Package: pidgin
Followup-For: Bug #995370

Dear Maintainer,
This bug may be due to another related issue which needed to be fixed at the same time but was not. The way to fix it is attached. With the old logic prior to https://keep.imfreedom.org/pidgin/pidgin/rev/f25ce9376564, the bug may not show up, because jbr->thread_id tends to stay NULL, but after the commit above, if jbr->thread_id is not NULL, it would be released along with jm, causing a double free when releasing the jbr, so jm->thread_id should be duplicated from jbr->thread_id instead of pointing to it.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-1-amd64 (SMP w/2 CPU threads)
Locale: LANG=zh_CN.UTF-8, LC_CTYPE=zh_CN.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages pidgin depends on:
ii  libatk1.0-0                     2.36.0-2
ii  libc6                           2.32-4
ii  libcairo2                       1.16.0-5
ii  libdbus-1-3                     1.12.20-2
ii  libgdk-pixbuf-2.0-0             2.42.6+dfsg-2
ii  libglib2.0-0                    2.70.0-1+b1
ii  libgstreamer-plugins-base1.0-0  1.18.5-1
ii  libgstreamer1.0-0               1.18.5-1
ii  libgtk2.0-0                     2.24.33-2
ii  libgtkspell0                    2.0.16-1.3
ii  libice6                         2:1.0.10-1
ii  libpango-1.0-0                  1.48.10+ds1-1
ii  libpurple0                      2.14.1-1
ii  libsm6                          2:1.2.3-1
ii  libx11-6                        2:1.7.2-2+b1
ii  libxss1                         1:1.2.3-1
ii  perl-base [perlapi-5.32.1]      5.32.1-6
ii  pidgin-data                     2.14.1-1

Versions of packages pidgin recommends:
ii  gstreamer1.0-libav         1.18.5-1
ii  gstreamer1.0-plugins-base  1.18.5-1
ii  gstreamer1.0-plugins-good  1.18.5-1
ii  gstreamer1.0-pulseaudio    1.18.5-1
ii  sensible-utils             0.0.17

Versions of packages pidgin suggests:
ii  libsqlite3-0  3.36.0-2
--- a/libpurple/protocols/jabber/message.c 2021-06-01 22:34:44.000000000 +0000 +++ b/libpurple/protocols/jabber/message.c 2021-10-02 09:30:02.000000000 +0000 @@ -1180,7 +1180,7 @@ int jabber_message_send_im(PurpleConnect if(jbr) { if(jbr->thread_id) - jm->thread_id = jbr->thread_id; + jm->thread_id = g_strdup(jbr->thread_id); if (jbr->chat_states == JABBER_CHAT_STATES_UNSUPPORTED) jm->chat_state = JM_STATE_NONE;
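
Review bot: Ownership of jm->thread_id needs confirming around the `jm->thread_id = g_strdup(jbr->thread_id);` line: the copy is correct only if jm->thread_id is still unset at this point and every other assignment to it in message.c also stores an owned string, and neither is visible in this hunk. If an earlier value can be present it leaks here, and if another path still stores a borrowed pointer the same double free remains there. The patch also has no description header; a line citing Bug #995370 and upstream rev f25ce9376564 would record why the copy is needed.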
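
The ownership problem described in the report, as an added example that is not part of the original message or of Pidgin's code: two owners each release their thread_id on teardown, once with a borrowed pointer and once with an owned copy. The struct names, `tracked_free`, `dup_string` (a plain-C stand-in for g_strdup) and the sample thread id are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the two owners named in the report. */
struct resource { char *thread_id; };  /* role of jbr */
struct message  { char *thread_id; };  /* role of jm  */

static uintptr_t released[8];
static int n_released, repeats;

/* Release p once; count a repeat instead of passing it to free() again. */
static void tracked_free(void *p)
{
    if (!p) return;
    for (int i = 0; i < n_released; i++)
        if (released[i] == (uintptr_t)p) { repeats++; return; }
    if (n_released < 8) released[n_released++] = (uintptr_t)p;
    free(p);
}

/* Owned copy of s (stand-in for g_strdup); NULL in, NULL out. */
static char *dup_string(const char *s)
{
    size_t n = s ? strlen(s) + 1 : 0;
    char *copy = n ? malloc(n) : NULL;
    if (copy) memcpy(copy, s, n);
    return copy;
}

/* Build a message from a resource, tear both down, count repeated releases. */
static int teardown_repeats(int duplicate)
{
    struct resource jbr = { dup_string("thread-1234") };  /* constructed value */
    struct message jm = { NULL };
    n_released = repeats = 0;
    if (jbr.thread_id)
        jm.thread_id = duplicate ? dup_string(jbr.thread_id) : jbr.thread_id;
    tracked_free(jm.thread_id);   /* message teardown frees its field */
    tracked_free(jbr.thread_id);  /* resource teardown frees its own  */
    return repeats;
}

int main(void)
{
    printf("borrowed pointer: %d repeated release(s)\n", teardown_repeats(0));
    printf("owned copy:       %d repeated release(s)\n", teardown_repeats(1));
    return 0;
}
```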