> I have a reproducible crash when trying to open the repository browser,
> sparse-checkout selection, revision graph and probably other features.
> - "tortoiseproc /command:repobrowser /path:svn://somewhere"
> - enter your correct credentials
> It seems to only happen for svn:// repositories. (I don't know whether
> it also happens for non-authenticated).
I'm getting the same crash with:
Windows 7 SP1 x64
TortoiseSVN 1.6.99, Build 21919 - 64 Bit -dev, 2011/08/31 21:32:47
Subversion 1.7.0, -dev
OpenSSL 1.0.0d 8 Feb 2011
Child-SP RetAddr Call Site
00000000`0445f448 000007fe`edbbaa27 0x6a
00000000`0445f450 000007fe`f89ab49a libsasl!_sasl_log+0x627
[c:\projects\svn\tortoisesvn\ext\cyrus-sasl\lib\common.c @ 1924]
[c:\projects\svn\tortoisesvn\ext\cyrus-sasl\plugins\digestmd5.c @ 4174]
00000000`0445f560 000007fe`edbb84aa libsasl!client_dispose+0x72
[c:\projects\svn\tortoisesvn\ext\cyrus-sasl\lib\client.c @ 289]
00000000`0445f5a0 000007fe`f0a24e8d libsasl!sasl_dispose+0x5a
[c:\projects\svn\tortoisesvn\ext\cyrus-sasl\lib\common.c @ 848]
libsvn_tsvn!svn_ra_svn__sasl_init+0x4d (note: this is actually
00000000`0445f610 00000000`6c6c3ecf libapr_tsvn!apr_pool_destroy+0x6e
00000000`0445f640 00000000`6c6c3ecf libapr_tsvn!apr_pool_destroy+0x4f
00000000`0445f670 00000001`3fb625ce libapr_tsvn!apr_pool_destroy+0x4f
00000000`0445f6a0 00000001`3fc3ef04 TortoiseProc+0x725ce
00000000`0445f7c0 00000001`3fc96ca5 TortoiseProc+0x14ef04
00000000`0445f830 00000001`3fc97c20 TortoiseProc+0x1a6ca5
00000000`0445f860 00000001`3fc98f4d TortoiseProc+0x1a7c20
00000000`0445f8a0 00000000`6a871bc7 TortoiseProc+0x1a8f4d
00000000`0445f8d0 00000000`6a871c55 MSVCR100!endthread+0x53
00000000`0445f900 00000000`773e652d MSVCR100!endthread+0xe1
00000000`0445f930 00000000`77adc521 kernel32!BaseThreadInitThunk+0xd
00000000`0445f960 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
The crash is coming from libsasl's common.c line 1924, where it's trying
to call through the log_cb function pointer. However, log_cb is 0xfa (or
some other value that's definitely not the address of a function).
log_cb is set by the call to _sasl_getcallback() earlier (line 1788),
and it turns out the problem is that conn->callbacks points to corrupted
memory, and _sasl_getcallback() happens to find the right bytes to make
it think that it's found a log callback function.
Subversion's libsvn_ra_svn\cyrus_auth.c svn_ra_svn__do_cyrus_auth()
(line 732) looks fishy to me, although I certainly haven't looked into
it in detail... The callbacks array, which is passed to
new_sasl_ctx(), then to libsasl's sasl_client_new(), is a
local/automatic variable, and it goes out of scope and the memory is
available for reuse after the function exits. However, new_sasl_ctx()
adds the sasl_ctx to a pool and registers a cleanup function for it.
When the pool is destroyed, libsasl wants to use that callbacks array
during the cleanup, but that memory's already filled with other stuff.
Shouldn't callbacks be allocated on the heap somehow, rather than on
Received on 2011-09-08 08:15:53 CEST
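The lifetime problem described in the message, as an added example in C that is not from Subversion, libsasl, or the poster: a mock connection retains the caller's callback table the way the report says conn->callbacks keeps the automatic array from svn_ra_svn__do_cyrus_auth(), while a copying variant owns the table, so a dispose-time lookup still finds the real log callback after the caller's array has been reused. All type names, functions and the CB_LOG id are constructed stand-ins, and the frame reuse is simulated deterministically by overwriting the array in place.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins; not libsasl's real types or callback ids. */
#define CB_LOG 2UL
typedef int (*cb_proc)(int level, const char *msg);
typedef struct { unsigned long id; cb_proc proc; } cb_t;

/* Mock connection that outlives the function creating it (in the report:
 * the sasl_ctx whose cleanup runs at apr_pool_destroy time). */
typedef struct { const cb_t *callbacks; size_t n; cb_t *owned; } conn_t;

static int real_log(int level, const char *msg) { (void)level; (void)msg; return 0; }
static int unrelated_fn(int level, const char *msg) { (void)level; (void)msg; return 1; }

/* Buggy pattern: keep a pointer to the caller's table, as the report says
 * happens with the automatic callbacks[] array in cyrus_auth.c. */
static void conn_new_retain(conn_t *c, const cb_t *cbs, size_t n) {
    c->callbacks = cbs; c->n = n; c->owned = NULL;
}

/* Fixed pattern: copy the table into memory the connection owns; in Subversion
 * this would be pool memory with the same lifetime as the sasl_ctx. */
static void conn_new_copy(conn_t *c, const cb_t *cbs, size_t n) {
    c->owned = malloc(n * sizeof *cbs);
    if (!c->owned) { c->callbacks = NULL; c->n = 0; return; }
    memcpy(c->owned, cbs, n * sizeof *cbs);
    c->callbacks = c->owned; c->n = n;
}

/* Mirrors what _sasl_getcallback does when it looks for the log callback. */
static cb_proc get_log_callback(const conn_t *c) {
    for (size_t i = 0; i < c->n; i++)
        if (c->callbacks[i].id == CB_LOG) return c->callbacks[i].proc;
    return NULL;
}

/* Deterministic replay of the report: after the creating function "returns",
 * its frame is reused, so the id bytes still match but the proc slot is junk. */
static cb_proc simulate_dispose_lookup(int fixed) {
    cb_t table[2] = { { CB_LOG, real_log }, { 0, NULL } };  /* the local array */
    conn_t conn;
    if (fixed) conn_new_copy(&conn, table, 2); else conn_new_retain(&conn, table, 2);
    table[0].proc = unrelated_fn;  /* stand-in for the frame being overwritten */
    cb_proc found = get_log_callback(&conn);  /* sasl_dispose -> _sasl_log path */
    free(conn.owned);
    return found;
}
```

With the retained pointer the lookup returns whatever now occupies the old slot (0xfa in the real crash), which is why the fault surfaces only at pool destruction and not during authentication.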