| Summary: | metacity segfaults in oxygen theme (gtk2) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Thierry Vignaud <thierry.vignaud> |
| Component: | RPM Packages | Assignee: | Juan Luis Baptiste <juan.baptiste> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | hugo.pereira, olav |
| Version: | Cauldron | Keywords: | PATCH, UPSTREAM |
| Target Milestone: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | oxygen-gtk-1.2.0-2.mga2.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: |
GDB trace
patch (for testing)
GDB trace with path applied
another patch
GDB trace
v3
GDB trace |
||
|
Description
Thierry Vignaud
2012-02-04 19:05:32 CET
Thierry Vignaud
2012-02-04 19:05:58 CET
CC: (none) => hugo
Created attachment 1492
GDB trace
As you see Oxygen::QtSettings::loadKdeIcons() calls (through std::string template) strlen on a pointer that is in the first page (the NULL page) and thus segfaults
Thierry Vignaud
2012-02-04 19:08:08 CET
Severity: normal => major
BTW you might want to look at https://bugs.mageia.org/buglist.cgi?cmdtype=runnamed&namedcmd=oxygen (also available from bugzilla>preferences>Saved Searches)
The guilty code is (in details):
gchar** gtkSearchPath;
int nElements(0);
gtk_icon_theme_get_search_path( gtk_icon_theme_get_default(), &gtkSearchPath, &nElements );
for( int i=0; i<nElements; i++ ) { searchPath.insert( gtkSearchPath[i] ); }
So from the gtk method call, I was expecting, by construction, gtkSearchPath[i] not to be Null (never), or else it means nElements is just not calculated right.
(or do I not read c++ right ?)
This to say: can be easily fixed in oxygen-gtk, but this rather looks like a Gtk bug to me. Maybe it's worth reporting it there.
Side note: can't reproduce. Could you also post the gtk version ?
Created attachment 1493
patch (for testing)
Tentative patch.
Easy enough.
Could not test since I could not reproduce the crash in the first place.
Please report back and I'll push the patch upstream.
(PS 2: please also report the metacity version. Mine might be too old)
gtk+2.0-2.24.9-1.mga2 metacity-2.34.1-5.mga2
thx ! I have gtk-2.24.8 and metacity-2.30.3-4.mga1. Will upgrade gtk (compiled from source). Can't guarantee metacity upgrade. Also, I'm 32bits.
Created attachment 1494
GDB trace with path applied
Now it segfaults on free()
For the record, I'm running latest Mageia Cauldron.
(I'm not :)) Anyway. I think the issue is that the initial output of gtk_icon_theme_get_search_path is 0, hence the "free" issue. Will post another patch.
Created attachment 1495
another patch
Another tentative patch. In replacement for (and not on top of) the previous patch that did not work.
Created attachment 1496
GDB trace
still segfaulting...
Well, since 1/ I can't reproduce 2/ obviously gtkSearchPath is not null (from previous patch failing), but can't be freed (from previous crash report), it has to be a gtk bug (and/or metacity). Nothing I can do about it :(
PS: just updated to gtk+-2.24.9 and metacity-2.34.1
Well only oxygen-gtk segfaults like this... Default adwaita theme works just fine with metacity
Well. that doesn't prove anything, sorry to say. The other theme(s) likely don't call the guilty gtk function. Doesn't make it oxygen's fault, does it ? Anyway. after reading the documentation for gtk_icon_theme_get_search_path I'll give a shot to another patch (that uses g_strfreev() instead of g_free). Maybe that will fix the other crash.
Created attachment 1497
v3
Created attachment 1499
GDB trace
Still segfaulting...
The last backtrace does not make much sense, sadly enough. If the crash is in "if( gtkSearchPath[i] )" it means that memory is corrupted. since the guy is direct out of a gtk call, it has to be a gtk bug. nothing I can do about it. Should rather be reported upstream.
The upstream bug was closed as not a GTK bug:
--- Comment #1 from Matthias Clasen <mclasen@redhat.com> 2012-02-10 01:42:56 UTC ---
Taking a quick look at some of the stacktraces in the Mandriva bug:
Gtk-CRITICAL **: IA__gtk_icon_theme_get_search_path: assertion `GTK_IS_ICON_THEME (icon_theme)' failed
indicates that the GtkIconTheme object that gtk_icon_theme_get_search_path is called on is not valid. Anything after that critical is not really relevant...
Olav Vitters
2012-02-10 07:58:18 CET
CC: (none) => olav
oops wrong link.
http://commits.kde.org/oxygen-gtk/b184eefe1c504b8c93114ae2a4bdcacf18b7f932
http://commits.kde.org/oxygen-gtk/7aa38197e9f37486b5c761fbff415bebe6cc48a3
Thierry Vignaud
2012-02-10 14:23:51 CET
Attachment 1493 is obsolete: 0 => 1
Thierry Vignaud
2012-02-10 14:23:56 CET
Attachment 1494 is obsolete: 0 => 1
Thierry Vignaud
2012-02-10 14:24:04 CET
Attachment 1495 is obsolete: 0 => 1
Thierry Vignaud
2012-02-10 14:24:08 CET
Attachment 1496 is obsolete: 0 => 1
Thierry Vignaud
2012-02-10 14:24:14 CET
Attachment 1497 is obsolete: 0 => 1
Thierry Vignaud
2012-02-10 14:24:22 CET
Attachment 1499 is obsolete: 0 => 1
I had to rediff the patch to apply cleanly on 1.2.0 (looks like you committed one of the test patches). It definitively fixes the bug on one of my test machines. I'll do further testing tonight on another one. Interestingly, it doesn't happen in a chroot unless /var/run/dbus/ is bound on the chroot one.
Thanks for the patch!
Keywords: (none) => PATCH, UPSTREAM
I'll put back the suggest tag on oxygen-gtk in gtk+2.0
Checked on another test machine. Works fine too. Thanks for the fix.
oxygen-gtk-1.2.0-3.mga2 is being uploaded with that fix.
Status: NEW => RESOLVED |
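The calling pattern debated in this thread, as an added example that is not oxygen-gtk or GTK code: a getter guarded the way the quoted `Gtk-CRITICAL` assertion indicates returns early without writing its out-parameters, so the caller initialises them, checks them, and frees the result as a string vector, which is what g_strfreev() does. `FakeIconTheme`, `fake_get_search_path`, `free_strv`, `collect_search_path` and the directory names are hypothetical stand-ins so the block builds without GTK.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <set>
#include <string>
struct FakeIconTheme { bool valid; };  // hypothetical stand-in, not a GTK type

// Hypothetical getter modelled on a g_return_if_fail()-guarded function:
// on an invalid object it returns early and writes NEITHER out-parameter.
static void fake_get_search_path(const FakeIconTheme* theme, char*** path, int* n) {
    if (!theme || !theme->valid) return;
    static const char* dirs[] = { "/usr/share/icons", "/usr/share/pixmaps" };  // constructed
    const int count = 2;
    // calloc zero-fills, so the vector is always NULL-terminated.
    char** out = static_cast<char**>(std::calloc(count + 1, sizeof(char*)));
    if (!out) return;
    int filled = 0;
    for (; filled < count; ++filled) {
        const std::size_t len = std::strlen(dirs[filled]) + 1;
        out[filled] = static_cast<char*>(std::malloc(len));
        if (!out[filled]) break;
        std::memcpy(out[filled], dirs[filled], len);
    }
    *path = out;  // caller owns the vector and every string in it
    *n = filled;
}

// Same contract as g_strfreev(): free each string, then the vector; NULL is a no-op.
static void free_strv(char** v) {
    if (!v) return;
    for (char** p = v; *p; ++p) std::free(*p);
    std::free(v);
}

std::set<std::string> collect_search_path(const FakeIconTheme* theme) {
    std::set<std::string> result;
    char** paths = nullptr;  // initialised: an early return in the getter stays detectable
    int n = 0;
    fake_get_search_path(theme, &paths, &n);
    if (!paths) return result;  // getter bailed out: nothing to read, nothing to free
    for (int i = 0; i < n && paths[i]; ++i) result.insert(paths[i]);
    free_strv(paths);  // not free(paths): that would leak the strings
    return result;
}

int main() {
    FakeIconTheme ok{true}, bad{false};
    std::printf("%zu %zu\n", collect_search_path(&ok).size(), collect_search_path(&bad).size());
}
```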