4.so.1+0x277573) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2)
    #14 0x7fdca3fa6d6c (/usr/lib/libgtk-4.so.1+0x1a6d6c) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2)
    #15 0x7fdca46336bf in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x146bf) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468)
    #16 0x7fdca46620e9 (/usr/lib/libgobject-2.0.so.0+0x430e9) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468)
    #17 0x7fdca4652a41 (/usr/lib/libgobject-2.0.so.0+0x33a41) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468)
    #18 0x7fdca4652c76 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x33c76) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468)
    #19 0x7fdca4652d33 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x33d33) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468)
    #20 0x7fdca3fa38c3 (/usr/lib/libgtk-4.so.1+0x1a38c3) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2)
    #21 0x55b4e8cafad4 in gui_dialog_destroy /home/michael/usr/src/freeciv/client/gui-gtk-4.0/gui_stuff.c:883
    #22 0x55b4e8c71a3d in diplomacy_main_destroy /home/michael/usr/src/freeciv/client/gui-gtk-4.0/diplodlg.c:632
    #23 0x55b4e8c71a3d in diplomacy_destroy /home/michael/usr/src/freeciv/client/gui-gtk-4.0/diplodlg.c:690
    #24 0x55b4e8c7665d in close_diplomacy_dialog /home/michael/usr/src/freeciv/client/gui-gtk-4.0/diplodlg.c:1232
    #25 0x55b4e8c7665d in handle_diplomacy_cancel_meeting /home/michael/usr/src/freeciv/client/gui-gtk-4.0/diplodlg.c:168
    #26 0x55b4e8b7e0b9 in client_handle_packet /home/michael/usr/src/freeciv/client/packhand_gen.c:242
    #27 0x55b4e8a79ab6 in client_packet_input /home/michael/usr/src/freeciv/client/client_main.c:792
    #28 0x55b4e8a90c40 in input_from_server /home/michael/usr/src/freeciv/client/clinet.c:420
    #29 0x55b4e8a6d6d5 in get_net_input /home/michael/usr/src/freeciv/client/gui-gtk-4.0/gui_main.c:2210
    #30 0x7fdca3b34f18 (/usr/lib/libglib-2.0.so.0+0x59f18) (BuildId: 83fcea20d7e17c3e243c56bbfa4d3743106f38f8)
    #31 0x7fdca3b932b6 (/usr/lib/libglib-2.0.so.0+0xb82b6) (BuildId: 83fcea20d7e17c3e243c56bbfa4d3743106f38f8)
    #32 0x7fdca3b33111 in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x58111) (BuildId: 83fcea20d7e17c3e243c56bbfa4d3743106f38f8)
    #33 0x7fdca3d06af5 in g_application_run (/usr/lib/libgio-2.0.so.0+0xdfaf5) (BuildId: c1d76a967ca95a1486c789b33f8338587ff9e394)
    #34 0x55b4e8a70431 in ui_main /home/michael/usr/src/freeciv/client/gui-gtk-4.0/gui_main.c:1860
    #35 0x55b4e8a7cb64 in client_main /home/michael/usr/src/freeciv/client/client_main.c:703
    #36 0x55b4e8a6feb9 in main /home/michael/usr/src/freeciv/client/gui-gtk-4.0/gui_main.c:1672
    #37 0x7fdca3245ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #38 0x7fdca3245d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #39 0x55b4e8a6d044 in _start (/home/michael/opt/freeciv-3.1-20231005/bin/freeciv-gtk4+0xa21044) (BuildId: ec3779dfe108f334e64fc47a65ec56f688d0c1f2)

0x606001b82ea0 is located 32 bytes inside of 64-byte region [0x606001b82e80,0x606001b82ec0)
freed by thread T0 here:
    #0 0x7fdca72dfdb2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x55b4e8c7188d in diplomacy_destroy /home/michael/usr/src/freeciv/client/gui-gtk-4.0/diplodlg.c:676

previously allocated by thread T0 here:
    #0 0x7fdca72e1359 in __interceptor_malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x55b4e9166ca0 in fc_real_malloc /home/michael/usr/src/freeciv/utility/mem.c:89
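The trace shows the ordering problem: diplomacy_destroy frees the dialog's state (diplodlg.c:676) and only then calls gui_dialog_destroy, whose "destroy" signal handler gui_dialog_destroy_handler reads through the freed region. The C model below is an added illustration of that ordering, not freeciv's own code; the struct layout, function names and sample values are hypothetical, and it places the buggy free-then-destroy sequence beside the destroy-then-free sequence that keeps the handler's read on live memory.

```c
#include <stdlib.h>
/* Reduced model of a GTK-style dialog whose "destroy" handler dereferences
 * the user-data pointer connected with it. All names here are hypothetical. */
typedef void (*destroy_cb)(void *user_data, int *sink);
struct dialog {
  destroy_cb on_destroy; /* handler connected to the "destroy" signal */
  void *user_data;       /* pointer handed to the handler */
};
struct meeting { int counterpart; }; /* per-dialog heap state (the freed region) */
/* Handler: reads through user_data, as gui_dialog_destroy_handler does. */
static void meeting_destroy_handler(void *user_data, int *sink)
{
  struct meeting *m = user_data;
  *sink = m->counterpart; /* this READ needs the region to still be live */
}

/* Emitting "destroy" runs the connected handler, then disconnects it. */
static void dialog_destroy(struct dialog *d, int *sink)
{
  if (d->on_destroy != NULL) d->on_destroy(d->user_data, sink);
  d->on_destroy = NULL;
}

/* Ordering from the trace: state freed first, dialog destroyed second, so the
 * handler reads freed memory. Kept only to show the bug; never call it. */
void close_meeting_buggy(struct dialog *d, struct meeting *m, int *sink)
{
  free(m);                 /* like the free() in diplomacy_destroy */
  dialog_destroy(d, sink); /* handler dereferences m: heap-use-after-free */
}

/* Fixed ordering: destroy the dialog while its state is live, then free. */
static int close_meeting_fixed(struct dialog *d, struct meeting *m)
{
  int seen = -1;
  dialog_destroy(d, &seen);
  d->user_data = NULL;     /* leave no dangling pointer behind */
  free(m);
  return seen;             /* what the handler observed; -1 if it never ran */
}

/* Constructed sample: build a dialog around fresh state and close it safely. */
int run_fixed_close(int counterpart)
{
  struct meeting *m = malloc(sizeof *m);
  struct dialog d = { meeting_destroy_handler, m };
  if (m == NULL) return -1;
  m->counterpart = counterpart;
  return close_meeting_fixed(&d, m);
}
```

Built with -fsanitize=address, the buggy sequence reports the same "heap-use-after-free ... freed by ... previously allocated by" triple as the ticket, while the fixed sequence runs clean.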