From brooks@minya.sea.one-eyed-alien.net  Tue Dec  4 11:58:37 2001
Return-Path: <brooks@minya.sea.one-eyed-alien.net>
Received: from minya.sea.one-eyed-alien.net (minya.sea.one-eyed-alien.net [64.81.187.51])
	by hub.freebsd.org (Postfix) with ESMTP id 9998A37B41B
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  4 Dec 2001 11:58:21 -0800 (PST)
Received: (from brooks@localhost)
	by minya.sea.one-eyed-alien.net (8.11.6/8.11.5) id fB4Jur699011;
	Tue, 4 Dec 2001 11:56:53 -0800 (PST)
	(envelope-from brooks)
Message-Id: <200112041956.fB4Jur699011@minya.sea.one-eyed-alien.net>
Date: Tue, 4 Dec 2001 11:56:53 -0800 (PST)
From: Brooks Davis <brooks@one-eyed-alien.net>
Reply-To: Brooks Davis <brooks@one-eyed-alien.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: www/flashplugin-mozilla has malloc bug
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         32508
>Category:       ports
>Synopsis:       www/flashplugin-mozilla has malloc bug
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 04 12:00:01 PST 2001
>Closed-Date:    Sat Feb 28 07:01:17 PST 2004
>Last-Modified:  Sat Feb 28 07:01:17 PST 2004
>Originator:     Brooks Davis
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD minya.sea.one-eyed-alien.net 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Wed Nov 28 17:34:51 PST 2001 root@minya.sea.one-eyed-alien.net:/usr/obj/usr/src/sys/MINYA i386


>Description:

When leaving a page with flash on it, mozilla with the
flashplugin-mozilla port installed dumps core.  The issue appears to be
a double free() which is fatal due to -current specifying A as a default
malloc option.

>How-To-Repeat:
	Set the 'A' option to malloc, install flashplugin-mozilla and
	view a page with flash on it.  Closing a window with a flash
	entity on it always generates the error though hitting back
	seems a bit hit or miss.

>Fix:

Unknown.  As a workaround I modified /usr/X11R6/bin/mozilla to:

#!/bin/sh
#
# $FreeBSD: ports/www/mozilla/files/mozilla.sh,v 1.3 2001/07/18 07:44:50 sobomax Exp $

cd /usr/X11R6/lib/mozilla
# Workaround: 'a' turns off the default 'A' option (abort on malloc errors
# such as a double free) and 'j' turns off junk-filling of freed memory.
MALLOC_OPTIONS="aj" exec ./mozilla "$@"

-- Brooks
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports->sobomax 
Responsible-Changed-By: pat 
Responsible-Changed-When: Wed Dec 5 15:40:16 PST 2001 
Responsible-Changed-Why:  
Over to sobomax 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32508 
Responsible-Changed-From-To: sobomax->freebsd-ports 
Responsible-Changed-By: sobomax 
Responsible-Changed-When: Mon Feb 18 00:22:21 PST 2002 
Responsible-Changed-Why:  
I'm not a maintainer of flashplugin-mozilla. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32508 

From: Keith <freebsd.dev@blueyonder.co.uk>
To: freebsd-gnats-submit@FreeBSD.org, brooks@one-eyed-alien.net
Cc:  
Subject: Re: ports/32508: [PATCH] www/flashplugin-mozilla has malloc bug
Date: Tue, 31 Dec 2002 15:23:29 +0000

 Hi,
 
 I did a bit more investigation of this under -CURRENT, and it appears
 that when the plugin's destructor is called, a bus error occurs when it
 calls XtRemoveEventHandler(). I can only assume this is because Mozilla
 has already blown away the frame to which the widget refers, so it's too
 late to try to remove the event handler.
 
 The simplest workaround is to remove the XtRemoveEventHandler() call, as
 shown in the attached replacement for patch-plugin.c, on the grounds
 that the call isn't doing any good anyway. In the longer term, someone
 with some knowledge of Mozilla and the X toolkit might want to take a
 closer look at this and figure out what's really going on! ;)
 
 Keith
 
 
 --- plugin.c.orig	Mon Jun 12 09:24:09 2000
 +++ plugin.c	Tue Dec 31 15:16:31 2002
 @@ -193,12 +193,19 @@
  			XSync(This->dpy,False);
  			XFreePixmap(This->dpy, This->canvas);
  			shmdt(This->segInfo.shmaddr);
 +#ifndef linux
 +			{
 +				struct shmid_ds buf;
 +
 +			if (shmctl(This->segInfo.shmid, IPC_RMID, &buf) < 0) {
 +				perror("shmctl");
 +				}
 +			}
 +#endif
  
  			FlashClose(This->fh);
  			This->fh = 0;
  		}
 -		XtRemoveEventHandler(This->widget, FLASH_XEVENT_MASK,
 -				  True, (XtEventHandler) flashEvent, (XtPointer)This);
  
  		prev = 0;
  		for(l = This->loading; l; prev = l, l = l->next) {
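Review bot: the XtRemoveEventHandler() call is dropped unconditionally, which leaves the handler registered on any widget that is still alive when this teardown path runs; if the diagnosis in the cover message is right (Mozilla has already destroyed the frame), a safer change is to move the call to a point before the frame is torn down, or to skip it only when the widget is known to be invalid, rather than delete it outright. Separately, the new shmctl(This->segInfo.shmid, IPC_RMID, &buf) block is not mentioned in the cover message and deserves a sentence on why it is needed and why it is guarded with #ifndef linux; its indentation is also inconsistent, with `struct shmid_ds buf;` one level deeper than the `if` that follows it and the `if` body's closing brace over-indented.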
 

From: Kris Kennaway <kris@obsecurity.org>
To: freebsd-gnats-submit@FreeBSD.org, brooks@one-eyed-alien.net
Cc:  
Subject: Re: ports/32508
Date: Mon, 3 Mar 2003 23:11:56 -0800

 Has anyone taken this up with the developers?  It's not usually the
 job of FreeBSD ports committers to fix bugs in the ported software.
 
 Kris
 
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Tue Jan 6 09:13:12 PST 2004 
State-Changed-Why:  
Note that I've asked the submitter for feedback, and also copied 
the maintainer (who might never have seen the initial PR). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=32508 

From: Brooks Davis <brooks@one-eyed-alien.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: ports/32508: www/flashplugin-mozilla has malloc bug
Date: Mon, 26 Jan 2004 15:23:05 -0800

 I'm not seeing a double free error, but it's still crashing when you
 leave a page.  Since linuxpluginwrapper works, I'm not all that
 concerned these days.
 
 -- Brooks
State-Changed-From-To: feedback->closed 
State-Changed-By: pav 
State-Changed-When: Sat Feb 28 07:00:50 PST 2004 
State-Changed-Why:  
Close this ancient PR. Submitter has already moved 
to different software. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=32508 
>Unformatted:
