gnome: copying name or number in the history view results in ASAN use after free detection
Issue generated from Tuleap's migration script. Originally submitted by: Stepan Salenikovich (ssalenik)
```
=================================================================
==13413==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000acd558 at pc 0x7ffff6ed966b bp 0x7fffffffd130 sp 0x7fffffffc8d8
READ of size 18 at 0x606000acd558 thread T0
    #0 0x7ffff6ed966a in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7066a)
    #1 0x7ffff68e3137 in gtk_clipboard_set_text (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x36a137)
    #2 0x510f07 in copy_number /home/ssalenikovich/projects/ring-client-gnome/src/historyview.cpp:168
    #3 0x7ffff555e014 in g_closure_invoke (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10014)
    #4 0x7ffff5570060 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x22060)
    #5 0x7ffff5578dfb in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2adfb)
    #6 0x7ffff557912e in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2b12e)
    #7 0x7ffff68bb29d in gtk_widget_activate (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x34229d)
    #8 0x7ffff67a0735 in gtk_menu_shell_activate_item (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x227735)
    #9 0x7ffff67a0a63 (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x227a63)
    #10 0x7ffff6782379 (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x209379)
    #11 0x7ffff555e243 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10243)
    #12 0x7ffff5578557 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a557)
    #13 0x7ffff557912e in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2b12e)
    #14 0x7ffff68bc283 (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x343283)
    #15 0x7ffff677f81d (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x20681d)
    #16 0x7ffff67814cd in gtk_main_do_event (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x2084cd)
    #17 0x7ffff62fd321 (/usr/lib/x86_64-linux-gnu/libgdk-3.so.0+0x58321)
    #18 0x7ffff5288ff6 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49ff6)
    #19 0x7ffff528924f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a24f)
    #20 0x7ffff52892fb in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a2fb)
    #21 0x7ffff584aafb in g_application_run (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0xa9afb)
    #22 0x4bcbf3 in main /home/ssalenikovich/projects/ring-client-gnome/src/main.cpp:34
    #23 0x7ffff2af5a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #24 0x4bca48 in _start (/home/ssalenikovich/projects/ring-client-gnome/build/gnome-ring+0x4bca48)

0x606000acd558 is located 24 bytes inside of 64-byte region [0x606000acd540,0x606000acd580)
freed by thread T0 here:
    #0 0x7ffff6f016aa in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x986aa)
    #1 0x510e96 in QTypedArrayData<char>::deallocate(QArrayData*) /usr/include/x86_64-linux-gnu/qt5/QtCore/qarraydata.h:222
    #2 0x510e96 in QByteArray::~QByteArray() /usr/include/x86_64-linux-gnu/qt5/QtCore/qbytearray.h:431
    #3 0x510e96 in copy_number /home/ssalenikovich/projects/ring-client-gnome/src/historyview.cpp:167
    #4 0x7ffff555e014 in g_closure_invoke (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10014)

previously allocated by thread T0 here:
    #0 0x7ffff6f01d2a in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98d2a)
    #1 0x7ffff37e619a in QByteArray::reallocData(unsigned int, QFlags<QArrayData::AllocationOption>) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa619a)
    #2 0x7ffff527747a (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3847a)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c0c80151a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80151a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80151a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80151a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80151a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c80151aa0: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd
  0x0c0c80151ab0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c80151ac0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c80151ad0: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c80151ae0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c80151af0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==13413==ABORTING
```