Closed irssibot closed 13 years ago
The offending free is in core/special-vars.c:parse_special_string.
Specifically, line 515:
"if (need_free) g_free(ret);"
When the error messages are generated, need_free is true (obviously), and ret is a string containing a single space.
It appears to be because the need_free flag is being set incorrectly when ret contains a static string, hence the failure to free it.
The following patch unsets the flag for this specific condition. I'm not sure of the ultimate implications, but it seems nicer than having to dynamically allocate 2 bytes just so we can free them again properly.
fix-cumode_space.patch
From 35ddd45044388fe1f26e95c43ca0d8bcf30462fe Mon Sep 17 00:00:00 2001
From: Tom Feist <shabble@metavore.org>
Date: Sat, 19 Mar 2011 08:09:37 +0000
Subject: [PATCH] fix bug #795 by setting free_arg parameter correctly to false where the expando
expansion is a static string.
---
src/irc/core/irc-expandos.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/src/irc/core/irc-expandos.c b/src/irc/core/irc-expandos.c
index 0c0da64..df692cc 100644
--- a/src/irc/core/irc-expandos.c
+++ b/src/irc/core/irc-expandos.c
@@ -106,7 +106,13 @@ static char *expando_cumode_space(SERVER_REC *server, void *item, int *free_ret)
return "";
ret = expando_cumode(server, item, free_ret);
- return *ret == '\0' ? " " : ret;
+
+ if (*ret == '\0') {
+ free_ret = FALSE;
+ return " ";
+ } else {
+ return ret;
+ }
}
static void event_join(IRC_SERVER_REC *server, const char *data,
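Review bot: `free_ret = FALSE;` in the new `if (*ret == '\0')` branch assigns to the pointer parameter itself, not to the int it points at, so the caller's flag is never cleared and `parse_special_string` will still `g_free()` the static `" "`; it needs to be `*free_ret = FALSE;`. In the same branch, `ret` came back from `expando_cumode()` with `*free_ret` possibly set, so the empty heap string being discarded should be `g_free()`d before returning the literal, otherwise it leaks on every evaluation.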
--
1.7.4.1
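As an added illustration of the `free_ret` ownership convention discussed above (this is example code, not irssi's): a small C model of an expando that hands back either a heap string or a static literal through an `int *free_ret` out-parameter, with the pre-fix behaviour beside a corrected version that releases the discarded heap string and clears the flag through the pointer. The tracking allocator and the names `tracked_free`, `expando_cumode_model`, `cumode_space_buggy`, `cumode_space_fixed` and `expand_and_release` are constructed for this demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the allocator: remembers the one outstanding
 * allocation so an invalid free is reported instead of crashing. */
static char *outstanding;

/* 1 on a valid free; 0 when p was never allocated (e.g. a string literal). */
static int tracked_free(void *p)
{
    if (p != outstanding) return 0;
    free(p); outstanding = NULL;
    return 1;
}

/* Inner expando: returns a heap copy (possibly "") and asks the caller to free it. */
static char *expando_cumode_model(const char *modes, int *free_ret)
{
    *free_ret = 1;
    return outstanding = strdup(modes);
}

/* Before the fix: swaps a static " " in for an empty mode string but leaves
 * *free_ret set, so the caller frees a literal; the heap "" also leaks. */
static char *cumode_space_buggy(const char *modes, int *free_ret)
{
    char *ret = expando_cumode_model(modes, free_ret);
    return *ret == '\0' ? " " : ret;
}

/* Fixed: free the discarded heap string, then clear the flag through the
 * pointer (*free_ret, not free_ret) before returning the literal. */
static char *cumode_space_fixed(const char *modes, int *free_ret)
{
    char *ret = expando_cumode_model(modes, free_ret);
    if (*ret != '\0') return ret;
    if (*free_ret)
        tracked_free(ret);
    *free_ret = 0;
    return " ";
}

/* Caller in the parse_special_string role: frees only when told to.
 * Returns 1 if no invalid free occurred, 0 if the flag was wrong. */
static int expand_and_release(char *(*expando)(const char *, int *), const char *modes)
{
    int free_ret = 0;
    char *s = expando(modes, &free_ret);
    return free_ret ? tracked_free(s) : 1;
}
```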
Can you confirm you're actually getting this problem with the latest trunk (r5203)? As this seems to be a duplicate of #669 which was fixed with commit r5203.
Duplicate of #669 and fixed in r5203
Duplicate of #669.
[Posted on behalf of Freenode/#irssi SnoFox, who can't get his account to work]
Under certain conditions, it is possible to crash irssi through the use of the $CUMODE_SPACE expando. For SnoFox, a segfault occurs.
On a debug build, I get the following error:
irssi(3274) malloc: *** error for object 0x1fa778: Non-aligned pointer being freed
Steps to reproduce:
There are various other triggers as well. Anything that causes the expando to reevaluate its contents will result in this behaviour, but this is the simplest I've been able to reduce it to.
Investigations are currently underway. Signs so far point to the free occurring somewhere in statusbar.c:statusbar_item_default_handler.
Backtrace:
Notes:
Confirmed reproducible by 2 people, both running 0.8.15 on Linux. (mine is latest git version, built with debugging)
I'll probably come back to this after I've finished poking around in gdb, but if anyone has any ideas, I'd love to hear them first.
Cheers,
Tom/Shabble.