# HG changeset patch
# User Evan Schoenberg
# Date 1168268466 0
# Node ID f08b43af6791fdf07dac4dbe0c260ac6e5579cff
# Parent fd1a584dd5be0b672484f977ae869c3810d7c3a4
[gaim-migrate @ 18088] We've seen a crash in which a NULL circbuffer was passed to gaim_circ_buffer_append() from flap_connection_send_byte_stream(). (flap_connection_send_byte_stream() was somehow called after flap_connection_close() - perhaps a result of the rate limiting queuing code?) In any case, circbuffer should use g_return_if_fail() and g_return_val_if_fail() to throw warnings in this condition rather than crashing on a NULL pointer access. Added such checks at the top of the relevant functions.

committer: Tailor Script

diff -r fd1a584dd5be -r f08b43af6791 libgaim/circbuffer.c
--- a/libgaim/circbuffer.c	Mon Jan 08 12:51:23 2007 +0000
+++ b/libgaim/circbuffer.c	Mon Jan 08 15:01:06 2007 +0000
@@ -34,14 +34,19 @@
 }
 
 void gaim_circ_buffer_destroy(GaimCircBuffer *buf) {
-	g_return_if_fail(buf);
+	g_return_if_fail(buf != NULL);
+
 	g_free(buf->buffer);
 	g_free(buf);
 }
 
 static void grow_circ_buffer(GaimCircBuffer *buf, gsize len) {
 	int in_offset = 0, out_offset = 0;
-	int start_buflen = buf->buflen;
+	int start_buflen;
+
+	g_return_if_fail(buf != NULL);
+
+	start_buflen = buf->buflen;
 
 	while ((buf->buflen - buf->bufused) < len)
 		buf->buflen += buf->growsize;
@@ -87,6 +92,8 @@
 
 	int len_stored;
 
+	g_return_if_fail(buf != NULL);
+
 	/* Grow the buffer, if necessary */
 	if ((buf->buflen - buf->bufused) < len)
 		grow_circ_buffer(buf, len);
@@ -118,6 +125,8 @@
 gsize gaim_circ_buffer_get_max_read(GaimCircBuffer *buf) {
 	int max_read;
 
+	g_return_val_if_fail(buf != NULL, 0);
+
 	if (buf->bufused == 0)
 		max_read = 0;
 	else if ((buf->outptr - buf->inptr) >= 0)
@@ -129,6 +138,7 @@
 }
 
 gboolean gaim_circ_buffer_mark_read(GaimCircBuffer *buf, gsize len) {
+	g_return_val_if_fail(buf != NULL, FALSE);
 	g_return_val_if_fail(gaim_circ_buffer_get_max_read(buf) >= len, FALSE);
 
 	buf->outptr += len;
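Review bot: The `g_return_if_fail(buf != NULL)` added to grow_circ_buffer cannot fire on the call path shown in this patch: the helper is static and its only caller visible here, gaim_circ_buffer_append (second hunk), now rejects a NULL buf before calling it. Keeping the guard as defence in depth is reasonable, but a comment such as `/* callers already guard buf; kept as defence in depth */` would stop the next reader from hunting for an unguarded caller. The moved declaration `int start_buflen;` still stores buf->buflen in a signed int while the loop below compares that same field against the gsize `len`; if buflen is a gsize, `gsize start_buflen;` avoids the implicit narrowing. grow_circ_buffer continues past the end of the hunk, so the later uses of start_buflen are not visible here.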
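Review bot: The new `g_return_if_fail(buf != NULL)` in gaim_circ_buffer_append turns the crash described in the commit message into a silent drop: the function returns void, so when the guard fires the `len` bytes being appended are discarded with only a g_critical, and the caller continues as if they had been queued. That is acceptable for a library precondition, but it should be stated next to the check, e.g. `/* Dropped, not queued: a NULL buf means the owner already destroyed it */`, so the warning is not mistaken for a fix of the use-after-close in the caller. The function's signature and the rest of its body lie outside the hunk.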
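Review bot: The order of the two guards in gaim_circ_buffer_mark_read matters and deserves a comment: after the get_max_read change in the previous hunk, a NULL buf makes gaim_circ_buffer_get_max_read return 0, so for len == 0 the pre-existing check alone would pass and `buf->outptr += len` would dereference NULL; the new `g_return_val_if_fail(buf != NULL, FALSE)` must stay first. A comment such as `/* must precede the max_read check: get_max_read(NULL) returns 0 */` keeps a later reorder from reintroducing the crash. The function body continues past the end of the hunk.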