
Nullpointer dereference when freeing message media after fetching complete history

Open majn opened this issue 10 years ago • 2 comments

How to reproduce

  1. Call tgl_do_get_difference and set the flag to sync from start.
  2. Load every single received message photo
  3. Call tgl_free_all()

This will cause a nullpointer dereference in libtgl:

    (lldb) bt
    thread #1: tid = 0x440cf0, 0x000000010e127dbb telegram-adium`tgls_free_photo(TLS=0x0000000102804200, P=0x0000000000000000) + 27 at structures.c:1702, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10)
    frame #0: 0x000000010e127dbb telegram-adium`tgls_free_photo(TLS=0x0000000102804200, P=0x0000000000000000) + 27 at structures.c:1702
    frame #1: 0x000000010e1283be telegram-adium`tgls_free_message_media(TLS=<unavailable>, M=0x0000608001530e64) + 78 at structures.c:1757
    frame #2: 0x000000010e12889d telegram-adium`tgls_free_message [inlined] tgls_clear_message(M=<unavailable>) + 77 at structures.c:1841
    frame #3: 0x000000010e128860 telegram-adium`tgls_free_message(TLS=<unavailable>, M=0x0000608001530e00) + 16 at structures.c:1858
    frame #4: 0x000000010e129428 telegram-adium`tree_act_ex_message(T=0x0000608001035040, act=0x000000010e129e30, extra=0x0000000102804200) + 56 at structures.c:85
    frame #5: 0x000000010e12941e telegram-adium`tree_act_ex_message(T=0x00006080010350c0, act=0x000000010e129e30, extra=0x0000000102804200) + 46 at structures.c:85
    frame #6: 0x000000010e12941e telegram-adium`tree_act_ex_message(T=0x0000608001035120, act=0x000000010e129e30, extra=0x0000000102804200) + 46 at structures.c:85
    frame #7: 0x000000010e12941e telegram-adium`tree_act_ex_message(T=0x0000608001035260, act=0x000000010e129e30, extra=0x0000000102804200) + 46 at structures.c:85
    frame #8: 0x000000010e12941e telegram-adium`tree_act_ex_message(T=0x00006080010354e0, act=0x000000010e129e30, extra=0x0000000102804200) + 46 at structures.c:85
    frame #9: 0x000000010e12941e telegram-adium`tree_act_ex_message(T=0x00006080010355c0, act=0x000000010e129e30, extra=0x0000000102804200) + 46 at structures.c:85
    frame #10: 0x000000010e12941e telegram-adium`tree_act_ex_message(T=0x000060800043be00, act=0x000000010e129e30, extra=0x0000000102804200) + 46 at structures.c:85
    frame #11: 0x000000010e12941e telegram-adium`tree_act_ex_message(T=0x0000608001239a80, act=0x000000010e129e30, extra=0x0000000102804200) + 46 at structures.c:85
    frame #12: 0x000000010e129ebe telegram-adium`tgl_free_all(TLS=0x0000000102804200) + 110 at structures.c:2202
    frame #13: 0x000000010e10a53e telegram-adium`connection_data_free(conn=0x00006080002c02a0) + 222 at tgp-structs.c:118
    frame #14: 0x000000010e0ee303 telegram-adium`tgprpl_close(gc=0x00006080002a0f00) + 51 at telegram-purple.c:609
    frame #15: 0x00000001007fbda6 libpurple`_purple_connection_destroy + 240
    frame #16: 0x00000001007e9cb2 libpurple`purple_account_disconnect + 168
    frame #17: 0x000000010041bee4 AdiumLibpurple`-[CBPurpleAccount disconnect] + 146
    frame #18: 0x000000010041c777 AdiumLibpurple`-[CBPurpleAccount updateStatusForKey:] + 50
    frame #19: 0x000000010041eefe AdiumLibpurple`-[CBPurpleAccount preferencesChangedForGroup:key:object:preferenceDict:firstTime:] + 94
    frame #20: 0x00000001000f3d00 Adium`___lldb_unnamed_function3759$$Adium + 394
    frame #21: 0x000000010011993d Adium`___lldb_unnamed_function4361$$Adium + 308
    frame #22: 0x00000001004db187 Adium`-[AIAccount(Abstract) setShouldBeOnline:] + 70
    frame #23: 0x00000001000ecda8 Adium`___lldb_unnamed_function3671$$Adium + 706
    frame #24: 0x00007fff8df6a7bc CoreFoundation`__invoking___ + 140
    frame #25: 0x00007fff8df6a612 CoreFoundation`-[NSInvocation invoke] + 290
    frame #26: 0x00007fff8e00a5c6 CoreFoundation`-[NSInvocation invokeWithTarget:] + 54
    frame #27: 0x00007fff983d04eb Foundation`__NSFireDelayedPerform + 364
    frame #28: 0x00007fff8dfe62e4 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
    frame #29: 0x00007fff8dfe5f73 CoreFoundation`__CFRunLoopDoTimer + 1059
    frame #30: 0x00007fff8e05953d CoreFoundation`__CFRunLoopDoTimers + 301
    frame #31: 0x00007fff8dfa1608 CoreFoundation`__CFRunLoopRun + 2024
    frame #32: 0x00007fff8dfa0bd8 CoreFoundation`CFRunLoopRunSpecific + 296
    frame #33: 0x00007fff8a7aa56f HIToolbox`RunCurrentEventLoopInMode + 235
    frame #34: 0x00007fff8a7aa1ee HIToolbox`ReceiveNextEventCommon + 179
    frame #35: 0x00007fff8a7aa12b HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
    frame #36: 0x00007fff8c9048ab AppKit`_DPSNextEvent + 978
    frame #37: 0x00007fff8c903e58 AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 346
    frame #38: 0x00007fff8c8f9af3 AppKit`-[NSApplication run] + 594
    frame #39: 0x00007fff8c876244 AppKit`NSApplicationMain + 1832
    frame #40: 0x0000000100002584 Adium`___lldb_unnamed_function1$$Adium + 52

Using libtgl in my project on commit https://github.com/majn/telegram-purple/commit/1004a4005d04e6bf41c255fc2fc54a07ede1b006, the libtgl version is my own modified branch including my recent pull request https://github.com/majn/tgl/commit/126b42c6d281841acc541735e845d94c54298f46, although the changes don't seem to affect this issue.

majn avatar Sep 13 '15 14:09 majn
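The crash frames above (tgls_free_message_media calling tgls_free_photo with P=0x0 and faulting at address 0x10) describe a media record whose type still says photo while its photo pointer is NULL. The constructed C model below is an added illustration, not code from libtgl or telegram-purple: it reproduces that shape, places the hardened NULL-tolerant free beside the failing one, and makes the media free idempotent so a free-all walk cannot double free; all struct names, fields and offsets are assumptions.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the ownership chain (message media -> photo); not
 * libtgl's code. On an LP64 target the field the free path touches first
 * sits at offset 0x10, the faulting address in the backtrace when P is NULL. */
enum media_type { MEDIA_NONE = 0, MEDIA_PHOTO = 1 };

struct photo {
    long id;           /* offset 0x00 */
    long access_hash;  /* offset 0x08 */
    char *caption;     /* offset 0x10 */
};
struct message_media {
    enum media_type type;
    struct photo *photo;  /* can be NULL even when type == MEDIA_PHOTO */
};

/* Before: the failing shape. P is dereferenced without a check, so a media
 * record typed as a photo but holding a NULL pointer faults on P->caption. */
void free_photo_unchecked(struct photo *P) {
    free(P->caption);  /* P == NULL: read at address 0x10 */
    free(P);
}

/* After: tolerate NULL and report what was released, so the caller can
 * still account for every object it owns. */
int free_photo_checked(struct photo *P) {
    if (!P) return 0;
    free(P->caption);
    free(P);
    return 1;
}

/* Frees what the media record owns and resets it, so a second visit by a
 * free_all-style tree walk is a no-op rather than a double free.
 * Returns the number of photos released (0 or 1). */
int free_message_media(struct message_media *M) {
    int freed = 0;
    if (M->type == MEDIA_PHOTO) freed = free_photo_checked(M->photo);
    M->photo = NULL;
    M->type = MEDIA_NONE;
    return freed;
}

/* Builds a photo-typed media record with a constructed caption. */
struct message_media make_photo_media(const char *caption) {
    struct message_media M = { MEDIA_PHOTO, calloc(1, sizeof *M.photo) };
    M.photo->caption = malloc(strlen(caption) + 1);
    strcpy(M.photo->caption, caption);
    return M;
}
```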

Fix is pushed on master

majn avatar Feb 27 '16 17:02 majn

Sorry, it's only fixed in telegram-purple, I didn't notice that this issue was on a different repository. :P

majn avatar Feb 27 '16 18:02 majn