S3_1 gtk4 heap-use-after-free
freeciv version:
commit cafcd4dc3bb719103e30f80d65ff58c90efdebb9 (HEAD -> S3_1, upstream/S3_1)'''
==522926==ERROR: AddressSanitizer: heap-use-after-free on address 0x606001b82ea0 at pc 0x55b4e8caf048 bp 0x7ffd9391b0c0 sp 0x7ffd9391b0b0 READ of size 8 at 0x606001b82ea0 thread T0 #0 0x55b4e8caf047 in gui_dialog_destroy_handler /home/michael/usr/src/freeciv/client/gui-gtk-4.0/gui_stuff.c:309 #1 0x7fdca46336bf in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x146bf) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #2 0x7fdca4661a35 (/usr/lib/libgobject-2.0.so.0+0x42a35) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #3 0x7fdca4652a41 (/usr/lib/libgobject-2.0.so.0+0x33a41) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #4 0x7fdca4652c76 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x33c76) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #5 0x7fdca4652d33 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x33d33) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #6 0x7fdca406e458 (/usr/lib/libgtk-4.so.1+0x26e458) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #7 0x7fdca46417e2 in g_object_unref (/usr/lib/libgobject-2.0.so.0+0x227e2) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #8 0x7fdca407b722 (/usr/lib/libgtk-4.so.1+0x27b722) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #9 0x7fdca4062e70 (/usr/lib/libgtk-4.so.1+0x262e70) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #10 0x7fdca40655b8 (/usr/lib/libgtk-4.so.1+0x2655b8) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #11 0x7fdca4077573 (/usr/lib/libgtk-4.so.1+0x277573) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #12 0x7fdca4077573 (/usr/lib/libgtk-4.so.1+0x277573) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #13 0x7fdca4077573 (/usr/lib/libgtk-4.so.1+0x277573) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #14 0x7fdca3fa6d6c (/usr/lib/libgtk-4.so.1+0x1a6d6c) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #15 0x7fdca46336bf in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x146bf) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #16 0x7fdca46620e9 (/usr/lib/libgobject-2.0.so.0+0x430e9) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #17 0x7fdca4652a41 (/usr/lib/libgobject-2.0.so.0+0x33a41) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #18 0x7fdca4652c76 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x33c76) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #19 0x7fdca4652d33 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x33d33) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #20 0x7fdca3fa38c3 (/usr/lib/libgtk-4.so.1+0x1a38c3) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #21 0x55b4e8cafad4 in gui_dialog_destroy /home/michael/usr/src/freeciv/client/gui-gtk-4.0/gui_stuff.c:883 #22 0x55b4e8c71a3d in diplomacy_main_destroy /home/michael/usr/src/freeciv/client/gui-gtk-4.0/diplodlg.c:632 #23 0x55b4e8c71a3d in diplomacy_destroy /home/michael/usr/src/freeciv/client/gui-gtk-4.0/diplodlg.c:690 #24 0x55b4e8c7665d in close_diplomacy_dialog /home/michael/usr/src/freeciv/client/gui-gtk-4.0/diplodlg.c:1232 #25 0x55b4e8c7665d in handle_diplomacy_cancel_meeting /home/michael/usr/src/freeciv/client/gui-gtk-4.0/diplodlg.c:168 #26 0x55b4e8b7e0b9 in client_handle_packet /home/michael/usr/src/freeciv/client/packhand_gen.c:242 #27 0x55b4e8a79ab6 in client_packet_input /home/michael/usr/src/freeciv/client/client_main.c:792 #28 0x55b4e8a90c40 in input_from_server /home/michael/usr/src/freeciv/client/clinet.c:420 #29 0x55b4e8a6d6d5 in get_net_input /home/michael/usr/src/freeciv/client/gui-gtk-4.0/gui_main.c:2210 #30 0x7fdca3b34f18 (/usr/lib/libglib-2.0.so.0+0x59f18) (BuildId: 83fcea20d7e17c3e243c56bbfa4d3743106f38f8) #31 0x7fdca3b932b6 (/usr/lib/libglib-2.0.so.0+0xb82b6) (BuildId: 83fcea20d7e17c3e243c56bbfa4d3743106f38f8) #32 0x7fdca3b33111 in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x58111) (BuildId: 83fcea20d7e17c3e243c56bbfa4d3743106f38f8) #33 0x7fdca3d06af5 in g_application_run (/usr/lib/libgio-2.0.so.0+0xdfaf5) (BuildId: c1d76a967ca95a1486c789b33f8338587ff9e394) #34 0x55b4e8a70431 in ui_main /home/michael/usr/src/freeciv/client/gui-gtk-4.0/gui_main.c:1860 #35 0x55b4e8a7cb64 in client_main /home/michael/usr/src/freeciv/client/client_main.c:703 #36 0x55b4e8a6feb9 in main /home/michael/usr/src/freeciv/client/gui-gtk-4.0/gui_main.c:1672 #37 0x7fdca3245ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #38 0x7fdca3245d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #39 0x55b4e8a6d044 in _start (/home/michael/opt/freeciv-3.1-20231005/bin/freeciv-gtk4+0xa21044) (BuildId: ec3779dfe108f334e64fc47a65ec56f688d0c1f2) 0x606001b82ea0 is located 32 bytes inside of 64-byte region [0x606001b82e80,0x606001b82ec0) freed by thread T0 here: #0 0x7fdca72dfdb2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52 #1 0x55b4e8c7188d in diplomacy_destroy /home/michael/usr/src/freeciv/client/gui-gtk-4.0/diplodlg.c:676 previously allocated by thread T0 here: #0 0x7fdca72e1359 in __interceptor_malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69 #1 0x55b4e9166ca0 in fc_real_malloc /home/michael/usr/src/freeciv/utility/mem.c:89
All gtk-clients in all branches affected - attached patch for S2_6 too.
freeciv version:
==522926==ERROR: AddressSanitizer: heap-use-after-free on address 0x606001b82ea0 at pc 0x55b4e8caf048 bp 0x7ffd9391b0c0 sp 0x7ffd9391b0b0 READ of size 8 at 0x606001b82ea0 thread T0 #0 0x55b4e8caf047 in gui_dialog_destroy_handler /home/michael/usr/src/freeciv/client/gui-gtk-4.0/gui_stuff.c:309 #1 0x7fdca46336bf in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x146bf) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #2 0x7fdca4661a35 (/usr/lib/libgobject-2.0.so.0+0x42a35) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #3 0x7fdca4652a41 (/usr/lib/libgobject-2.0.so.0+0x33a41) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #4 0x7fdca4652c76 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x33c76) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #5 0x7fdca4652d33 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x33d33) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #6 0x7fdca406e458 (/usr/lib/libgtk-4.so.1+0x26e458) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #7 0x7fdca46417e2 in g_object_unref (/usr/lib/libgobject-2.0.so.0+0x227e2) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #8 0x7fdca407b722 (/usr/lib/libgtk-4.so.1+0x27b722) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #9 0x7fdca4062e70 (/usr/lib/libgtk-4.so.1+0x262e70) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #10 0x7fdca40655b8 (/usr/lib/libgtk-4.so.1+0x2655b8) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #11 0x7fdca4077573 (/usr/lib/libgtk-4.so.1+0x277573) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #12 0x7fdca4077573 (/usr/lib/libgtk-4.so.1+0x277573) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #13 0x7fdca4077573 (/usr/lib/libgtk-4.so.1+0x277573) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #14 0x7fdca3fa6d6c (/usr/lib/libgtk-4.so.1+0x1a6d6c) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #15 0x7fdca46336bf in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x146bf) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #16 0x7fdca46620e9 (/usr/lib/libgobject-2.0.so.0+0x430e9) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #17 0x7fdca4652a41 (/usr/lib/libgobject-2.0.so.0+0x33a41) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #18 0x7fdca4652c76 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x33c76) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #19 0x7fdca4652d33 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x33d33) (BuildId: 68d8df890dcc1311df318b77f511832cd7809468) #20 0x7fdca3fa38c3 (/usr/lib/libgtk-4.so.1+0x1a38c3) (BuildId: 14e58babc8b32d2debb7dedffcabf4b1502e30e2) #21 0x55b4e8cafad4 in gui_dialog_destroy /home/michael/usr/src/freeciv/client/gui-gtk-4.0/gui_stuff.c:883 #22 0x55b4e8c71a3d in diplomacy_main_destroy /home/michael/usr/src/freeciv/client/gui-gtk-4.0/diplodlg.c:632 #23 0x55b4e8c71a3d in diplomacy_destroy /home/michael/usr/src/freeciv/client/gui-gtk-4.0/diplodlg.c:690 #24 0x55b4e8c7665d in close_diplomacy_dialog /home/michael/usr/src/freeciv/client/gui-gtk-4.0/diplodlg.c:1232 #25 0x55b4e8c7665d in handle_diplomacy_cancel_meeting /home/michael/usr/src/freeciv/client/gui-gtk-4.0/diplodlg.c:168 #26 0x55b4e8b7e0b9 in client_handle_packet /home/michael/usr/src/freeciv/client/packhand_gen.c:242 #27 0x55b4e8a79ab6 in client_packet_input /home/michael/usr/src/freeciv/client/client_main.c:792 #28 0x55b4e8a90c40 in input_from_server /home/michael/usr/src/freeciv/client/clinet.c:420 #29 0x55b4e8a6d6d5 in get_net_input /home/michael/usr/src/freeciv/client/gui-gtk-4.0/gui_main.c:2210 #30 0x7fdca3b34f18 (/usr/lib/libglib-2.0.so.0+0x59f18) (BuildId: 83fcea20d7e17c3e243c56bbfa4d3743106f38f8) #31 0x7fdca3b932b6 (/usr/lib/libglib-2.0.so.0+0xb82b6) (BuildId: 83fcea20d7e17c3e243c56bbfa4d3743106f38f8) #32 0x7fdca3b33111 in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x58111) (BuildId: 83fcea20d7e17c3e243c56bbfa4d3743106f38f8) #33 0x7fdca3d06af5 in g_application_run (/usr/lib/libgio-2.0.so.0+0xdfaf5) (BuildId: c1d76a967ca95a1486c789b33f8338587ff9e394) #34 0x55b4e8a70431 in ui_main /home/michael/usr/src/freeciv/client/gui-gtk-4.0/gui_main.c:1860 #35 0x55b4e8a7cb64 in client_main /home/michael/usr/src/freeciv/client/client_main.c:703 #36 0x55b4e8a6feb9 in main /home/michael/usr/src/freeciv/client/gui-gtk-4.0/gui_main.c:1672 #37 0x7fdca3245ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #38 0x7fdca3245d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #39 0x55b4e8a6d044 in _start (/home/michael/opt/freeciv-3.1-20231005/bin/freeciv-gtk4+0xa21044) (BuildId: ec3779dfe108f334e64fc47a65ec56f688d0c1f2) 0x606001b82ea0 is located 32 bytes inside of 64-byte region [0x606001b82e80,0x606001b82ec0) freed by thread T0 here: #0 0x7fdca72dfdb2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52 #1 0x55b4e8c7188d in diplomacy_destroy /home/michael/usr/src/freeciv/client/gui-gtk-4.0/diplodlg.c:676 previously allocated by thread T0 here: #0 0x7fdca72e1359 in __interceptor_malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69 #1 0x55b4e9166ca0 in fc_real_malloc /home/michael/usr/src/freeciv/utility/mem.c:89