diff --git a/0001-gui-wizard-gtk-Fix-a-double-free-condition.patch b/0001-gui-wizard-gtk-Fix-a-double-free-condition.patch
deleted file mode 100644
index c000d30..0000000
--- a/0001-gui-wizard-gtk-Fix-a-double-free-condition.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From ce557c0fb309184a9a8fc38a76404324d94803b0 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20Grabovsk=C3=BD?=
-Date: Fri, 25 Sep 2020 19:23:51 +0200
-Subject: [PATCH] gui-wizard-gtk: Fix a double free condition
-
-We may only free `log_msg` in `update_command_run_log()` if it is the
-result of the call to `g_strdup_printf()`, otherwise the caller takes
-care of it.
-
-Partially reverts 7aba6e53.
-
-Resolves rhbz#1882319
----
- src/gui-wizard-gtk/wizard.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/src/gui-wizard-gtk/wizard.c b/src/gui-wizard-gtk/wizard.c
-index 8a4486f2..a532c633 100644
---- a/src/gui-wizard-gtk/wizard.c
-+++ b/src/gui-wizard-gtk/wizard.c
-@@ -1385,7 +1385,7 @@ static void cancel_processing(GtkLabel *status_label, const char *message, int t
- pango_attr_list_unref(list);
- }
-
--static void update_command_run_log(const char* message, struct analyze_event_data *evd)
-+static void update_command_run_log(char *message, struct analyze_event_data *evd)
- {
- const bool it_is_a_dot = (message[0] == '.' && message[1] == '\0');
-
-@@ -1393,12 +1393,18 @@ static void update_command_run_log(const char* message, struct analyze_event_dat
- gtk_label_set_text(g_lbl_event_log, message);
-
- /* Don't append new line behind single dot */
-- g_autofree const char *log_msg = it_is_a_dot ? message : g_strdup_printf("%s\n", message);
-+ char *log_msg = it_is_a_dot ? message : g_strdup_printf("%s\n", message);
- append_to_textview(g_tv_event_log, log_msg);
- save_to_event_log(evd, log_msg);
-+
-+ if (log_msg != message)
-+ {
-+ /* We assume message is managed by the caller. */
-+ free(log_msg);
-+ }
- }
-
--static void run_event_gtk_error(const char *error_line, void *param)
-+static void run_event_gtk_error(char *error_line, void *param)
- {
- update_command_run_log(error_line, (struct analyze_event_data *)param);
- }
---
-2.26.2
-
diff --git a/0001-gui-wizard-gtk-wizard-Remove-variable.patch b/0001-gui-wizard-gtk-wizard-Remove-variable.patch
new file mode 100644
index 0000000..9537db0
--- /dev/null
+++ b/0001-gui-wizard-gtk-wizard-Remove-variable.patch
@@ -0,0 +1,39 @@
+From 1c646a2948d287368ec1a82b444e8175ebfbf5b9 Mon Sep 17 00:00:00 2001
+From: Ernestas Kulik
+Date: Tue, 25 Aug 2020 15:05:31 +0300
+Subject: [PATCH] gui-wizard-gtk: wizard: Remove variable
+
+cmd_output is no longer used since
+440bcfa8526d50f122ec14e19f2bf2aa336f61e7 and trying to call
+g_string_free() on it results in a critical warning.
+---
+ src/gui-wizard-gtk/wizard.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/src/gui-wizard-gtk/wizard.c b/src/gui-wizard-gtk/wizard.c
+index 44900448..a4d7caa0 100644
+--- a/src/gui-wizard-gtk/wizard.c
++++ b/src/gui-wizard-gtk/wizard.c
+@@ -231,8 +231,6 @@ typedef struct
+
+ static page_obj_t pages[NUM_PAGES];
+
+-static GString *cmd_output = NULL;
+-
+ /* Utility functions */
+
+ static void clear_warnings(void);
+@@ -1667,10 +1665,6 @@ static gboolean consume_cmd_output(GIOChannel *source, GIOCondition condition, g
+ log_notice("done running event on '%s': %d", g_dump_dir_name, retval);
+ append_to_textview(g_tv_event_log, "\n");
+
+- /* Free child output buffer */
+- g_string_free(cmd_output, TRUE);
+- cmd_output = NULL;
+-
+ /* Hide spinner and stop btn */
+ gtk_widget_hide(GTK_WIDGET(g_spinner_event_log));
+ gtk_widget_hide(g_btn_stop);
+--
+2.28.0
+
diff --git a/0002-gui-wizard-gtk-Fix-a-segfault-and-memory-leak.patch b/0002-gui-wizard-gtk-Fix-a-segfault-and-memory-leak.patch
deleted file mode 100644
index 2b38feb..0000000
--- a/0002-gui-wizard-gtk-Fix-a-segfault-and-memory-leak.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From cb2ab9a8b2e1dbc89e100aedc432c29a16246e84 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20Grabovsk=C3=BD?=
-Date: Sun, 27 Sep 2020 20:45:32 +0200
-Subject: [PATCH] gui-wizard-gtk: Fix a segfault and memory leak
-
-Only `arg[1]` has to be freed in `tv_details_row_activated()`, as
-`arg[0]` is allocated statically.
-
-In `search_item_to_list_store_item()`, `tmp` gets overwritten with a new
-value for every call to `gtk_text_buffer_get_text()`, so we need to free
-the allocated memory continuously.
-
-Partially reverts 7aba6e53.
-
-Resolves rhbz#1882950
----
- src/gui-wizard-gtk/wizard.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/gui-wizard-gtk/wizard.c b/src/gui-wizard-gtk/wizard.c
-index a532c633..775b709f 100644
---- a/src/gui-wizard-gtk/wizard.c
-+++ b/src/gui-wizard-gtk/wizard.c
-@@ -707,7 +707,7 @@ static void tv_details_row_activated(
- return;
-
- gint exitcode;
-- g_autofree gchar *arg[3];
-+ gchar *arg[3];
- arg[0] = (char *) "xdg-open";
- arg[1] = g_build_filename(g_dump_dir_name ? g_dump_dir_name : "", item_name, NULL);
- arg[2] = NULL;
-@@ -751,6 +751,8 @@ static void tv_details_row_activated(
- gtk_widget_destroy(scrolled);
- gtk_widget_destroy(dialog);
- }
-+
-+ g_free(arg[1]);
- }
-
- /* static gboolean tv_details_select_cursor_row(
-@@ -2126,17 +2128,20 @@ static void search_item_to_list_store_item(GtkListStore *store, GtkTreeIter *new
- gtk_text_iter_backward_char(end);
- }
-
-- g_autofree gchar *tmp = gtk_text_buffer_get_text(word->buffer, beg, &(word->start),
-+ gchar *tmp = gtk_text_buffer_get_text(word->buffer, beg, &(word->start),
- /*don't include hidden chars*/FALSE);
- g_autofree gchar *prefix = g_markup_escape_text(tmp, /*NULL terminated string*/-1);
-+ g_free(tmp);
-
- tmp = gtk_text_buffer_get_text(word->buffer, &(word->start), &(word->end),
- /*don't include hidden chars*/FALSE);
- g_autofree gchar *text = g_markup_escape_text(tmp, /*NULL terminated string*/-1);
-+ g_free(tmp);
-
- tmp = gtk_text_buffer_get_text(word->buffer, &(word->end), end,
- /*don't include hidden chars*/FALSE);
- g_autofree gchar *suffix = g_markup_escape_text(tmp, /*NULL terminated string*/-1);
-+ g_clear_pointer(&tmp, g_free);
-
- char *content = g_strdup_printf("%s%s%s", prefix, text, suffix);
-
---
-2.26.2
-
diff --git a/0002-gui-wizard-gtk-wizard-Fix-invalid-memory-read.patch b/0002-gui-wizard-gtk-wizard-Fix-invalid-memory-read.patch
new file mode 100644
index 0000000..ed46b09
--- /dev/null
+++ b/0002-gui-wizard-gtk-wizard-Fix-invalid-memory-read.patch
@@ -0,0 +1,49 @@
+From 85b687098bcedb67285ab787b8bd506d328c34e0 Mon Sep 17 00:00:00 2001
+From: Ernestas Kulik
+Date: Tue, 25 Aug 2020 15:17:54 +0300
+Subject: [PATCH] gui-wizard-gtk: wizard: Fix invalid memory read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This partially reverts 7aba6e53bbfeedaacd95bbaa5e0c5e325a3e6a8d, which
+results in “event” being inappropriately freed before a “goto” statement
+is executed and the value stored in “g_event_selected” is read.
+---
+ src/gui-wizard-gtk/wizard.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/gui-wizard-gtk/wizard.c b/src/gui-wizard-gtk/wizard.c
+index a4d7caa0..3e69a513 100644
+--- a/src/gui-wizard-gtk/wizard.c
++++ b/src/gui-wizard-gtk/wizard.c
+@@ -2635,7 +2635,7 @@ static gint select_next_page_no(gint current_page_no)
+
+ log_info("%s: Looking for next event to process", __func__);
+ /* (note: this frees and sets to NULL g_event_selected) */
+- g_autofree char *event = setup_next_processed_event(&g_auto_event_list);
++ char *event = setup_next_processed_event(&g_auto_event_list);
+ if (!event)
+ {
+ current_page_no = PAGENO_EVENT_PROGRESS - 1;
+@@ -2644,6 +2644,8 @@ static gint select_next_page_no(gint current_page_no)
+
+ if (!get_sensitive_data_permission(event))
+ {
++ free(event);
++
+ cancel_processing(g_lbl_event_log, /* default message */ NULL, TERMINATE_NOFLAGS);
+ current_page_no = PAGENO_EVENT_PROGRESS - 1;
+ goto again;
+@@ -2659,6 +2661,8 @@ static gint select_next_page_no(gint current_page_no)
+
+ if (libreport_get_global_stop_on_not_reportable())
+ {
++ free(event);
++
+ cancel_processing(g_lbl_event_log, msg, TERMINATE_NOFLAGS);
+ current_page_no = PAGENO_EVENT_PROGRESS - 1;
+ goto again;
+--
+2.28.0
+
diff --git a/0003-gui-wizard-gtk-Fix-a-double-free-condition.patch b/0003-gui-wizard-gtk-Fix-a-double-free-condition.patch
new file mode 100644
index 0000000..c000d30
--- /dev/null
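Review bot: In the select_next_page_no() hunks, `event` is now released by hand on only the two `goto again` exits the patch touches, and nothing on the visible lines says who owns the string afterwards, so a later early exit can leak it or reintroduce the stale read of `g_event_selected`. The commit message implies the pointer is stored in `g_event_selected`, but that assignment is outside the hunks; if it is, keeping `g_autofree` and handing over with `g_event_selected = g_steal_pointer(&event);` would avoid per-branch cleanup. Otherwise a comment at the declaration such as `/* owned here until stored in g_event_selected; every early exit must free it */` would record the contract. The series also mixes `free()` and `g_free()`: `free(event)` here and `free(log_msg)` on a `g_strdup_printf()` result in 0003-gui-wizard-gtk-Fix-a-double-free-condition.patch, whereas 0004 uses `g_free()`, which is the documented counterpart for GLib allocations; the allocator behind `setup_next_processed_event()` is not shown, so confirm before switching `event`.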
+++ b/0003-gui-wizard-gtk-Fix-a-double-free-condition.patch
@@ -0,0 +1,53 @@
+From ce557c0fb309184a9a8fc38a76404324d94803b0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20Grabovsk=C3=BD?=
+Date: Fri, 25 Sep 2020 19:23:51 +0200
+Subject: [PATCH] gui-wizard-gtk: Fix a double free condition
+
+We may only free `log_msg` in `update_command_run_log()` if it is the
+result of the call to `g_strdup_printf()`, otherwise the caller takes
+care of it.
+
+Partially reverts 7aba6e53.
+
+Resolves rhbz#1882319
+---
+ src/gui-wizard-gtk/wizard.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/gui-wizard-gtk/wizard.c b/src/gui-wizard-gtk/wizard.c
+index 8a4486f2..a532c633 100644
+--- a/src/gui-wizard-gtk/wizard.c
++++ b/src/gui-wizard-gtk/wizard.c
+@@ -1385,7 +1385,7 @@ static void cancel_processing(GtkLabel *status_label, const char *message, int t
+ pango_attr_list_unref(list);
+ }
+
+-static void update_command_run_log(const char* message, struct analyze_event_data *evd)
++static void update_command_run_log(char *message, struct analyze_event_data *evd)
+ {
+ const bool it_is_a_dot = (message[0] == '.' && message[1] == '\0');
+
+@@ -1393,12 +1393,18 @@ static void update_command_run_log(const char* message, struct analyze_event_dat
+ gtk_label_set_text(g_lbl_event_log, message);
+
+ /* Don't append new line behind single dot */
+- g_autofree const char *log_msg = it_is_a_dot ? message : g_strdup_printf("%s\n", message);
++ char *log_msg = it_is_a_dot ? message : g_strdup_printf("%s\n", message);
+ append_to_textview(g_tv_event_log, log_msg);
+ save_to_event_log(evd, log_msg);
++
++ if (log_msg != message)
++ {
++ /* We assume message is managed by the caller. */
++ free(log_msg);
++ }
+ }
+
+-static void run_event_gtk_error(const char *error_line, void *param)
++static void run_event_gtk_error(char *error_line, void *param)
+ {
+ update_command_run_log(error_line, (struct analyze_event_data *)param);
+ }
+--
+2.26.2
+
diff --git a/0004-gui-wizard-gtk-Fix-a-segfault-and-memory-leak.patch b/0004-gui-wizard-gtk-Fix-a-segfault-and-memory-leak.patch
new file mode 100644
index 0000000..2b38feb
--- /dev/null
+++ b/0004-gui-wizard-gtk-Fix-a-segfault-and-memory-leak.patch
@@ -0,0 +1,66 @@
+From cb2ab9a8b2e1dbc89e100aedc432c29a16246e84 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20Grabovsk=C3=BD?=
+Date: Sun, 27 Sep 2020 20:45:32 +0200
+Subject: [PATCH] gui-wizard-gtk: Fix a segfault and memory leak
+
+Only `arg[1]` has to be freed in `tv_details_row_activated()`, as
+`arg[0]` is allocated statically.
+
+In `search_item_to_list_store_item()`, `tmp` gets overwritten with a new
+value for every call to `gtk_text_buffer_get_text()`, so we need to free
+the allocated memory continuously.
+
+Partially reverts 7aba6e53.
+
+Resolves rhbz#1882950
+---
+ src/gui-wizard-gtk/wizard.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/gui-wizard-gtk/wizard.c b/src/gui-wizard-gtk/wizard.c
+index a532c633..775b709f 100644
+--- a/src/gui-wizard-gtk/wizard.c
++++ b/src/gui-wizard-gtk/wizard.c
+@@ -707,7 +707,7 @@ static void tv_details_row_activated(
+ return;
+
+ gint exitcode;
+- g_autofree gchar *arg[3];
++ gchar *arg[3];
+ arg[0] = (char *) "xdg-open";
+ arg[1] = g_build_filename(g_dump_dir_name ? g_dump_dir_name : "", item_name, NULL);
+ arg[2] = NULL;
+@@ -751,6 +751,8 @@ static void tv_details_row_activated(
+ gtk_widget_destroy(scrolled);
+ gtk_widget_destroy(dialog);
+ }
++
++ g_free(arg[1]);
+ }
+
+ /* static gboolean tv_details_select_cursor_row(
+@@ -2126,17 +2128,20 @@ static void search_item_to_list_store_item(GtkListStore *store, GtkTreeIter *new
+ gtk_text_iter_backward_char(end);
+ }
+
+- g_autofree gchar *tmp = gtk_text_buffer_get_text(word->buffer, beg, &(word->start),
++ gchar *tmp = gtk_text_buffer_get_text(word->buffer, beg, &(word->start),
+ /*don't include hidden chars*/FALSE);
+ g_autofree gchar *prefix = g_markup_escape_text(tmp, /*NULL terminated string*/-1);
++ g_free(tmp);
+
+ tmp = gtk_text_buffer_get_text(word->buffer, &(word->start), &(word->end),
+ /*don't include hidden chars*/FALSE);
+ g_autofree gchar *text = g_markup_escape_text(tmp, /*NULL terminated string*/-1);
++ g_free(tmp);
+
+ tmp = gtk_text_buffer_get_text(word->buffer, &(word->end), end,
+ /*don't include hidden chars*/FALSE);
+ g_autofree gchar *suffix = g_markup_escape_text(tmp, /*NULL terminated string*/-1);
++ g_clear_pointer(&tmp, g_free);
+
+ char *content = g_strdup_printf("%s%s%s", prefix, text, suffix);
+
+--
+2.26.2
+
diff --git a/libreport.spec b/libreport.spec
index c160ab3..2d609f8 100644
--- a/libreport.spec
+++ b/libreport.spec
@@ -15,13 +15,15 @@ Summary: Generic library for reporting various problems Name: libreport Version: 2.14.0 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ URL: https://abrt.readthedocs.org/ Source: https://github.com/abrt/%{name}/archive/%{version}/%{name}-%{version}.tar.gz -Patch0: 0001-gui-wizard-gtk-Fix-a-double-free-condition.patch -Patch1: 0002-gui-wizard-gtk-Fix-a-segfault-and-memory-leak.patch +Patch0: 0001-gui-wizard-gtk-wizard-Remove-variable.patch +Patch1: 0002-gui-wizard-gtk-wizard-Fix-invalid-memory-read.patch +Patch2: 0003-gui-wizard-gtk-Fix-a-double-free-condition.patch +Patch3: 0004-gui-wizard-gtk-Fix-a-segfault-and-memory-leak.patch BuildRequires: %{dbus_devel} BuildRequires: gtk3-devel @@ -662,6 +664,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %endif %changelog +* Sun Sep 27 2020 Matěj Grabovský - 2.14.0-9 +- Add upstream fixes for memory management + * Sun Sep 27 2020 Matěj Grabovský - 2.14.0-8 - Add fix for https://bugzilla.redhat.com/show_bug.cgi?id=1882950