multipart-message nevyn bengtsson's blog


Very strange double-free in SUI102::dealloc

In two completely different apps, one Carbon and one Cocoa, the system at some point wanders off into some obscure corner of itself and initializes the camera system. In the Carbon app it happens in the standard event polling loop, for no apparent reason. In the Cocoa app it happens when I show an open-file panel, again for no apparent reason. Here are snippets of the call trace from the Cocoa app:
#46 0x00002236 in -[SlideshowView initWithFrame:] 
Okay, so that’s expected.
#45 0x9346ce20 in -[NSSavePanel(NSSavePanelRuntime) runModalForDirectory:file:types:] ()
Yep, that’s what I’m asking for.
#44 0x93346fab in -[NSApplication runModalForWindow:] ()
#43 0x933481d4 in -[NSApplication _realDoModalLoop:peek:] ()
#42 0x9327d056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#41 0x9327d465 in _DPSNextEvent ()
#40 0x92dd6e39 in BlockUntilNextEventMatchingListInMode ()
#39 0x92dd6fe2 in ReceiveNextEventCommon ()
Okay, fine, you want to poll for events. That’s okay, I said ‘show it modally’.
#33 0x92e5eebd in ActivateTSMDocument ()
#29 0x92e612af in InitKeybdMenu ()
#28 0x92ff33da in EstablishSelectedInputMethodsOfClassesIn ()
#27 0x9083db30 in CFArrayApplyFunction ()
#26 0x92ff43f4 in EstablishSelectedInputMethodsOfClass ()
#25 0x908259cb in CFDictionaryApplyFunction ()
#24 0x92ff344e in EstablishSelectedInputMethodsScriptIterator ()
#23 0x9083db30 in CFArrayApplyFunction ()
#22 0x92ff6524 in EstablishSelectedInputMethodsComponentIterator ()
#21 0x92ff1d4d in SetTextServiceSelected ()
#20 0x92ff1ac4 in SetTextServiceSelectedCore ()
#19 0x92e65915 in ConvertToComponentID ()
#18 0x90cbc56e in FindNextComponent ()
#17 0x90cbc5da in FindNextComponentInternal ()
#16 0x90cbc994 in registerSystemComponents ()
#15 0x90cbf971 in processSerialKissers ()
#14 0x90cfddfb in kissComponent ()
#13 0x90cd3389 in CallComponentRegister ()
#12 0x90cce7f8 in CallComponentDispatch ()
#11 0x90cce8cc in CallComponent ()
#10 0x0af38caf in sgpnMainEntry ()
#9  0x90cceb13 in CallComponentFunctionCommon ()
#8  0x0af38d08 in sgpnRegister ()
Yeah okay, you’re doing some magic to populate some UI or something, instantiating some dynamically linked code component. Fine, I can buy that too. I’m sure there’s a lot of that going on behind my back.
#7  0x0af34fdf in CameraCentral::startupWithNotificationsOnMainThread ()
Or uh… What, what?! CameraCentral? What the hell does the camera have to do with anything?
#6  0x0af34c6d in CameraCentral::registerCameraDriver ()
#5  0x0aef7d6d in SUI102::~SUI102 ()
#4  0x0aef7c7e in SUI102::dealloc ()
#3  0x90005d0f in free ()
#2  0x9010eb32 in abort ()
Oh *SMOOTH*. Not only are you for some absurd reason loading camera drivers, you happened to load a camera driver that does a *double free* in its destructor (You create a driver and then immediately destroy it, too? Ohhh, cruel.). It must be my birthday.
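To make that failure mode concrete, here is an added C++ example, not code from this post or from the Sonix component (SUI102's real source is unknown), reproducing the shape visible in frames #5 to #2: a destructor that calls dealloc() and then frees the same buffer a second time, beside a fixed form. A small tracking allocator stands in for the malloc check that turns the second free() into abort(); every type and function name here is invented.

```cpp
#include <cstdlib>
#include <set>

// Stand-in for a guarded allocator (constructed for this example): it tracks
// live blocks and counts any free() of a pointer that is not live, which is
// the condition on which the system malloc in the trace calls abort().
static std::set<void*> g_live;
static int g_double_frees = 0;

static void* tracked_malloc(std::size_t n) {
    void* p = std::malloc(n);
    g_live.insert(p);
    return p;
}

static void tracked_free(void* p) {
    if (p == nullptr) return;  // free(NULL) is a no-op
    if (g_live.erase(p) == 0) { ++g_double_frees; return; }  // not live: double free
    std::free(p);
}

// Hypothetical driver with the shape seen in frames #5 to #3: dealloc() frees
// the buffer but leaves the pointer dangling, and the destructor calls
// dealloc() and then frees the same pointer again.
struct BuggyDriver {
    char* state;
    BuggyDriver() : state(static_cast<char*>(tracked_malloc(64))) {}
    void dealloc() { tracked_free(state); }
    ~BuggyDriver() { dealloc(); tracked_free(state); }  // second free
};

// Fixed form: dealloc() nulls the pointer after releasing it, so it is
// idempotent, and the destructor releases only through dealloc().
struct FixedDriver {
    char* state;
    FixedDriver() : state(static_cast<char*>(tracked_malloc(64))) {}
    void dealloc() { tracked_free(state); state = nullptr; }
    ~FixedDriver() { dealloc(); }
};

// Create a driver and destroy it right away (the sequence in the trace), optionally
// calling dealloc() first; returns how many double frees the allocator observed.
template <typename Driver>
int double_frees_observed(bool explicit_dealloc) {
    g_live.clear();
    g_double_frees = 0;
    { Driver d; if (explicit_dealloc) d.dealloc(); }  // destructor runs at '}'
    return g_double_frees;
}
```

Under a real guarded malloc the buggy variant never returns; the counter here only makes the same condition observable without a crash.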

UPDATE

Apparently, Sonix SN9C201 WebCam.component is utter shite. Don’t install it. Thanks to jonmarimba, mikeash and rudy over at #macdev on freenode for the help :)
