Bug#649032: NMU for 649032: access to deleted object in slot_rep::notify()

Fri, 02 Dec 2011 16:39:30 -0800 

tags 649032 + patch pending
thanks

Hi Daniel,

as I haven't heard back from you I prepared a NMU which cherry-picks the
fix for the bug which makes the glibmm test suite fail.

The debdiff is attached.

I've uploaded to DELAYED/2. Please let me now if I should delay it
further or if I should cancel it for other reasons.

To keep the NMU minimal, I decided against uploading 2.2.10, so I
retitled this bug report accordingly.

Whould still be nice to have 2.2.10 in the archive, as glibmm 2.30.1
will require that.

Regards,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

diff -Nru libsigc++-2.0-2.2.9/debian/changelog libsigc++-2.0-2.2.9/debian/changelog
--- libsigc++-2.0-2.2.9/debian/changelog	2011-04-06 17:49:24.000000000 +0200
+++ libsigc++-2.0-2.2.9/debian/changelog	2011-12-03 01:11:06.000000000 +0100
@@ -1,3 +1,11 @@
+libsigc++-2.0 (2.2.9-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Avoid access to deleted object in slot_rep::notify(). (Closes: #649032)
+    Patch cherry-picked from upstream Git.
+
+ -- Michael Biebl <bi...@debian.org>  Sat, 03 Dec 2011 01:05:26 +0100
+
 libsigc++-2.0 (2.2.9-1) unstable; urgency=low
 
   * New upstream release. (Closes: #578048)
diff -Nru libsigc++-2.0-2.2.9/debian/patches/0002-slot_rep-Avoid-access-to-deleted-object-in-notify.patch libsigc++-2.0-2.2.9/debian/patches/0002-slot_rep-Avoid-access-to-deleted-object-in-notify.patch
--- libsigc++-2.0-2.2.9/debian/patches/0002-slot_rep-Avoid-access-to-deleted-object-in-notify.patch	1970-01-01 01:00:00.000000000 +0100
+++ libsigc++-2.0-2.2.9/debian/patches/0002-slot_rep-Avoid-access-to-deleted-object-in-notify.patch	2011-12-03 01:04:58.000000000 +0100
@@ -0,0 +1,68 @@
+commit ad1bce5b0ad1caeee5c499b3a80d3455e326b63c
+Author: Kjell Ahlstedt <kjell.ahlst...@bredband.net>
+Date:   Thu Jul 14 16:40:16 2011 +0200
+
+    slot_rep: Avoid access to deleted object in notify().
+    
+    * sigc++/functors/slot_base.cc: slot_rep::notify() calls disconnect() before
+    destroy(). If disconnect() has deleted the slot_rep object, destroy() is not
+    called. Bug #564005.
+
+diff --git a/ChangeLog b/ChangeLog
+index dbf622c..56984e3 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,11 @@
++2011-07-14  Kjell Ahlstedt  <kjell.ahlst...@bredband.net>
++
++	slot_rep: Avoid access to deleted object in notify().
++
++	* sigc++/functors/slot_base.cc: slot_rep::notify() calls disconnect() before
++	destroy(). If disconnect() has deleted the slot_rep object, destroy() is not
++	called. Bug #564005.
++
+ 2.2.9:
+ 
+ 2011-02-22  Kjell Ahlstedt  <kjell.ahlst...@bredband.net>
+diff --git a/sigc++/functors/slot_base.cc b/sigc++/functors/slot_base.cc
+index 896276b..3f1de0b 100644
+--- a/sigc++/functors/slot_base.cc
++++ b/sigc++/functors/slot_base.cc
+@@ -56,12 +56,35 @@ void slot_rep::disconnect()
+ //static
+ void* slot_rep::notify(void* data)
+ {
++  struct destroy_notify_struct
++  {
++    destroy_notify_struct() : deleted_(false) { }
++
++    static void* notify(void* data)
++    {
++      destroy_notify_struct* self_ = reinterpret_cast<destroy_notify_struct*>(data);
++      self_->deleted_ = true;
++      return 0;
++    }
++
++    bool deleted_;
++  };
++
+   slot_rep* self_ = reinterpret_cast<slot_rep*>(data);
+ 
+   self_->call_ = 0; // Invalidate the slot.
+-  self_->destroy(); // Detach the stored functor from the other referred trackables and destroy it.
++  
++  // Make sure we are notified if disconnect() deletes self_, which is trackable.
++  destroy_notify_struct notifier;
++  self_->add_destroy_notify_callback(&notifier, destroy_notify_struct::notify);
+   self_->disconnect(); // Disconnect the slot (might lead to deletion of self_!).
+-
++  // If self_ has been deleted, the destructor has called destroy().
++  if (!notifier.deleted_)
++  {
++    self_->remove_destroy_notify_callback(&notifier);
++    self_->destroy(); // Detach the stored functor from the other referred trackables and destroy it.
++                      // destroy() might lead to deletion of self_. Bug #564005.
++  }
+   return 0;
+ }
+ 
diff -Nru libsigc++-2.0-2.2.9/debian/patches/series libsigc++-2.0-2.2.9/debian/patches/series
--- libsigc++-2.0-2.2.9/debian/patches/series	2011-04-06 16:56:18.000000000 +0200
+++ libsigc++-2.0-2.2.9/debian/patches/series	2011-12-03 01:05:05.000000000 +0100
@@ -1 +1,2 @@
 0001-Comment-out-a-backwards-compatibility-typedef.patch
+0002-slot_rep-Avoid-access-to-deleted-object-in-notify.patch

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to