Bug 2957

Summary: Double-free in account preferences
Product: Claws Mail (GTK 2)
Reporter: Michael Schwendt <mschwendt>
Component: UI
Assignee: users
Status: RESOLVED FIXED
Severity: normal
Priority: P3
Version: 3.9.2
Hardware: PC
OS: Linux
Attachments:
Description Flags
gdb.txt (2 traces) none

Description Michael Schwendt 2013-07-08 12:52:05 UTC
There has been a commit to fix this, but I don't think it's complete:

  http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=8cd3d8443dfd5ab9cfa0880ac76d3e78de7a0dd4

Steps to reproduce:

1. start Claws Mail
2. open menu "Configuration > Edit accounts..."
3. click "New"
4. cancel the dialog "Preferences for new account"
5. click "New" again
6. -> crash (if not, cancel the dialog, too)
Comment 1 kardan 2013-07-08 15:49:44 UTC
Created attachment 1282 [details]
gdb.txt (2 traces)

True, happens without any plugins loaded.

prefswindow.c:177:prefs window closed
prefs_account.c:3699:called inc_unlock (lock count 1)
prefs_account.c:3675:Opening account preferences window...
prefs_account.c:3677:called inc_lock (lock count 2)
==3639== Invalid free() / delete / delete[] / realloc()
==3639==    at 0x402A24C: free (vg_replace_malloc.c:446)
==3639==    by 0x4B8356A: standard_free (gmem.c:98)
==3639==    by 0x4B836DF: g_free (gmem.c:252)
==3639==    by 0x815A8D1: prefs_set_default (prefs_gtk.c:433)
==3639==    by 0x813D3AD: prefs_account_new (prefs_account.c:3440)
==3639==    by 0x813DEC4: prefs_account_open (prefs_account.c:3682)
==3639==    by 0x8082D79: account_add (account.c:413)
==3639==    by 0x4AF4A36: g_cclosure_marshal_VOID__VOIDv (gmarshal.c:115)
==3639==    by 0x4AF2F00: _g_closure_invoke_va (gclosure.c:840)
==3639==    by 0x4B0C6FD: g_signal_emit_valist (gsignal.c:3234)
==3639==    by 0x4B0D2B2: g_signal_emit (gsignal.c:3384)
==3639==    by 0x410FD49: gtk_button_clicked (gtkbutton.c:1128)
==3639==  Address 0x1053c758 is 0 bytes inside a block of size 1 free'd
==3639==    at 0x402A24C: free (vg_replace_malloc.c:446)
==3639==    by 0x4B8356A: standard_free (gmem.c:98)
==3639==    by 0x4B836DF: g_free (gmem.c:252)
==3639==    by 0x815B069: prefs_free (prefs_gtk.c:531)
==3639==    by 0x813DBC2: prefs_account_free (prefs_account.c:3607)
==3639==    by 0x813DF05: prefs_account_open (prefs_account.c:3704)
==3639==    by 0x8082D79: account_add (account.c:413)
==3639==    by 0x4AF49CE: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==3639==    by 0x4AF2C55: g_closure_invoke (gclosure.c:777)
==3639==    by 0x4B04ED6: signal_emit_unlocked_R (gsignal.c:3584)
==3639==    by 0x4B0D0DA: g_signal_emit_valist (gsignal.c:3328)
==3639==    by 0x4B0D2B2: g_signal_emit (gsignal.c:3384)

Also all dictionaries are loaded twice

gtkaspell.c:1590:Aspell: found dictionary de de
gtkaspell.c:1590:Aspell: found dictionary de_AT de_AT
gtkaspell.c:1590:Aspell: found dictionary de_CH de_CH
gtkaspell.c:1590:Aspell: found dictionary de_DE de_DE
gtkaspell.c:1590:Aspell: found dictionary en_US en_US
gtkaspell.c:1590:Aspell: found dictionary de de
gtkaspell.c:1590:Aspell: found dictionary de_AT de_AT
gtkaspell.c:1590:Aspell: found dictionary de_CH de_CH
gtkaspell.c:1590:Aspell: found dictionary de_DE de_DE
gtkaspell.c:1590:Aspell: found dictionary en_US en_US
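The valgrind report above pairs two free sites for one block: the first free runs from prefs_free() during prefs_account_free() when the dialog is cancelled, and the second from prefs_set_default() when "New" is clicked again, which means the preference slot still held the freed pointer in between. The following is an added example and not Claws Mail code; the struct and function names (AccountPrefs, PrefParam, replay, tracked_free) are constructed for illustration, and the "tracker" stands in for what valgrind does, so that the stale-pointer path is counted instead of actually corrupting the heap. It shows the ownership mistake side by side with the fix of clearing the slot after freeing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mini allocation tracker standing in for valgrind: records live blocks and
 * counts, rather than performs, a second free of an address it no longer
 * tracks. This is what valgrind prints as "Invalid free()". */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_free_reports;

static char *tracked_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) return NULL;
    memcpy(p, s, n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);                /* tracker full: treat as allocation failure */
    return NULL;
}

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_free_reports++;  /* address not live: a double free attempt */
}

/* One preference entry: the address of the variable that owns the value.
 * (Hypothetical shape; the real PrefParam in prefs_gtk.c is more general.) */
typedef struct {
    char **data;
} PrefParam;

typedef struct {
    char *name;             /* the account's "name" preference */
    PrefParam params[1];
} AccountPrefs;

static void account_prefs_init(AccountPrefs *a) {
    a->name = NULL;
    a->params[0].data = &a->name;
}

/* Buggy pattern: free the value but leave the slot pointing at freed memory. */
static void prefs_free_buggy(AccountPrefs *a) {
    tracked_free(*a->params[0].data);
}

/* Fixed pattern: clear the slot so a later reset cannot free it again. */
static void prefs_free_fixed(AccountPrefs *a) {
    tracked_free(*a->params[0].data);
    *a->params[0].data = NULL;
}

/* Reset to defaults: frees whatever the slot holds, then stores a fresh copy.
 * With a stale pointer in the slot this is the second free in the trace. */
static void prefs_set_default(AccountPrefs *a, const char *def) {
    tracked_free(*a->params[0].data);
    *a->params[0].data = tracked_strdup(def);
}

/* Replay the reporter's sequence: New (defaults), Cancel (free), New again
 * (defaults). Returns how many invalid frees the tracker caught. */
static int replay(int use_fix) {
    AccountPrefs a;
    double_free_reports = 0;
    memset(live, 0, sizeof live);
    account_prefs_init(&a);
    prefs_set_default(&a, "New account");                 /* click "New" */
    if (use_fix) prefs_free_fixed(&a); else prefs_free_buggy(&a); /* cancel */
    prefs_set_default(&a, "New account");                 /* click "New" again */
    prefs_free_fixed(&a);                                 /* clean up */
    return double_free_reports;
}

int main(void) {
    printf("buggy sequence: %d invalid free(s)\n", replay(0));
    printf("fixed sequence: %d invalid free(s)\n", replay(1));
    return 0;
}
```

The buggy replay reports one invalid free and the fixed replay none. The same two-site shape is what to look for in any "Invalid free()" report: the "free'd" stack shows who released the block first, and the top stack shows who still held a copy of the pointer afterwards; the fix belongs with whichever side left that copy behind.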
Comment 2 users 2013-07-08 18:08:04 UTC
Changes related to this bug have been committed.
Please check latest Git and update the bug accordingly.
You can also get the patch from:
http://git.claws-mail.org/

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=306bf2ef35f2d074d786a85bcf5454cfc5f4b2e1
Author: Paul <paul@claws-mail.org>
Date:   Mon Jul 8 17:05:09 2013 +0100

    fix bug 2957, 'Double-free in account preferences'
Comment 3 Paul 2013-07-09 10:20:31 UTC
@kardan: please try to keep these bug reports succinct and to the point. Everything necessary to reproduce the bug was given by Michael. There was no need to add an attachment or any further comments, it was easily reproducible. It was nothing to do with plugins, and the dictionaries are loaded twice because there are 2 options where a dictionary is selected.
Comment 4 kardan 2013-07-10 07:04:23 UTC
Thanks for the hint. If I add too much information, it is because I do not know whether it is important information. Like this valgrind trace after applying the patch.

1. create new account
2. cancel
3. new

prefswindow.c:711:0,000000
prefswindow.c:177:prefs window closed
prefs_account.c:3699:called inc_unlock (lock count 1)
prefs_account.c:3675:Opening account preferences window...
prefs_account.c:3677:called inc_lock (lock count 2)
==26498== Invalid free() / delete / delete[] / realloc()
==26498==    at 0x402A24C: free (vg_replace_malloc.c:446)
==26498==    by 0x4C1A56A: standard_free (gmem.c:98)
==26498==    by 0x4C1A6DF: g_free (gmem.c:252)
==26498==    by 0x8162C71: prefs_set_default (in /usr/bin/claws-mail)
==26498==    by 0x814621D: prefs_account_new (in /usr/bin/claws-mail)
==26498==    by 0x8146D2C: prefs_account_open (in /usr/bin/claws-mail)
==26498==    by 0x808D289: account_add (in /usr/bin/claws-mail)
==26498==    by 0x4B8AA36: g_cclosure_marshal_VOID__VOIDv (gmarshal.c:115)
==26498==    by 0x4B88F00: _g_closure_invoke_va (gclosure.c:840)
==26498==    by 0x4BA26FD: g_signal_emit_valist (gsignal.c:3234)
==26498==    by 0x4BA32B2: g_signal_emit (gsignal.c:3384)
==26498==    by 0x410FD49: gtk_button_clicked (gtkbutton.c:1128)
==26498==  Address 0x741cbd0 is 0 bytes inside a block of size 1 free'd
==26498==    at 0x402A24C: free (vg_replace_malloc.c:446)
==26498==    by 0x4C1A56A: standard_free (gmem.c:98)
==26498==    by 0x4C1A6DF: g_free (gmem.c:252)
==26498==    by 0x8163468: prefs_free (in /usr/bin/claws-mail)
==26498==    by 0x8146A32: prefs_account_free (in /usr/bin/claws-mail)
==26498==    by 0x8146D6D: prefs_account_open (in /usr/bin/claws-mail)
==26498==    by 0x808D289: account_add (in /usr/bin/claws-mail)
==26498==    by 0x4B8A9CE: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==26498==    by 0x4B88C55: g_closure_invoke (gclosure.c:777)
==26498==    by 0x410FD49: gtk_button_clicked (gtkbutton.c:1128)
==26498==  Address 0x741cbd0 is 0 bytes inside a block of size 1 free'd
==26498==    at 0x402A24C: free (vg_replace_malloc.c:446)
==26498==    by 0x4C1A56A: standard_free (gmem.c:98)
==26498==    by 0x4C1A6DF: g_free (gmem.c:252)
==26498==    by 0x8163468: prefs_free (in /usr/bin/claws-mail)
==26498==    by 0x8146A32: prefs_account_free (in /usr/bin/claws-mail)
==26498==    by 0x8146D6D: prefs_account_open (in /usr/bin/claws-mail)
==26498==    by 0x808D289: account_add (in /usr/bin/claws-mail)
==26498==    by 0x4B8A9CE: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==26498==    by 0x4B88C55: g_closure_invoke (gclosure.c:777)
==26498==    by 0x4B9AED6: signal_emit_unlocked_R (gsignal.c:3584)
==26498==    by 0x4BA30DA: g_signal_emit_valist (gsignal.c:3328)
==26498==    by 0x4BA32B2: g_signal_emit (gsignal.c:3384)
Comment 5 Michael Schwendt 2013-07-10 09:44:27 UTC
Is this with Paul's second commit or with just the first one? It seems to match the valgrind output you've attached in comment 1.

With the complete fix, I cannot reproduce the crashes anymore:
http://pkgs.fedoraproject.org/cgit/claws-mail.git/plain/claws-mail-3.9.2-account-double-free.patch?id=c90b105f83e34af9ff49779ab00b9fcfedc173c2
Comment 6 kardan 2013-07-11 22:17:01 UTC
With the 2nd. The bug is fixed; the mem error still happens.