Bug 2957 - Double-free in account preferences
Summary: Double-free in account preferences
Status: RESOLVED FIXED
Alias: None
Product: Claws Mail
Classification: Unclassified
Component: UI
Version: 3.9.2
Hardware: PC Linux
Importance: P3 normal
Assignee: users
Reported: 2013-07-08 12:52 CEST by Michael Schwendt
Modified: 2013-07-11 22:17 CEST (History)

Attachments
gdb.txt (2 traces) (83.48 KB, application/octet-stream)
2013-07-08 15:49 CEST, kardan

Description Michael Schwendt 2013-07-08 12:52:05 CEST
There has been a commit to fix this, but I don't think it's complete:

  http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=8cd3d8443dfd5ab9cfa0880ac76d3e78de7a0dd4

Steps to reproduce:

1. start Claws Mail
2. open menu "Configuration > Edit accounts..."
3. click "New"
4. cancel the dialog "Preferences for new account"
5. click "New" again
6. -> crash (if not, cancel the dialog, too)
Comment 1 kardan 2013-07-08 15:49:44 CEST
Created attachment 1282 [details]
gdb.txt (2 traces)

True, happens without any plugins loaded.

prefswindow.c:177:prefs window closed
prefs_account.c:3699:called inc_unlock (lock count 1)
prefs_account.c:3675:Opening account preferences window...
prefs_account.c:3677:called inc_lock (lock count 2)
==3639== Invalid free() / delete / delete[] / realloc()
==3639==    at 0x402A24C: free (vg_replace_malloc.c:446)
==3639==    by 0x4B8356A: standard_free (gmem.c:98)
==3639==    by 0x4B836DF: g_free (gmem.c:252)
==3639==    by 0x815A8D1: prefs_set_default (prefs_gtk.c:433)
==3639==    by 0x813D3AD: prefs_account_new (prefs_account.c:3440)
==3639==    by 0x813DEC4: prefs_account_open (prefs_account.c:3682)
==3639==    by 0x8082D79: account_add (account.c:413)
==3639==    by 0x4AF4A36: g_cclosure_marshal_VOID__VOIDv (gmarshal.c:115)
==3639==    by 0x4AF2F00: _g_closure_invoke_va (gclosure.c:840)
==3639==    by 0x4B0C6FD: g_signal_emit_valist (gsignal.c:3234)
==3639==    by 0x4B0D2B2: g_signal_emit (gsignal.c:3384)
==3639==    by 0x410FD49: gtk_button_clicked (gtkbutton.c:1128)
==3639==  Address 0x1053c758 is 0 bytes inside a block of size 1 free'd
==3639==    at 0x402A24C: free (vg_replace_malloc.c:446)
==3639==    by 0x4B8356A: standard_free (gmem.c:98)
==3639==    by 0x4B836DF: g_free (gmem.c:252)
==3639==    by 0x815B069: prefs_free (prefs_gtk.c:531)
==3639==    by 0x813DBC2: prefs_account_free (prefs_account.c:3607)
==3639==    by 0x813DF05: prefs_account_open (prefs_account.c:3704)
==3639==    by 0x8082D79: account_add (account.c:413)
==3639==    by 0x4AF49CE: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==3639==    by 0x4AF2C55: g_closure_invoke (gclosure.c:777)
==3639==    by 0x4B04ED6: signal_emit_unlocked_R (gsignal.c:3584)
==3639==    by 0x4B0D0DA: g_signal_emit_valist (gsignal.c:3328)
==3639==    by 0x4B0D2B2: g_signal_emit (gsignal.c:3384)

Also all dictionaries are loaded twice

gtkaspell.c:1590:Aspell: found dictionary de de
gtkaspell.c:1590:Aspell: found dictionary de_AT de_AT
gtkaspell.c:1590:Aspell: found dictionary de_CH de_CH
gtkaspell.c:1590:Aspell: found dictionary de_DE de_DE
gtkaspell.c:1590:Aspell: found dictionary en_US en_US
gtkaspell.c:1590:Aspell: found dictionary de de
gtkaspell.c:1590:Aspell: found dictionary de_AT de_AT
gtkaspell.c:1590:Aspell: found dictionary de_CH de_CH
gtkaspell.c:1590:Aspell: found dictionary de_DE de_DE
gtkaspell.c:1590:Aspell: found dictionary en_US en_US
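The two stacks in the trace above (prefs_free releasing a 1-byte block when the dialog is cancelled, prefs_set_default freeing that same block again when "New" is clicked next) amount to a freed string pointer left dangling in a preferences structure that outlives the dialog. This added C example is not Claws Mail code: the names (struct account_prefs, set_default, prefs_free_buggy, prefs_free_fixed, tracked_free) are hypothetical, and the fix shown, resetting the field after freeing it, is an illustration of the pattern rather than the content of the commits linked in this bug.

```c
#include <stdlib.h>
#include <string.h>
/* Tiny stand-in for valgrind's invalid-free check: blocks come from
 * tracked_strdup, and a second free of the same block is counted
 * instead of being passed to free(), so the example runs without UB. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];
static int invalid_frees;

static char *tracked_strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    strcpy(p, s);
    for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; break; }
    return p;
}

static void tracked_free(void *p) {           /* like g_free: NULL is a no-op */
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == p) { live[i] = NULL; free(p); return; }
    invalid_frees++;                          /* already freed: double free */
}

/* Hypothetical prefs struct with one string parameter; the default ""
 * is a 1-byte block, the size the trace reports. */
struct account_prefs { char *signature; };
/* Analogue of prefs_set_default: drop the current value, install the default. */
static void set_default(struct account_prefs *p) {
    tracked_free(p->signature);
    p->signature = tracked_strdup("");
}
/* Buggy analogue of prefs_free: releases the string, leaves the pointer dangling. */
static void prefs_free_buggy(struct account_prefs *p) { tracked_free(p->signature); }
/* Fixed: reset the field so the next set_default frees NULL, a no-op. */
static void prefs_free_fixed(struct account_prefs *p) {
    tracked_free(p->signature); p->signature = NULL;
}

/* Steps 3-5 of the report (New, Cancel, New) on a prefs struct that outlives
 * the dialog (assumption). Returns the number of invalid frees detected. */
static int run_scenario(void (*prefs_free)(struct account_prefs *)) {
    struct account_prefs prefs = { NULL };
    invalid_frees = 0;
    set_default(&prefs);        /* New: allocate the default */
    prefs_free(&prefs);         /* Cancel: release it */
    set_default(&prefs);        /* New again: frees the stale pointer if it dangles */
    int n = invalid_frees;
    prefs_free_fixed(&prefs);   /* tidy up so live[] is empty for the next run */
    return n;
}
```

run_scenario(prefs_free_buggy) reports one invalid free, the same "Invalid free()" valgrind flags above, while run_scenario(prefs_free_fixed) reports none.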
Comment 2 users 2013-07-08 18:08:04 CEST
Changes related to this bug have been committed.
Please check latest Git and update the bug accordingly.
You can also get the patch from:
http://git.claws-mail.org/

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=306bf2ef35f2d074d786a85bcf5454cfc5f4b2e1
Author: Paul <paul@claws-mail.org>
Date:   Mon Jul 8 17:05:09 2013 +0100

    fix bug 2957, 'Double-free in account preferences'
Comment 3 Paul 2013-07-09 10:20:31 CEST
@kardan: please try to keep these bug reports succinct and to the point. Everything necessary to reproduce the bug was given by Michael. There was no need to add an attachment or any further comments, it was easily reproducible. It was nothing to do with plugins, and the dictionaries are loaded twice because there are 2 options where a dictionary is selected.
Comment 4 kardan 2013-07-10 07:04:23 CEST
Thanks for the hint. If I add too much information, this is because I do not know if this is important information. Like this valgrind trace after applying the patch.

1. create new account
2. cancel
3. new

prefswindow.c:711:0,000000
prefswindow.c:177:prefs window closed
prefs_account.c:3699:called inc_unlock (lock count 1)
prefs_account.c:3675:Opening account preferences window...
prefs_account.c:3677:called inc_lock (lock count 2)
==26498== Invalid free() / delete / delete[] / realloc()
==26498==    at 0x402A24C: free (vg_replace_malloc.c:446)
==26498==    by 0x4C1A56A: standard_free (gmem.c:98)
==26498==    by 0x4C1A6DF: g_free (gmem.c:252)
==26498==    by 0x8162C71: prefs_set_default (in /usr/bin/claws-mail)
==26498==    by 0x814621D: prefs_account_new (in /usr/bin/claws-mail)
==26498==    by 0x8146D2C: prefs_account_open (in /usr/bin/claws-mail)
==26498==    by 0x808D289: account_add (in /usr/bin/claws-mail)
==26498==    by 0x4B8AA36: g_cclosure_marshal_VOID__VOIDv (gmarshal.c:115)
==26498==    by 0x4B88F00: _g_closure_invoke_va (gclosure.c:840)
==26498==    by 0x4BA26FD: g_signal_emit_valist (gsignal.c:3234)
==26498==    by 0x4BA32B2: g_signal_emit (gsignal.c:3384)
==26498==    by 0x410FD49: gtk_button_clicked (gtkbutton.c:1128)
==26498==  Address 0x741cbd0 is 0 bytes inside a block of size 1 free'd
==26498==    at 0x402A24C: free (vg_replace_malloc.c:446)
==26498==    by 0x4C1A56A: standard_free (gmem.c:98)
==26498==    by 0x4C1A6DF: g_free (gmem.c:252)
==26498==    by 0x8163468: prefs_free (in /usr/bin/claws-mail)
==26498==    by 0x8146A32: prefs_account_free (in /usr/bin/claws-mail)
==26498==    by 0x8146D6D: prefs_account_open (in /usr/bin/claws-mail)
==26498==    by 0x808D289: account_add (in /usr/bin/claws-mail)
==26498==    by 0x4B8A9CE: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==26498==    by 0x4B88C55: g_closure_invoke (gclosure.c:777)
==26498==    by 0x410FD49: gtk_button_clicked (gtkbutton.c:1128)
==26498==  Address 0x741cbd0 is 0 bytes inside a block of size 1 free'd
==26498==    at 0x402A24C: free (vg_replace_malloc.c:446)
==26498==    by 0x4C1A56A: standard_free (gmem.c:98)
==26498==    by 0x4C1A6DF: g_free (gmem.c:252)
==26498==    by 0x8163468: prefs_free (in /usr/bin/claws-mail)
==26498==    by 0x8146A32: prefs_account_free (in /usr/bin/claws-mail)
==26498==    by 0x8146D6D: prefs_account_open (in /usr/bin/claws-mail)
==26498==    by 0x808D289: account_add (in /usr/bin/claws-mail)
==26498==    by 0x4B8A9CE: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==26498==    by 0x4B88C55: g_closure_invoke (gclosure.c:777)
==26498==    by 0x4B9AED6: signal_emit_unlocked_R (gsignal.c:3584)
==26498==    by 0x4BA30DA: g_signal_emit_valist (gsignal.c:3328)
==26498==    by 0x4BA32B2: g_signal_emit (gsignal.c:3384)
Comment 5 Michael Schwendt 2013-07-10 09:44:27 CEST
Is this with Paul's second commit or with just the first one? It seems to match the valgrind output you've attached in comment 1.

With the complete fix, I cannot reproduce the crashes anymore:
http://pkgs.fedoraproject.org/cgit/claws-mail.git/plain/claws-mail-3.9.2-account-double-free.patch?id=c90b105f83e34af9ff49779ab00b9fcfedc173c2
Comment 6 kardan 2013-07-11 22:17:01 CEST
With the 2nd. The bug is fixed, the mem error still happens.