Opened 11 years ago

Closed 9 years ago

#6453 closed defect (fixed)

Bug buddy report

Reported by: Iwo
Owned by: QuLogic
Milestone: 2.7.0
Component: MSN
Version: 2.4.3
Keywords:
Cc:

Description (last modified by datallah)

Hi guys, I use the bug buddy software in Debian Testing, which wrote a bug report when Pidgin 2.4.3 crashed. Maybe the reason is that I tried to send a file by MSN when the other person had not enabled the function. This is the report:

System: Linux 2.6.25-2-686 #1 SMP Fri Jul 18 17:46:56 UTC 2008 i686
X Vendor: The X.Org Foundation
X Vendor Release: 10402000
Selinux: No
Accessibility: Disabled
GTK+ Theme: Clearlooks
Icon Theme: gnome

Memory status: size: 136392704 vsize: 136392704 resident: 76591104 share: 19582976 rss: 76591104 rss_rlim: 4294967295
CPU usage: start_time: 1217160763 rtime: 6626 utime: 6156 stime: 470 cutime:20 cstime: 31 timeout: 0 it_real_value: 0 frequency: 100

Backtrace was generated from '/usr/bin/pidgin'

[Thread debugging using libthread_db enabled]
[New Thread 0xb71e1940 (LWP 3381)]
0xb7fc3424 in __kernel_vsyscall ()
#0  0xb7fc3424 in __kernel_vsyscall ()
#1  0xb77588eb in waitpid () from /lib/i686/cmov/libpthread.so.0
#2  0xb77d4ae3 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0
#3  0xb77d4dec in g_spawn_command_line_sync () from /usr/lib/libglib-2.0.so.0
#4  0xb7021198 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so
#5  <signal handler called>
#6  0xb7fc3424 in __kernel_vsyscall ()
#7  0xb7627ef5 in raise () from /lib/i686/cmov/libc.so.6
#8  0xb7629871 in abort () from /lib/i686/cmov/libc.so.6
#9  0x080bfd7b in sighandler (sig=11) at ../../pidgin/gtkmain.c:193
#10 <signal handler called>
#11 msn_slplink_add_slpcall (slplink=0xd500680, slpcall=0xd5ad100)
    at ../../../../libpurple/protocols/msnp9/slplink.c:184
#12 0xb66854bd in msn_slp_call_new (slplink=0xd500680)
    at ../../../../libpurple/protocols/msnp9/slpcall.c:69
#13 0xb6685762 in msn_slplink_request_ft (slplink=0xd500680, xfer=0xd601568)
    at ../../../../libpurple/protocols/msnp9/slplink.c:760
#14 0xb6677ff4 in t_msn_xfer_init (xfer=0xd601568)
    at ../../../../libpurple/protocols/msnp9/msn.c:447
#15 0xb78dd537 in purple_xfer_request_accepted (xfer=0xd601568, 
    filename=0xd62d1b8 "/home/iwo/fotki/Angels_Raphael_Cherubs_kaczynscy_a.jpg") at ../../libpurple/ft.c:530
#16 0xb78dd8ca in purple_xfer_choose_file_ok_cb (user_data=0xd601568, 
    filename=0xd62d1b8 "/home/iwo/fotki/Angels_Raphael_Cherubs_kaczynscy_a.jpg") at ../../libpurple/ft.c:295
#17 0x080d4469 in file_yes_no_cb (data=0xd5f5c98, id=1)
    at ../../pidgin/gtkrequest.c:1425
#18 0xb7834dbc in g_cclosure_marshal_VOID () from /usr/lib/libgobject-2.0.so.0
#19 0xb7827923 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#20 0xb783ae9d in ?? () from /usr/lib/libgobject-2.0.so.0
#21 0x0d63d8f8 in ?? ()
#22 0x00000000 in ?? ()

Thread 1 (Thread 0xb71e1940 (LWP 3381)):
#0  0xb7fc3424 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb77588eb in waitpid () from /lib/i686/cmov/libpthread.so.0
No symbol table info available.
#2  0xb77d4ae3 in g_spawn_sync () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#3  0xb77d4dec in g_spawn_command_line_sync () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#4  0xb7021198 in ?? () from /usr/lib/gtk-2.0/modules/libgnomebreakpad.so
No symbol table info available.
#5  <signal handler called>
No symbol table info available.
#6  0xb7fc3424 in __kernel_vsyscall ()
No symbol table info available.
#7  0xb7627ef5 in raise () from /lib/i686/cmov/libc.so.6
No symbol table info available.
#8  0xb7629871 in abort () from /lib/i686/cmov/libc.so.6
No symbol table info available.
#9  0x080bfd7b in sighandler (sig=11) at ../../pidgin/gtkmain.c:193
No locals.
#10 <signal handler called>
No symbol table info available.
#11 msn_slplink_add_slpcall (slplink=0xd500680, slpcall=0xd5ad100)
    at ../../../../libpurple/protocols/msnp9/slplink.c:184
No locals.
#12 0xb66854bd in msn_slp_call_new (slplink=0xd500680)
    at ../../../../libpurple/protocols/msnp9/slpcall.c:69
	slpcall = <value optimized out>
	__PRETTY_FUNCTION__ = "msn_slp_call_new"
#13 0xb6685762 in msn_slplink_request_ft (slplink=0xd500680, xfer=0xd601568)
    at ../../../../libpurple/protocols/msnp9/slplink.c:760
	slpcall = <value optimized out>
	context = <value optimized out>
	fn = 0xc652030 "Angels_Raphael_Cherubs_kaczynscy_a.jpg"
	fp = 0xc65baf0 "/home/iwo/fotki/Angels_Raphael_Cherubs_kaczynscy_a.jpg"
	__PRETTY_FUNCTION__ = "msn_slplink_request_ft"
#14 0xb6677ff4 in t_msn_xfer_init (xfer=0xd601568)
    at ../../../../libpurple/protocols/msnp9/msn.c:447
No locals.
#15 0xb78dd537 in purple_xfer_request_accepted (xfer=0xd601568, 
    filename=0xd62d1b8 "/home/iwo/fotki/Angels_Raphael_Cherubs_kaczynscy_a.jpg") at ../../libpurple/ft.c:530
	type = <value optimized out>
	st = {st_dev = 774, __pad1 = 0, __st_ino = 239224, st_mode = 33261, 
  st_nlink = 1, st_uid = 1000, st_gid = 1000, st_rdev = 0, __pad2 = 0, 
  st_size = 108742, st_blksize = 4096, st_blocks = 224, st_atim = {
    tv_sec = 1216913857, tv_nsec = 0}, st_mtim = {tv_sec = 1131472590, 
    tv_nsec = 0}, st_ctim = {tv_sec = 1213026049, tv_nsec = 0}, 
  st_ino = 239224}
	utf8 = 0xd500680 "\001"
	account = (PurpleAccount *) 0xa07f0a0
	buddy = (PurpleBuddy *) 0xc6534a8
#16 0xb78dd8ca in purple_xfer_choose_file_ok_cb (user_data=0xd601568, 
    filename=0xd62d1b8 "/home/iwo/fotki/Angels_Raphael_Cherubs_kaczynscy_a.jpg") at ../../libpurple/ft.c:295
	xfer = <value optimized out>
	st = {st_dev = 774, __pad1 = 0, __st_ino = 239224, st_mode = 33261, 
  st_nlink = 1, st_uid = 1000, st_gid = 1000, st_rdev = 0, __pad2 = 0, 
  st_size = 108742, st_blksize = 4096, st_blocks = 224, st_atim = {
    tv_sec = 1216913857, tv_nsec = 0}, st_mtim = {tv_sec = 1131472590, 
    tv_nsec = 0}, st_ctim = {tv_sec = 1213026049, tv_nsec = 0}, 
  st_ino = 239224}
	dir = <value optimized out>
#17 0x080d4469 in file_yes_no_cb (data=0xd5f5c98, id=1)
    at ../../pidgin/gtkrequest.c:1425
No locals.
#18 0xb7834dbc in g_cclosure_marshal_VOID () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#19 0xb7827923 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#20 0xb783ae9d in ?? () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#21 0x0d63d8f8 in ?? ()
No symbol table info available.
#22 0x00000000 in ?? ()
No symbol table info available.
#0  0xb7fc3424 in __kernel_vsyscall ()
The program is running.  Quit anyway (and detach it)? (y or n) [answered Y; input not from terminal]


----------- .xsession-errors (9246 sec old) ---------------------
gsttypefindelement.c(757): gst_type_find_element_activate (): /play/decodebin0/typefind
totem-video-thumbnailer couldn't open file 'file:///home/iwo/deluge/The%20Recruit%5B2003%5DDVDRip%5BEng%5D-NuMy.avi'
Reason: Nie udało się określić rodzaju strumienia..
** (gnome-video-thumbnailer:7912): WARNING **: Unknown codec ID 86022, please add here
** Message: Error: Nie udało się określić rodzaju strumienia.
gsttypefindelement.c(757): gst_type_find_element_activate (): /play/decodebin0/typefind
totem-video-thumbnailer couldn't open file 'file:///home/iwo/deluge/The%20Recruit%5B2003%5DDVDRip%5BEng%5D-NuMy.avi'
Reason: Nie udało się określić rodzaju strumienia..
** (gnome-video-thumbnailer:7919): WARNING **: Unknown codec ID 86022, please add here
...Too much output, ignoring rest...
--------------------------------------------------

Change History (7)

comment:1 Changed 11 years ago by datallah

  • Description modified (diff)

comment:2 Changed 11 years ago by bernmeister

Does this still occur in 2.5.1? Can you please verify?

comment:3 Changed 11 years ago by Sim-on

  • Status changed from new to pending

comment:4 Changed 11 years ago by trac-robot

  • Status changed from pending to closed

This ticket was closed automatically by the system. It was previously set to a Pending status and hasn't been updated within 14 days.

comment:5 Changed 9 years ago by QuLogic

  • Status changed from closed to new

Reproducible.

comment:6 Changed 9 years ago by QuLogic

  • Owner changed from khc to QuLogic

comment:7 Changed 9 years ago by qulogic@…

  • Milestone set to 2.7.0
  • Resolution set to fixed
  • Status changed from new to closed

(In 337967ea94c0d00f8a069e94718933d47a9d9c80):
Fix a possible use-after-free.

If the user initiated a file transfer while a display pic transfer was in progress, and that transfer finished before the user selected a file, then the MsnSlpLink to that user could be used after it's freed. Also, if there were a conversation open to that user, then the slplink would not be freed, so the FT must be started from the buddy list.

Fixes #6453.
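
The lifecycle the commit message describes, as a small added C model (not Pidgin's code and not the change in the commit above; the link registry, type names, the `conv_open` flag and the passport value are constructed for illustration): the unsafe path caches the link pointer across the file chooser, while the safe path keeps only the buddy's identity and re-resolves the link when the file is accepted, one way to avoid the dangling pointer.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of an MSN slplink lifecycle; not libpurple's code. */
#define MAX_LINKS 8
typedef struct { char *passport; int active_calls; int conv_open; } SlpLink;
static SlpLink *links[MAX_LINKS];   /* session-owned registry of live links */
static SlpLink *slplink_find_or_create(const char *passport) {
    int free_slot = -1;
    for (int i = 0; i < MAX_LINKS; i++) {
        if (links[i] && strcmp(links[i]->passport, passport) == 0) return links[i];
        if (!links[i] && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return NULL;
    SlpLink *l = calloc(1, sizeof *l);
    l->passport = malloc(strlen(passport) + 1);
    strcpy(l->passport, passport);
    return links[free_slot] = l;
}
/* An slpcall (e.g. a display-picture transfer) finished: the link is freed
   once no calls remain and no conversation window holds it. */
static void slplink_call_done(SlpLink *l) {
    if (--l->active_calls > 0 || l->conv_open) return;
    for (int i = 0; i < MAX_LINKS; i++) if (links[i] == l) links[i] = NULL;
    free(l->passport);
    free(l);
}
static int slplink_is_live(const SlpLink *l) {
    for (int i = 0; i < MAX_LINKS; i++) if (links[i] == l) return 1;
    return 0;
}
/* Ticket scenario: picture transfer in flight, file transfer started from the
   buddy list (no conversation open), picture finishes before the file chooser
   returns. Returns 1 if the link is still registered at accept time, 0 if not. */
int unsafe_scenario(void) {
    SlpLink *l = slplink_find_or_create("buddy@example.com");
    l->active_calls = 1;               /* display pic slpcall in progress */
    SlpLink *cached = l;               /* raw pointer kept across the dialog */
    slplink_call_done(l);              /* picture done: link destroyed */
    return slplink_is_live(cached);    /* 0: dereferencing it would be a UAF */
}
int safe_scenario(void) {
    SlpLink *l = slplink_find_or_create("buddy@example.com");
    l->active_calls = 1;
    char who[64];                      /* keep only the identity, not the link */
    strncpy(who, l->passport, sizeof who - 1); who[sizeof who - 1] = '\0';
    slplink_call_done(l);
    SlpLink *now = slplink_find_or_create(who);   /* re-resolve on accept */
    int ok = slplink_is_live(now);
    now->active_calls = 1; slplink_call_done(now); /* tidy up */
    return ok;
}
```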
