This repository has been archived by the owner on Jan 27, 2024. It is now read-only.

libtgl: crash on processing some query errors #431

Closed
ghsrcgh opened this issue Nov 18, 2017 · 5 comments

Comments

ghsrcgh commented Nov 18, 2017

libtgl: crash on processing some query errors

How did it happen in practice? I had sent a few messages to a secret chat. After passing one, pidgin crashed.

Details:

Problem signature:
  Problem Event Name:	APPCRASH
  Application Name:	pidgin.exe
  Application Version:	2.12.0.0
  Application Timestamp:	58c20b6e
  Fault Module Name:	libtelegram.dll
  Fault Module Version:	0.0.0.0
  Fault Module Timestamp:	57c95698
  Exception Code:	c0000005
  Exception Offset:	0002a46d
  OS Version:	6.3.9600.2.0.0.400.8
  Locale ID:	1049
  Additional Information 1:	5861
  Additional Information 2:	5861822e1919d7c014bbb064c64908b2
  Additional Information 3:	5f25
  Additional Information 4:	5f2531ae070278f893fa99352dadd49e
  1. libtelegram.dll has no version info, which is bad. For better debugging it is recommended to add a VERSION_INFO structure and update it from build to build.

  2. libtelegram.dll size 4'499'627 bytes, md5: 6d91bffa725bb21ef2cc7ed8e76c7dc5
    (to identify)

  3. This is a crash inside that function:

.text:6996A3D7 ; int __cdecl tglq_query_error(tgl_state *TLS, __int64 id)
.text:6996A3D7                 public _tglq_query_error
.text:6996A3D7 _tglq_query_error proc near             ; CODE XREF: _work_rpc_result+98↑p
.text:6996A3D7
...
.text:6996A46A                 mov     eax, [ebp+q]
.text:6996A46D                 mov     eax, [eax+24h] ; << (!) crash is here (!) (base: 69940000h + 2a46dh)

It seems that the "q" argument is a null pointer, not a pointer to an object, or if it is a pointer, then the object is damaged; either way the pointer is used without a null-check.

It is required to review the tglq_query_error() function regarding this code.

Details:

.text:6996A3D7 ; int __cdecl tglq_query_error(tgl_state *TLS, __int64 id)
.text:6996A3D7                 public _tglq_query_error
.text:6996A3D7 _tglq_query_error proc near             ; CODE XREF: _work_rpc_result+98↑p
.text:6996A3D7
.text:6996A3D7 var_58          = dword ptr -58h
.text:6996A3D7 var_54          = dword ptr -54h
.text:6996A3D7 id              = qword ptr -50h
.text:6996A3D7 DC              = dword ptr -40h
.text:6996A3D7 q               = dword ptr -3Ch
.text:6996A3D7 error           = dword ptr -38h
.text:6996A3D7 error_len       = dword ptr -34h
.text:6996A3D7 error_code      = dword ptr -30h
.text:6996A3D7 wait            = dword ptr -2Ch
.text:6996A3D7 i               = dword ptr -28h
.text:6996A3D7 offset          = dword ptr -24h
.text:6996A3D7 error_handled   = dword ptr -20h
.text:6996A3D7 res             = dword ptr -1Ch
.text:6996A3D7 TLS             = dword ptr  8
.text:6996A3D7 arg_4           = dword ptr  0Ch
.text:6996A3D7 arg_8           = dword ptr  10h
.text:6996A3D7
.text:6996A3D7                 push    ebp
.text:6996A3D8                 mov     ebp, esp
.text:6996A3DA                 push    edi
.text:6996A3DB                 push    esi
.text:6996A3DC                 push    ebx
.text:6996A3DD                 sub     esp, 6Ch        ; Integer Subtraction
.text:6996A3E0                 mov     eax, [ebp+arg_4]
.text:6996A3E3                 mov     dword ptr [ebp+id], eax
.text:6996A3E6                 mov     eax, [ebp+arg_8]
.text:6996A3E9                 mov     dword ptr [ebp+id+4], eax
.text:6996A3EC                 call    _fetch_int_1    ; Call Procedure
.text:6996A3EC
.text:6996A3F1                 cmp     eax, 2144CA19h  ; Compare Two Operands
.text:6996A3F6                 jz      short loc_6996A416 ; Jump if Zero (ZF=1)
.text:6996A3F6
.text:6996A3F8                 mov     dword ptr [esp+8], 137h ; _Line
.text:6996A400                 mov     dword ptr [esp+4], offset aQueriesC ; "queries.c"
.text:6996A408                 mov     dword ptr [esp], offset aFetchIntCodeRpcError ; "fetch_int () == CODE_rpc_error"
.text:6996A40F                 call    __assert        ; Call Procedure
.text:6996A40F
.text:6996A414 ; ---------------------------------------------------------------------------
.text:6996A414                 jmp     short loc_6996A417 ; Jump
.text:6996A414
.text:6996A416 ; ---------------------------------------------------------------------------
.text:6996A416
.text:6996A416 loc_6996A416:                           ; CODE XREF: _tglq_query_error+1F↑j
.text:6996A416                 nop                     ; No Operation
.text:6996A416
.text:6996A417
.text:6996A417 loc_6996A417:                           ; CODE XREF: _tglq_query_error+3D↑j
.text:6996A417                 call    _fetch_int_1    ; Call Procedure
.text:6996A417
.text:6996A41C                 mov     [ebp+error_code], eax
.text:6996A41F                 call    _prefetch_strlen_0 ; Call Procedure
.text:6996A41F
.text:6996A424                 mov     [ebp+error_len], eax
.text:6996A427                 mov     eax, [ebp+error_len]
.text:6996A42A                 mov     [esp], eax      ; len
.text:6996A42D                 call    _fetch_str_0    ; Call Procedure
.text:6996A42D
.text:6996A432                 mov     [ebp+error], eax
.text:6996A435                 mov     eax, dword ptr [ebp+id]
.text:6996A438                 mov     edx, dword ptr [ebp+id+4]
.text:6996A43B                 mov     [esp+4], eax    ; id
.text:6996A43F                 mov     [esp+8], edx
.text:6996A443                 mov     eax, [ebp+TLS]
.text:6996A446                 mov     [esp], eax      ; TLS
.text:6996A449                 call    _tglq_query_get ; Call Procedure
.text:6996A449
.text:6996A44E                 mov     [ebp+q], eax
.text:6996A451                 cmp     [ebp+q], 0      ; Compare Two Operands
.text:6996A455                 jnz     short loc_6996A4C8 ; Jump if Not Zero (ZF=0)
.text:6996A455
.text:6996A457                 mov     eax, [ebp+TLS]
.text:6996A45A                 mov     eax, [eax+38h]
.text:6996A45D                 test    eax, eax        ; Logical Compare
.text:6996A45F                 jle     short loc_6996A4A3 ; Jump if Less or Equal (ZF=1 | SF!=OF)
.text:6996A45F
.text:6996A461                 mov     eax, [ebp+TLS]
.text:6996A464                 mov     ecx, [eax+230h]
.text:6996A46A                 mov     eax, [ebp+q]
.text:6996A46D                 mov     eax, [eax+24h] ; << (!) crash is here (!) (base: 69940000h + 2a46dh)
.text:6996A470                 mov     ebx, [eax+10h]
.text:6996A473                 mov     eax, [ebp+error]
.text:6996A476                 mov     [esp+18h], eax
.text:6996A47A                 mov     eax, [ebp+error_len]
.text:6996A47D                 mov     [esp+14h], eax
.text:6996A481                 mov     eax, [ebp+error_code]
.text:6996A484                 mov     [esp+10h], eax
.text:6996A488                 mov     eax, dword ptr [ebp+id]
.text:6996A48B                 mov     edx, dword ptr [ebp+id+4]
.text:6996A48E                 mov     [esp+8], eax
.text:6996A492                 mov     [esp+0Ch], edx
.text:6996A496                 mov     [esp+4], ebx
.text:6996A49A                 mov     dword ptr [esp], offset aErrorForQuerySI64dDS ; "error for query '%s' #%I64d: #%d :%.*s"...
.text:6996A4A1                 call    ecx             ; Indirect Call Near Procedure
.text:6996A4A1
.text:6996A4A3
.text:6996A4A3 loc_6996A4A3:                           ; CODE XREF: _tglq_query_error+88↑j
.text:6996A4A3                 mov     eax, [ebp+TLS]
.text:6996A4A6                 mov     eax, [eax+38h]
.text:6996A4A9                 test    eax, eax        ; Logical Compare
.text:6996A4AB                 jle     loc_6996A980    ; Jump if Less or Equal (ZF=1 | SF!=OF)
...
EionRobb (Contributor) commented Nov 18, 2017

Can you follow https://developer.pidgin.im/wiki/TipsForBugReports#WhattodoifPidgincrashes to get the Pidgin.rpt and attach to this issue?

Edit: And also the plugin version information from Help->Plugin Information (from the buddy list)

ghsrcgh (Author) commented Nov 19, 2017

I think that none of this is required, because I wrote why this error appears and where. It is required to fix the tglq_query_error() function so that it checks its params.

Here is my plugins list:

Plugin Information
Autoaccept
	Author: Sadrul H Chowdhury <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: core-plugin_pack-autoaccept
	Loadable: Yes
	Loaded: No

Buddy Notes
	Author: Stu Tomlinson <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: core-plugin_pack-buddynote
	Loadable: Yes
	Loaded: No

Conversation Colors
	Author: Sadrul H Chowdhury <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtk-plugin_pack-convcolors
	Loadable: Yes
	Loaded: No

ExtPlacement
	Author: Stu Tomlinson <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtk-extplacement
	Loadable: Yes
	Loaded: No

Buddy Notes
	Author: Etan Reisner <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtkbuddynote
	Loadable: Yes
	Loaded: No

History
	Author: Sean Egan <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtk-history
	Loadable: Yes
	Loaded: No

Iconify on Away
	Author: Eric Warmenhoven <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtk-iconaway
	Loadable: Yes
	Loaded: No

I'dle Mak'er
	Author: Eric Warmenhoven <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: core-idle
	Loadable: Yes
	Loaded: No

Join/Part Hiding
	Author: Richard Laager <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: core-rlaager-joinpart
	Loadable: Yes
	Loaded: No

AIM
	Author: (null)
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: prpl-aim
	Loadable: Yes
	Loaded: Yes

Bonjour
	Author: (null)
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: prpl-bonjour
	Loadable: Yes
	Loaded: Yes

Gadu-Gadu
	Author: [email protected]
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: prpl-gg
	Loadable: Yes
	Loaded: Yes

ICQ
	Author: (null)
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: prpl-icq
	Loadable: Yes
	Loaded: Yes

IRC
	Author: (null)
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: prpl-irc
	Loadable: Yes
	Loaded: Yes

GroupWise
	Author: (null)
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: prpl-novell
	Loadable: Yes
	Loaded: Yes

Sametime
	Author: Christopher (siege) O'Brien <[email protected]>
	Version: 2.12.0
	Website: http://meanwhile.sourceforge.net/
	ID String: prpl-meanwhile
	Loadable: Yes
	Loaded: Yes

SILC
	Author: Pekka Riikonen
	Version: 1.1
	Website: http://silcnet.org/
	ID String: prpl-silc
	Loadable: Yes
	Loaded: Yes

SIMPLE
	Author: Thomas Butter <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: prpl-simple
	Loadable: Yes
	Loaded: Yes

Telegram
	Author: Matthias Jentsch <[email protected]>
			Vitaly Valtman
			Ben Wiederhake
			Christopher Althaus <[email protected]>
	Version: 1.3.0
			commit: 0340e4f14b
			libtgl: 2.1.0
	Website: https://github.com/majn/telegram-purple
	ID String: prpl-telegram
	Loadable: Yes
	Loaded: Yes

XMPP
	Author: (null)
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: prpl-jabber
	Loadable: Yes
	Loaded: Yes

Log Reader
	Author: Richard Laager <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: core-log_reader
	Loadable: Yes
	Loaded: No

Markerline
	Author: Sadrul H Chowdhury <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtk-plugin_pack-markerline
	Loadable: Yes
	Loaded: No

New Line
	Author: Stu Tomlinson <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: core-plugin_pack-newline
	Loadable: Yes
	Loaded: No

Message Notification
	Author: Etan Reisner <[email protected]>,
Brian Tarricone <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtk-x11-notify
	Loadable: Yes
	Loaded: No

NSS Preferences
	Author: Daniel Atallah <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: core-nss_prefs
	Loadable: Yes
	Loaded: No

Offline Message Emulation
	Author: Sadrul H Chowdhury <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: core-plugin_pack-offlinemsg
	Loadable: Yes
	Loaded: No

Pidgin GTK+ Theme Control
	Author: Etan Reisner <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: purplerc
	Loadable: Yes
	Loaded: No

Psychic Mode
	Author: Christopher O'Brien <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: core-psychic
	Loadable: Yes
	Loaded: No

Release Notification
	Author: Nathan Walp <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtk-relnot
	Loadable: Yes
	Loaded: No

Send Button
	Author: Etan Reisner <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtksendbutton
	Loadable: Yes
	Loaded: No

Text replacement
	Author: Eric Warmenhoven <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtk-spellcheck
	Loadable: Yes
	Loaded: No

NSS
	Author: Christian Hammond <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: ssl-nss
	Loadable: Yes
	Loaded: Yes

SSL
	Author: Christian Hammond <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: core-ssl
	Loadable: Yes
	Loaded: Yes

Buddy State Notification
	Author: Christian Hammond <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: core-statenotify
	Loadable: Yes
	Loaded: No

Pidgin Theme Editor
	Author: Sadrul Habib Chowdhury <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtk-theme-editor
	Loadable: Yes
	Loaded: No

Buddy Ticker
	Author: Syd Logan
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtk-ticker
	Loadable: Yes
	Loaded: No

Timestamp
	Author: Sean Egan <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtk-timestamp
	Loadable: Yes
	Loaded: No

Message Timestamp Formats
	Author: Richard Laager <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: core-timestamp_format
	Loadable: Yes
	Loaded: No

Transparency
	Author: Herman Bloggs <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtk-win-trans
	Loadable: Yes
	Loaded: No

Windows Pidgin Options
	Author: Herman Bloggs <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtk-win-prefs
	Loadable: Yes
	Loaded: No

XMPP Console
	Author: Sean Egan <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtk-xmpp
	Loadable: Yes
	Loaded: No

XMPP Service Discovery
	Author: Paul Aurich <[email protected]>
	Version: 2.12.0
	Website: http://pidgin.im/
	ID String: gtk-xmppdisco
	Loadable: Yes
	Loaded: No

ghsrcgh (Author) commented Nov 19, 2017

Here is the content of pidgin.rpt; I think it will tell you less than I already did :)

-------------------

Error occured on Saturday, November 18, 2017 at 17:09:28.

Windows Version 6.2 Build 9200 

X:\Pidgin\pidgin.exe caused an Access Violation at location 026ea46d in module X:\Pidgin\plugins\libtelegram.dll Reading from location 00000024.

Registers:
eax=00000000 ebx=9fa2dc90 ecx=026c2a4a edx=0028eb68 esi=00000000 edi=00000001
eip=026ea46d esp=0028eb80 ebp=0028ebf8 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202

Call stack:
026EA46D X:\Pidgin\plugins\libtelegram.dll  purple_init_plugin
026D6393 X:\Pidgin\plugins\libtelegram.dll  purple_init_plugin
026D6961 X:\Pidgin\plugins\libtelegram.dll  purple_init_plugin
026D74FD X:\Pidgin\plugins\libtelegram.dll  purple_init_plugin
026D77FC X:\Pidgin\plugins\libtelegram.dll  purple_init_plugin
026C2579 X:\Pidgin\plugins\libtelegram.dll
026C26FA X:\Pidgin\plugins\libtelegram.dll
026C1BAB X:\Pidgin\plugins\libtelegram.dll
         X:\Pidgin\pidgin.dll [2.12.0.0]
         Using Debug Symbols from: X:\Pidgin\pidgin-2.12.0-dbgsym\pidgin.dll.dbgsym
6304FA48 X:\Pidgin\pidgin.dll  pidgin_docklet_uninit
         X:\Pidgin\Gtk\bin\libglib-2.0-0.dll [2.28.8.0]
685EB90D X:\Pidgin\Gtk\bin\libglib-2.0-0.dll  g_main_context_dispatch
685EBD9D X:\Pidgin\Gtk\bin\libglib-2.0-0.dll  g_main_loop_run
         X:\Pidgin\Gtk\bin\libgtk-win32-2.0-0.dll [2.16.6.0]
61854260 X:\Pidgin\Gtk\bin\libgtk-win32-2.0-0.dll  gtk_main
         X:\Pidgin\pidgin.dll [2.12.0.0]
         Using Debug Symbols from: X:\Pidgin\pidgin-2.12.0-dbgsym\pidgin.dll.dbgsym
6306B4D1 X:\Pidgin\pidgin.dll  pidgin_main

ghsrcgh (Author) commented Nov 19, 2017

I found some strange code here in .\tgl-master\queries.c (my comments start with "//"):

int tglq_query_error (struct tgl_state *TLS, long long id) {
  assert (fetch_int () == CODE_rpc_error);
  int error_code = fetch_int ();
  int error_len = prefetch_strlen ();
  char *error = fetch_str (error_len);

  struct query *q = tglq_query_get (TLS, id);
  // (q == nullptr)?
  if (!q)
  {
      vlogprintf (E_WARNING, "error for query '%s' #%" INT64_PRINTF_MODIFIER "d: #%d :%.*s\n", q->methods->name, id, error_code, error_len, error);
      // q == nullptr and it is trying to dereference a null pointer?! q->methods ... ?! WTF??!
      vlogprintf (E_WARNING, "No such query\n");
  }
  else
  {

It cannot dereference q->methods here, because q is nullptr!
It is a bug in source.

Created this ticket: vysheng/tgl#134
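
The null dereference described in this comment, reduced to a stand-alone example (added here; not code from tgl or telegram-purple, and not necessarily the fix that was later applied). The struct shapes, the in-flight query table, `lookup_query()` and `handle_query_error()` are hypothetical stand-ins for libtgl's `struct query` and `tglq_query_get()`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for libtgl's query bookkeeping (not the project's own layout). */
struct query_methods { const char *name; };
struct query { long long id; const struct query_methods *methods; };

/* Constructed in-flight query table standing in for tglq_query_get(). */
static const struct query_methods send_methods = { "messages.sendEncrypted" };
static const struct query in_flight[] = { { 1, &send_methods }, { 2, &send_methods } };

static const struct query *lookup_query(long long id) {
    for (size_t i = 0; i < sizeof in_flight / sizeof in_flight[0]; i++)
        if (in_flight[i].id == id) return &in_flight[i];
    return NULL;
}

/*
 * Shape of the error path quoted above (never executed here, shown for contrast):
 *
 *   if (!q) {
 *       vlogprintf (E_WARNING, "error for query '%s' ...", q->methods->name, ...);
 *       vlogprintf (E_WARNING, "No such query\n");
 *   }
 *
 * Inside the `if (!q)` branch q is NULL, so q->methods reads through a null pointer;
 * with `methods` at offset 0x24 that is the "Reading from location 00000024" in the .rpt.
 */

static char last_line[160];   /* last formatted warning, for inspection by callers/tests */

/* Hardened version: never touches q when it is NULL.  `error` is not NUL-terminated in
 * libtgl (fetch_str returns a pointer into the receive buffer), hence %.*s with error_len.
 * Returns 1 if the query id was known, 0 if it was not ("No such query"). */
int handle_query_error(long long id, int error_code, int error_len, const char *error) {
    const struct query *q = lookup_query(id);
    const char *name = q ? q->methods->name : "<no such query>";
    snprintf(last_line, sizeof last_line, "error for query '%s' #%lld: #%d :%.*s",
             name, id, error_code, error_len, error);
    return q != NULL;
}

const char *last_query_error_line(void) { return last_line; }

int main(void) {
    /* Constructed input: an error for a query id that is no longer in flight. */
    handle_query_error(99, 400, 9, "BAD_QUERYxxx");
    puts(last_query_error_line());
    return 0;
}
```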

majn (Owner) commented Nov 20, 2017

This issue was already fixed in 1.3.1, see majn/tgl@ac2e73b
