Menu
▾
▴
[Tcl-bugs] [ tktoolkit-Bugs-3071836 ] Crash/Tcl_Panic on WinXP saving file to C:\
|
From: SourceForge.net <no...@so...> - 2010-09-20 11:43:13
|
Bugs item #3071836, was opened at 2010-09-20 13:43 Message generated for change (Tracker Item Submitted) made by twylite You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=112997&aid=3071836&group_id=12997 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: 37. [tk_get*File] Group: development: 8.6b1.1 Status: Open Resolution: None Priority: 5 Private: No Submitted By: Twylite (twylite) Assigned to: Jeffrey Hobbs (hobbs) Summary: Crash/Tcl_Panic on WinXP saving file to C:\ Initial Comment: Using tk_getSaveFile may cause a Tcl_Panic() if a particular sequence is used to browse to C:\ . Steps to reproduce: * Running on Win32 (confirmed on WinXP SP3 with latest patches) * Using Tcl 8.6b1.2 (from CVS 2010/08/31) * Built with OPTS=threads (debug build uses OPTS=threads,symbols STATS=memdbg) * In tclsh or wish execute the following script: package require Tk wm de . tk_getSaveFile -parent . -initialfile "SomeFile" * Using the "Look in" dropdown or the navigation bar on the left, select "Desktop". Then (double-)click to select "My Computer", then "Local Disk (C:)" * Select "Save" * Interp will panic. Cause: * In GetFileNameW() (win\tkWinDialog.c) the call to ckfree(ofnData.dynFileBuffer) at the end of the proc detects a memory corruption and crashes / panics. * The corruption occurs in OFNHookProcW() (win\tkWinDialog.c) where "dirsize = SendMessageW(hdlg, CDM_GETFOLDERPATH, 0, 0)" may set dirsize to < 0 on failure. Walking through the buffer manipulation logic one sees that the terminating NULL of the directory is replaced with a backslash, but with dirsize==-1 this corrupts the guard bytes on the buffer. * CDM_GETFOLDERPATH appears to return an error (< 0) when selecting an item in the "My Computer" context (since "My Computer" does not correspond to a folder in the filesystem). Solution: Apply the following patch to empty the buffer when dirsize < 0 : Index: tkWinDialog.c =================================================================== RCS file: /cvsroot/tktoolkit/tk/win/tkWinDialog.c,v retrieving revision 1.77 diff -r1.77 tkWinDialog.c 1032c1032,1036 < if (selsize > 1) { --- > /* > * Just empty the buffer if dirsize indicates an error [Bug XXXXXX] > * > */ > if ((selsize > 1) && (dirsize > 0)) { ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=112997&aid=3071836&group_id=12997 |
