#109 Crash in FindElementAtPosition

Labels: bug
Status: open
Owner: nobody
Priority: 5
Created: 2015-11-04
Updated: 2015-11-04
Private: No

The finishing part of function FindElementAtPosition in tixHList.c is written in a strange way, so sometimes it can crash trying to dereference a NULL pointer. I reproduced it using the tix-8.1.4 package, Tcl & Tk 8.3.5, CentOS. Looking into the CVS, I expect this bug to be in every version of Tix.

The crash (always!) happens when scrolling in the area of a tixHList while a project is loaded into our product. The crash does not happen after the project has finished loading. I cannot provide a script to reproduce this problem; I can only say that when we load the project, that tixHList is re-filled.

While debugging FindElementAtPosition at the moment of the crash I see that all variables in the condition (top <= y && y < top + chPtr->allHeight) are zero. Because of this, chPtr inevitably becomes NULL and the next iteration of "while (1)" begins. Then the code crashes trying to execute chPtr=chPtr->childHead. BTW, the stack at the moment of the crash looks like ... Tix_HLYView YScrollByUnits FindElementAtPosition, and the Tcl code is "WINDOWNAME yview scroll -5 units".

I fixed it using the provided patch (changed "while (1)" to "while (chPtr!=NULL)" and added "return NULL" at the function end).

Overall, this particular piece of code is very strange since clearly "while (1)" cannot do more than one iteration. On the second iteration it should crash if left as is.

1 Attachments
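Added illustration, not the Tix source and not the attached patch: a hypothetical reconstruction in C of the loop shape the report describes, with the "while (chPtr != NULL)" guard and the trailing "return NULL" applied, so that a position below the last element, or an element list whose heights are all zero (the reporter's observation), yields NULL instead of dereferencing chPtr->childHead. The Elem struct, its fields height/allHeight/childHead/next and the descent rule are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical reconstruction of the element tree FindElementAtPosition
 * walks (not the actual tixHList.c code): each element knows its own row
 * height, its total height with descendants, first child and next sibling. */
typedef struct Elem {
    const char *name;
    int height;              /* own row height */
    int allHeight;           /* own row plus all visible descendants */
    struct Elem *childHead;  /* first child, NULL for a leaf */
    struct Elem *next;       /* next sibling, NULL at end of the list */
} Elem;
/* Loop shape after the patch described in the report: "while (1)" became
 * "while (chPtr != NULL)" and the function ends with "return NULL". In the
 * original, the sibling scan could leave chPtr NULL (the report saw this when
 * every height was zero) and "chPtr = chPtr->childHead" dereferenced it. */
Elem *find_element_at_position(Elem *root, int y) {
    Elem *chPtr = root->childHead;
    int top = 0;
    while (chPtr != NULL) {
        /* advance past siblings whose span does not cover y */
        while (chPtr != NULL && !(top <= y && y < top + chPtr->allHeight)) {
            top += chPtr->allHeight;
            chPtr = chPtr->next;
        }
        if (chPtr == NULL)
            return NULL;                 /* y is below the last sibling */
        if (y < top + chPtr->height)
            return chPtr;                /* y lands on this element's row */
        top += chPtr->height;            /* otherwise descend into children */
        chPtr = chPtr->childHead;
    }
    return NULL;
}
/* Constructed sample tree: a spans rows [0,30) with children a1 [10,20) and
 * a2 [20,30); b spans [30,40). zroot mimics the all-heights-zero crash case. */
static Elem a2 = {"a2", 10, 10, NULL, NULL};
static Elem a1 = {"a1", 10, 10, NULL, &a2};
static Elem b  = {"b", 10, 10, NULL, NULL};
static Elem a  = {"a", 10, 30, &a1, &b};
static Elem tree  = {"tree", 0, 40, &a, NULL};
static Elem z1    = {"z1", 0, 0, NULL, NULL};
static Elem zroot = {"zroot", 0, 0, &z1, NULL};
/* Name of the element at y, or "none" when the lookup falls off the end. */
const char *name_at(Elem *r, int y) {
    Elem *e = find_element_at_position(r, y);
    return e ? e->name : "none";
}
```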
