View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0037409 | Lazarus | Widgetset | public | 2020-07-23 12:36 | 2020-07-25 09:24 |
| Reporter | Martin Friebe | Assigned To | Mattias Gaertner | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Platform | Linux | OS | Fedora | ||
| Product Version | 2.1 (SVN) | ||||
| Summary | 0037409: Dangling pointer access in TGtk2WidgetSet.CombineRgn | ||||
| Description | Just did a valgrind run of the IDE (startup only) and found this. (see below) It appears that TGtk2WidgetSet.CombineRgn is doing the following line 1834 DObj := {%H-}PGdiObject(Dest); DObj points to Dest line 1849 RGN_AND : D := PGDKRegion(gdk_region_intersect(S1, S2)); create a new region line 1865 if Assigned(DObj^.GDIRegionObject) then gdk_region_destroy(DObj^.GDIRegionObject); DObj^.GDIRegionObject := D; The newly created region is stored as part of DObj/Dest line 1872 DeleteObject(Dest); Dest := CreateEmptyRegion; Result := RegionType(D); Dest is deleted. According to the valgrind trace, that also frees "D" As a result "RegionType" is called with a dangling pointer. I have not invested more time into this, but I guess it should do if the "Result := RegionType(D);" is moved up 2 lines, before the DeleteObject? ==3401== Invalid read of size 8 ==3401== at 0x52933AB: gdk_region_empty (in /usr/lib64/libgdk-x11-2.0.so.0.2400.32) ==3401== by 0x668E5A: GTK2PROC_$$_REGIONTYPE$PGDKREGION$$LONGINT (gtk2proc.inc:1448) ==3401== by 0x4FB313: GTK2INT$_$TGTK2WIDGETSET_$__$$_COMBINERGN$HRGN$HRGN$HRGN$LONGINT$$LONGINT (gtk2winapi.inc:1874) ==3401== by 0x65DA12: INTERFACEBASE$_$TWIDGETSET_$__$$_RECTVISIBLE$HDC$TRECT$$BOOLEAN (intfbasewinapi.inc:1851) ==3401== by 0x506D10: GTK2INT$_$TGTK2WIDGETSET_$__$$_RECTVISIBLE$HDC$TRECT$$BOOLEAN (gtk2winapi.inc:7339) ==3401== by 0x5BC981: LCLINTF_$$_RECTVISIBLE$HDC$TRECT$$BOOLEAN (winapi.inc:795) ==3401== by 0x59823C: CONTROLS$_$TWINCONTROL_$__$$_PAINTCONTROLS$HDC$TCONTROL (wincontrol.inc:4945) ==3401== by 0x598059: CONTROLS$_$TWINCONTROL_$__$$_PAINTHANDLER$TLMPAINT (wincontrol.inc:4880) ==3401== by 0x59C6C9: CONTROLS$_$TWINCONTROL_$__$$_WMPAINT$TLMPAINT (wincontrol.inc:6850) ==3401== by 0x5B16DB: CONTROLS$_$TCUSTOMCONTROL_$__$$_WMPAINT$TLMPAINT (customcontrol.inc:98) ==3401== by 0x431ADE: SYSTEM$_$TOBJECT_$__$$_DISPATCH$formal (in /home/m/laz/lazgit/lazarus) ==3401== by 0x59951C: CONTROLS$_$TWINCONTROL_$__$$_WNDPROC$TLMESSAGE (wincontrol.inc:5429) ==3401== Address 0xd07aff8 is 8 bytes inside a block of size 40 free'd ==3401== at 0x4C2FDAC: free (vg_replace_malloc.c:530) ==3401== by 0x63BE4D1: g_free (in /usr/lib64/libglib-2.0.so.0.5600.1) ==3401== by 0x63D6723: g_slice_free1 (in /usr/lib64/libglib-2.0.so.0.5600.1) ==3401== by 0x4F576E: GTK2INT$_$TGTK2WIDGETSET_$__$$_RELEASEGDIOBJECT$PGDIOBJECT$$BOOLEAN (gtk2widgetset.inc:5755) ==3401== by 0x4FB3B6: GTK2INT$_$TGTK2WIDGETSET_$__$$_DELETEOBJECT$HGDIOBJ$$BOOLEAN (gtk2winapi.inc:1941) ==3401== by 0x4FB2F5: GTK2INT$_$TGTK2WIDGETSET_$__$$_COMBINERGN$HRGN$HRGN$HRGN$LONGINT$$LONGINT (gtk2winapi.inc:1872) ==3401== by 0x65DA12: INTERFACEBASE$_$TWIDGETSET_$__$$_RECTVISIBLE$HDC$TRECT$$BOOLEAN (intfbasewinapi.inc:1851) ==3401== by 0x506D10: GTK2INT$_$TGTK2WIDGETSET_$__$$_RECTVISIBLE$HDC$TRECT$$BOOLEAN (gtk2winapi.inc:7339) ==3401== by 0x5BC981: LCLINTF_$$_RECTVISIBLE$HDC$TRECT$$BOOLEAN (winapi.inc:795) ==3401== by 0x59823C: CONTROLS$_$TWINCONTROL_$__$$_PAINTCONTROLS$HDC$TCONTROL (wincontrol.inc:4945) ==3401== by 0x598059: CONTROLS$_$TWINCONTROL_$__$$_PAINTHANDLER$TLMPAINT (wincontrol.inc:4880) ==3401== by 0x59C6C9: CONTROLS$_$TWINCONTROL_$__$$_WMPAINT$TLMPAINT (wincontrol.inc:6850) ==3401== Block was alloc'd at ==3401== at 0x4C2EBAB: malloc (vg_replace_malloc.c:299) ==3401== by 0x63BE3C5: g_malloc (in /usr/lib64/libglib-2.0.so.0.5600.1) ==3401== by 0x63D5FF6: g_slice_alloc (in /usr/lib64/libglib-2.0.so.0.5600.1) ==3401== by 0x5292931: gdk_region_new (in /usr/lib64/libgdk-x11-2.0.so.0.2400.32) ==3401== by 0x5292AA6: gdk_region_copy (in /usr/lib64/libgdk-x11-2.0.so.0.2400.32) ==3401== by 0x664FBC: GTK2PROC_$$_GDK_REGION_INTERSECT$PGDKREGION$PGDKREGION$$PGDKREGION (gtk2proc.inc:161) ==3401== by 0x4FB229: GTK2INT$_$TGTK2WIDGETSET_$__$$_COMBINERGN$HRGN$HRGN$HRGN$LONGINT$$LONGINT (gtk2winapi.inc:1849) ==3401== by 0x65DA12: INTERFACEBASE$_$TWIDGETSET_$__$$_RECTVISIBLE$HDC$TRECT$$BOOLEAN (intfbasewinapi.inc:1851) ==3401== by 0x506D10: GTK2INT$_$TGTK2WIDGETSET_$__$$_RECTVISIBLE$HDC$TRECT$$BOOLEAN (gtk2winapi.inc:7339) ==3401== by 0x5BC981: LCLINTF_$$_RECTVISIBLE$HDC$TRECT$$BOOLEAN (winapi.inc:795) ==3401== by 0x59823C: CONTROLS$_$TWINCONTROL_$__$$_PAINTCONTROLS$HDC$TCONTROL (wincontrol.inc:4945) ==3401== by 0x598059: CONTROLS$_$TWINCONTROL_$__$$_PAINTHANDLER$TLMPAINT (wincontrol.inc:4880) ==3401== | ||||
| Tags | No tags attached. | ||||
| Fixed in Revision | 63635. | ||||
| LazTarget | - | ||||
| Widgetset | GTK 2 | ||||
| Attached Files |
| ||||
| related to | 0037219 | closed | Juha Manninen | GTK2: TextRect and regions |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2020-07-23 12:36 | Martin Friebe | New Issue | |
| 2020-07-23 18:27 | Mattias Gaertner | Assigned To | => Mattias Gaertner |
| 2020-07-23 18:27 | Mattias Gaertner | Status | new => resolved |
| 2020-07-23 18:27 | Mattias Gaertner | Resolution | open => fixed |
| 2020-07-23 18:27 | Mattias Gaertner | Fixed in Revision | => 63635. |
| 2020-07-23 18:27 | Mattias Gaertner | LazTarget | => - |
| 2020-07-23 18:27 | Mattias Gaertner | Widgetset | GTK 2 => GTK 2 |
| 2020-07-25 09:24 | Juha Manninen | Relationship added | related to 0037219 |
