
#6 gtkterm segfaults on send hexadecimal data

open
nobody
None
5
2006-12-02
2006-12-02
ville
No

This bug is originally reported to ubuntu bug tracking system by Elie De Brauwer:
https://bugs.launchpad.net/distros/ubuntu/+source/gtkterm/+bug/60400

Original Description (fix included):

Launch it, then menu -> "View" -> "Send hexadecimal data". A new input box appears; click in it and press "enter" without entering data. It segfaults ;-)

Program received signal SIGSEGV, Segmentation fault.
0x080545f4 in ?? ()
(gdb) bt
#0 0x080545f4 in ?? ()
#1 0x00000000 in ?? ()

When I apt-get source it and compile it:
Program received signal SIGSEGV, Segmentation fault.
Send_Hexadecimal (widget=0x80a04a8, event=0x0, pointer=0xb77085d1)
at widgets.c:613
613 all_written[0] = 0;
(gdb) bt
#0 Send_Hexadecimal (widget=0x80a04a8, event=0x0, pointer=0xb77085d1)
at widgets.c:613
#1 0xb7a2c423 in g_cclosure_marshal_VOID__VOID ()
from /usr/lib/libgobject-2.0.so.0
#2 0xb7a2079f in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#3 0xb7a2f2ea in g_signal_stop_emission () from /usr/lib/libgobject-2.0.so.0
#4 0xb7a30268 in g_signal_emitv () from /usr/lib/libgobject-2.0.so.0
#5 0xb7d4414c in gtk_bin_get_child () from /usr/lib/libgtk-x11-2.0.so.0
#6 0xb7d45047 in gtk_binding_set_by_class () from /usr/lib/libgtk-x11-2.0.so.0
#7 0xb7d452b7 in gtk_binding_set_by_class () from /usr/lib/libgtk-x11-2.0.so.0
#8 0xb7d454a7 in gtk_bindings_activate_event ()
from /usr/lib/libgtk-x11-2.0.so.0
#9 0xb7eebc11 in gtk_widget_activate () from /usr/lib/libgtk-x11-2.0.so.0
#10 0xb7d9f495 in gtk_entry_set_visibility () from /usr/lib/libgtk-x11-2.0.so.0
#11 0xb7e098e0 in _gtk_marshal_BOOLEAN__BOXED ()
from /usr/lib/libgtk-x11-2.0.so.0
#12 0xb7a2016f in g_cclosure_new_swap () from /usr/lib/libgobject-2.0.so.0
#13 0xb7a2079f in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#14 0xb7a2f9ce in g_signal_stop_emission () from /usr/lib/libgobject-2.0.so.0
#15 0xb7a30886 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#16 0xb7a30e89 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#17 0xb7eebdcf in gtk_widget_activate () from /usr/lib/libgtk-x11-2.0.so.0
#18 0xb7efb46d in gtk_window_propagate_key_event ()
#19 0xb7eff731 in gtk_window_activate_key () from /usr/lib/libgtk-x11-2.0.so.0
#20 0xb7e098e0 in _gtk_marshal_BOOLEAN__BOXED ()
from /usr/lib/libgtk-x11-2.0.so.0
#21 0xb7a2016f in g_cclosure_new_swap () from /usr/lib/libgobject-2.0.so.0
#22 0xb7a2079f in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#23 0xb7a2f9ce in g_signal_stop_emission () from /usr/lib/libgobject-2.0.so.0
#24 0xb7a30886 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#25 0xb7a30e89 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#26 0xb7eebdcf in gtk_widget_activate () from /usr/lib/libgtk-x11-2.0.so.0
#27 0xb7e08169 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
#28 0xb7e0846b in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#29 0xb7cabdec in _gdk_events_queue () from /usr/lib/libgdk-x11-2.0.so.0
#30 0xb79af8d6 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#31 0xb79b2996 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#32 0xb79b2cb8 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#33 0xb7e07765 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#34 0x08052a77 in main (argc=1, argv=0xbfae46f4) at gtkterm.c:68

Which is the following line:

all_written = g_malloc(strlen(text) * 2);
all_written[0] = 0;

Since I entered no text, strlen(text)*2 equals zero. When you insert:

if(strlen(text) == 0){
    message = g_strdup_printf(_("0 byte(s) sent !"));
    Put_temp_message(message, 1500);
    gtk_entry_set_text(GTK_ENTRY(widget), "");
    g_free(message);
    return FALSE;
}

before the malloc (line 612), this fixes the issue.

Discussion

  • Nobody/Anonymous

    Logged In: NO

    When I try to send hex data (non-empty field) the app just closes. Running Fedora.

     
  • Nobody/Anonymous

    Logged In: NO

    Sorry, submitted before I had attached the relevant errors:

    So this is a buffer overflow when an attempt is made to send hex data:

    *** buffer overflow detected ***: gtkterm terminated
    ======= Backtrace: =========
    /lib/libc.so.6(__chk_fail+0x41)[0x6ac361]
    /lib/libc.so.6[0x6abb78]
    /lib/libc.so.6(_IO_default_xsputn+0xb4)[0x62d674]
    /lib/libc.so.6(_IO_vfprintf+0x8f1)[0x606e91]
    /lib/libc.so.6(__vsprintf_chk+0xad)[0x6abc2d]
    /lib/libc.so.6(__sprintf_chk+0x30)[0x6abb60]
    gtkterm[0x8053ca6]
    /lib/libgobject-2.0.so.0(g_cclosure_marshal_VOID__VOID+0x49)[0x9670f9]
    /lib/libgobject-2.0.so.0(g_closure_invoke+0x12b)[0x959d9b]
    /lib/libgobject-2.0.so.0[0x96a433]
    /lib/libgobject-2.0.so.0(g_signal_emitv+0x198)[0x96bcb8]
    /usr/lib/libgtk-x11-2.0.so.0[0x15f04b]
    /usr/lib/libgtk-x11-2.0.so.0[0x15f3f8]
    /usr/lib/libgtk-x11-2.0.so.0[0x15f5cb]
    /usr/lib/libgtk-x11-2.0.so.0(gtk_bindings_activate_event+0xd9)[0x15f6e9]
    /usr/lib/libgtk-x11-2.0.so.0[0x353a48]
    /usr/lib/libgtk-x11-2.0.so.0[0x1b8be9]
    /usr/lib/libgtk-x11-2.0.so.0[0x233b00]
    /lib/libgobject-2.0.so.0[0x958589]
    /lib/libgobject-2.0.so.0(g_closure_invoke+0x20d)[0x959e7d]
    /lib/libgobject-2.0.so.0[0x96aa83]
    /lib/libgobject-2.0.so.0(g_signal_emit_valist+0x68f)[0x96b71f]
    /lib/libgobject-2.0.so.0(g_signal_emit+0x29)[0x96bb19]
    /usr/lib/libgtk-x11-2.0.so.0[0x348748]
    /usr/lib/libgtk-x11-2.0.so.0(gtk_window_propagate_key_event+0x107)[0x358847]
    /usr/lib/libgtk-x11-2.0.so.0[0x35b8bc]
    /usr/lib/libgtk-x11-2.0.so.0[0x233b00]
    /lib/libgobject-2.0.so.0[0x958589]
    /lib/libgobject-2.0.so.0(g_closure_invoke+0x12b)[0x959d9b]
    /lib/libgobject-2.0.so.0[0x96aa83]
    /lib/libgobject-2.0.so.0(g_signal_emit_valist+0x68f)[0x96b71f]
    /lib/libgobject-2.0.so.0(g_signal_emit+0x29)[0x96bb19]
    /usr/lib/libgtk-x11-2.0.so.0[0x348748]
    /usr/lib/libgtk-x11-2.0.so.0(gtk_propagate_event+0x1ba)[0x22cf0a]
    /usr/lib/libgtk-x11-2.0.so.0(gtk_main_do_event+0x317)[0x22e0d7]
    /usr/lib/libgdk-x11-2.0.so.0[0x7d9914a]
    /lib/libglib-2.0.so.0(g_main_context_dispatch+0x182)[0x8b5442]
    /lib/libglib-2.0.so.0[0x8b841f]
    /lib/libglib-2.0.so.0(g_main_loop_run+0x1a9)[0x8b87c9]
    /usr/lib/libgtk-x11-2.0.so.0(gtk_main+0xb4)[0x22e554]
    gtkterm[0x80523ca]
    /lib/libc.so.6(__libc_start_main+0xdc)[0x5e0f2c]
    gtkterm[0x804c691]

    I'm a bit stuck without this feature :(

     
  • Robert Pearce

    Robert Pearce - 2012-07-19

    This second (and rather more catastrophic) bug is trivial to fix, by allocating the correct array size at line 607. The code sprintfs "%02X " into the buffer, which is FOUR bytes, not three (because of the terminating null).

    The other patch can also be simplified, as the text being displayed is fixed and therefore does not need to be strdup_printf'd and freed. Also the entry is already empty if its get_text method returns an empty string, so there's no point blanking it. Hence:

    if(strlen(text) == 0)
    {
        Put_temp_message(_("0 byte(s) sent !"), 1500);
        return FALSE;
    }

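As an added illustration of both defects discussed in this ticket (the zero-byte allocation for empty input, and the "%02X " display buffer sized at strlen(text) * 2 rather than three characters per byte plus the terminating NUL), here is a hardened send path. This is example code, not gtkterm's own; the tokenizer, the function names and the 256-byte input limit are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static int is_sep(char c) { return c == ' ' || c == ';' || c == '\0'; }
static int hexval(int c)                   /* hex digit value, either case, or -1 */
{
    return c >= '0' && c <= '9' ? c - '0' : c >= 'a' && c <= 'f' ? c - 'a' + 10
         : c >= 'A' && c <= 'F' ? c - 'A' + 10 : -1;
}

/* One- or two-digit hex tokens split on ' ' or ';' -> bytes; -1 if malformed/full. */
static int parse_hex_tokens(const char *text, unsigned char *out, size_t outmax)
{
    size_t n = 0;
    for (const char *p = text; *p; ) {
        if (is_sep(*p)) { p++; continue; }
        int v = hexval(*p++);
        if (v < 0) return -1;
        if (!is_sep(*p)) {                        /* optional second digit */
            int lo = hexval(*p++);
            if (lo < 0 || !is_sep(*p)) return -1; /* "ABC" is rejected */
            v = v * 16 + lo;
        }
        if (n == outmax) return -1;
        out[n++] = (unsigned char)v;
    }
    return (int)n;
}

/* Hardened send path: empty text returns 0 before any allocation (the report's
   patch); the buffer holds "XX " per byte plus sprintf's NUL (4 bytes for "A",
   where strlen * 2 gave 2) and every write is bounded. Returns count or -1. */
static int send_hex_text(const char *text, char **display)
{
    unsigned char bytes[256];
    *display = NULL;
    if (strlen(text) == 0) return 0;
    int n = parse_hex_tokens(text, bytes, sizeof bytes);
    if (n < 0) return -1;
    size_t cap = 3 * (size_t)n + 1, used = 0;
    char *out = calloc(cap, 1);               /* zeroed, so out[0] is NUL */
    if (!out) return -1;
    for (int i = 0; i < n; i++) {
        int w = snprintf(out + used, cap - used, "%02X ", bytes[i]);
        if (w < 0 || (size_t)w >= cap - used) { free(out); return -1; }
        used += (size_t)w;
    }
    *display = out;
    return n;
}
```

When the result is greater than 0 the caller owns *display and frees it; for the input "A" the display string is "0A ", which is exactly the four bytes the original strlen * 2 sizing did not provide.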
     
