irssi-import / bugs.irssi.org

bugs.irssi.org archive
https://github.com/irssi/irssi/issues

CUMODE_SPACE can segfault irssi when used in statusbar items. #795

Closed irssibot closed 13 years ago

irssibot commented 13 years ago

[Posted on behalf of Freenode/#irssi SnoFox, who can't get his account to work]

Under certain conditions, it is possible to crash irssi through the use of the $CUMODE_SPACE expando. For SnoFox, a segfault occurs.

On a debug build, I get the following error:

irssi(3274) malloc: *** error for object 0x1fa778: Non-aligned pointer being freed

Steps to reproduce:

There are various other triggers as well. Anything that causes the expando to reevaluate its contents will result in this behaviour, but this is the simplest I've been able to reduce it to.

Investigations are currently underway. Signs so far point to the free occurring somewhere in statusbar.c:statusbar_item_default_handler.

Backtrace:

Breakpoint 4, 0x929cb4a9 in malloc_error_break ()
(gdb) bt
#0  0x929cb4a9 in malloc_error_break ()
#1  0x929c6497 in szone_error ()
#2  0x928f0503 in szone_free ()
#3  0x928f036d in free ()
#4  0x00096c52 in parse_special_string (cmd=0x7b740d "e@$[.15]itemname) ", server=0x840600, item=0x7b7a20, data=0x1f4b74 "", arg_used=0x0, flags=<value temporarily unavailable, due to optimizations>) at special-vars.c:515
#5  0x0000e90b in statusbar_item_default_handler (item=0x73fb70, get_size_only=1, str=0x73fde7 "", data=0x1f4b74 "", escape_vars=1) at statusbar.c:699
#6  0x000103f7 in item_window_active (item=0x73fb70, get_size_only=1) at statusbar-items.c:49
#7  0x0000cd20 in statusbar_resize_items [inlined] () at statusbar.c:210
#8  0x0000cd20 in statusbar_calc_item_positions [inlined] () at statusbar.c:253
#9  0x0000cd20 in statusbar_redraw (bar=0x73ff40, force=1) at statusbar.c:331
#10 0x002eab81 in g_slist_foreach ()
#11 0x0000d037 in statusbar_redraw (bar=0x0, force=1) at statusbar.c:333
#12 0x00019589 in dirty_check () at irssi.c:128
#13 0x0001980f in main (argc=0, argv=0xbfffe320) at irssi.c:365

------

Notes:

Confirmed reproducible by 2 people, both running 0.8.15 on linux. (mine is latest git version, built with debugging)

I'll probably come back to this after I've finished poking around in gdb, but if anyone has any ideas, I'd love to hear them first.

Cheers,

Tom/Shabble.

irssibot commented 13 years ago

Additional notes:

The offending free is in core/special-vars.c:parse_special_string.

Specifically, line 515:

"if (need_free) g_free(ret);"

When the error messages are generated, need_free is true (obviously), and ret is a string containing a single space.

It appears to be because the need_free flag is being set incorrectly when ret contains a static string, hence the failure to free it.

The following patch unsets the flag for this specific condition. I'm not sure of the ultimate implications, but it seems nicer than having to dynamically allocate 2 bytes just so we can free them again properly.
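The ownership convention under discussion, as an added example that is not irssi's code: an expando returns a string and tells its caller through the out-parameter `*free_ret` whether that string is heap-allocated, and a caller such as `parse_special_string` frees only when the flag says so. The names below are hypothetical stand-ins for the real functions, and the inner expando is assumed to always return a heap copy so that the empty-string case can be exercised; the example shows the flag left stale (the pattern that makes `g_free` run on a string literal), an ineffective fix that assigns to the pointer instead of the flag, and the correct handling.

```c
#include <stdlib.h>

/* Added example, not irssi's code. Models the expando convention from the
 * report: the returned string is owned by the caller only when *free_ret
 * is set. Function names are hypothetical stand-ins. */

/* The one static string the wrapper substitutes, kept addressable so the
 * caller model below can recognise it. */
static char SPACE_LITERAL[] = " ";

/* Stand-in for expando_cumode(): assumed to always return a heap copy of
 * the mode character ("" when there is no mode) and to set *free_ret. */
static char *expando_cumode_model(char mode, int *free_ret)
{
    char *ret = malloc(2);
    if (ret == NULL)
        abort();
    ret[0] = mode;
    ret[1] = '\0';
    *free_ret = 1;                 /* caller owns this copy */
    return ret;
}

/* Shape of the original expando_cumode_space(): when the mode is empty it
 * hands back a static " " but leaves *free_ret as the inner call set it,
 * so a caller doing "if (need_free) g_free(ret)" frees a string literal. */
char *cumode_space_buggy(char mode, int *free_ret)
{
    char *ret = expando_cumode_model(mode, free_ret);
    return *ret == '\0' ? SPACE_LITERAL : ret;
}

/* A tempting but ineffective fix: assigning to the parameter itself only
 * nulls the local pointer; the caller's flag is untouched. */
char *cumode_space_pointer_mistake(char mode, int *free_ret)
{
    char *ret = expando_cumode_model(mode, free_ret);
    if (*ret == '\0') {
        free_ret = 0;              /* wrong: should be *free_ret = 0 */
        return SPACE_LITERAL;
    }
    return ret;
}

/* Correct handling: release the heap string being discarded, then tell the
 * caller through the pointer that the substitute must not be freed. */
char *cumode_space_fixed(char mode, int *free_ret)
{
    char *ret = expando_cumode_model(mode, free_ret);
    if (*ret == '\0') {
        if (*free_ret)
            free(ret);
        *free_ret = 0;
        return SPACE_LITERAL;
    }
    return ret;
}

/* Caller modelled on parse_special_string(): trust the flag. Returns 1 when
 * the flag would have led it to free the static literal (the crash the
 * report describes), 0 when the flag was consistent with the string. */
int flag_would_free_static(char *(*expando)(char, int *), char mode)
{
    int free_ret = 0;
    char *s = expando(mode, &free_ret);
    if (free_ret && s == SPACE_LITERAL)
        return 1;                  /* would call free() on static storage */
    if (free_ret)
        free(s);                   /* heap string, owned by us */
    return 0;
}
```

Run `flag_would_free_static` with each variant and an empty mode: the buggy and pointer-assignment versions report that the caller would free the literal, the fixed version does not. With a non-empty mode all three behave, which is why the bug only shows up when the expando re-evaluates to an empty mode.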

irssibot commented 13 years ago

fix-cumode_space.patch

From 35ddd45044388fe1f26e95c43ca0d8bcf30462fe Mon Sep 17 00:00:00 2001
From: Tom Feist <shabble@metavore.org>
Date: Sat, 19 Mar 2011 08:09:37 +0000
Subject: [PATCH] fix bug #795 by setting free_arg parameter correctly to false where the expando
 expansion is a static string.

---
 src/irc/core/irc-expandos.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/src/irc/core/irc-expandos.c b/src/irc/core/irc-expandos.c
index 0c0da64..df692cc 100644
--- a/src/irc/core/irc-expandos.c
+++ b/src/irc/core/irc-expandos.c
@@ -106,7 +106,13 @@ static char *expando_cumode_space(SERVER_REC *server, void *item, int *free_ret)
                 return "";

    ret = expando_cumode(server, item, free_ret);
-   return *ret == '\0' ? " " : ret;
+
+   if (*ret == '\0') {
+       free_ret = FALSE;
+       return " ";
+   } else {
+       return ret;
+   }
 }

 static void event_join(IRC_SERVER_REC *server, const char *data,
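Review bot: `free_ret = FALSE;` in the new `if (*ret == '\0')` branch assigns to the local pointer parameter (declared `int *free_ret` in the hunk header), not to the flag it points at, so the caller's flag is unchanged and the patch has no effect; it should be `*free_ret = FALSE;`. On that same path the `ret` returned by `expando_cumode()` is discarded without being freed when `*free_ret` was set, so add `if (*free_ret) g_free(ret);` before clearing the flag and returning `" "`.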
-- 
1.7.4.1

irssibot commented 13 years ago

Can you confirm you're actually getting this problem with the latest trunk (r5203)? As this seems to be a duplicate of #669 which was fixed with commit r5203.

irssibot commented 13 years ago

Duplicate of #669 and fixed in r5203

irssibot commented 13 years ago

Duplicate of #669.