#2840 Crash/Tcl_Panic on WinXP saving file to C:\

obsolete: 8.6b1.1
closed-fixed
8
2010-11-24
2010-09-20
Twylite
No

Using tk_getSaveFile may cause a Tcl_Panic() if a particular sequence is used to browse to C:\ .

Steps to reproduce:
* Running on Win32 (confirmed on WinXP SP3 with latest patches)
* Using Tcl 8.6b1.2 (from CVS 2010/08/31)
* Built with OPTS=threads (debug build uses OPTS=threads,symbols STATS=memdbg)
* In tclsh or wish execute the following script:
    package require Tk
    wm de .
    tk_getSaveFile -parent . -initialfile "SomeFile"
* Using the "Look in" dropdown or the navigation bar on the left, select "Desktop". Then (double-)click to select "My Computer", then "Local Disk (C:)"
* Select "Save"
* Interp will panic.

Cause:
* In GetFileNameW() (win\tkWinDialog.c) the call to ckfree(ofnData.dynFileBuffer) at the end of the proc detects a memory corruption and crashes / panics.
* The corruption occurs in OFNHookProcW() (win\tkWinDialog.c) where "dirsize = SendMessageW(hdlg, CDM_GETFOLDERPATH, 0, 0)" may set dirsize to < 0 on failure. Walking through the buffer manipulation logic one sees that the terminating NULL of the directory is replaced with a backslash, but with dirsize==-1 this corrupts the guard bytes on the buffer.
* CDM_GETFOLDERPATH appears to return an error (< 0) when selecting an item in the "My Computer" context (since "My Computer" does not correspond to a folder in the filesystem).

Solution:
Apply the following patch to empty the buffer when dirsize < 0 :

Index: tkWinDialog.c

RCS file: /cvsroot/tktoolkit/tk/win/tkWinDialog.c,v
retrieving revision 1.77
diff -r1.77 tkWinDialog.c
1032c1032,1036
< if (selsize > 1) {
---
> /*
> * Just empty the buffer if dirsize indicates an error [Bug XXXXXX]
> *
> */
> if ((selsize > 1) && (dirsize > 0)) {
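Review bot: the new condition `(dirsize > 0)` also rejects a zero result, while the comment above it speaks only of dirsize indicating an error; say in the comment that any non-positive value is treated as a failed query so the next reader does not loosen it to `!= 0`. The comment promises to "empty the buffer", but the visible change only skips the `selsize > 1` branch, so it is worth confirming that the fall-through path really leaves an empty, terminated buffer and that no later statement still indexes with the negative dirsize. Replace the `[Bug XXXXXX]` placeholder with the ticket number before commit and drop the empty ` *` line ahead of the comment close.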

Discussion

  • Twylite

    Twylite - 2010-09-20
    • priority: 5 --> 8
     
  • Twylite

    Twylite - 2010-09-20

    There is probably a corresponding bug in OFNHookProcA(), but I have not verified this.

     
  • Jan Nijtmans

    Jan Nijtmans - 2010-11-24

    I reproduced it, and hereby confirm that the proposed patch fixes the problem.

    Fixed in HEAD

    Backport?

     
  • Jan Nijtmans

    Jan Nijtmans - 2010-11-24
    • status: open --> open-fixed
     
  • Jan Nijtmans

    Jan Nijtmans - 2010-11-24
    • status: open-fixed --> closed-fixed
     
  • Jan Nijtmans

    Jan Nijtmans - 2010-11-24

    It looks like this was introduced by:

    2010-01-05 Pat Thoyts <patthoyts@users.sourceforge.net>

    * win/tkWinDialog.c: [Patch 289825]: Enable unlimited multiple file
    selection from the open files dialog. (pawlak,fellows,thoyts)

    Fix backported to Tk 8.5. Not needed for Tk 8.4, because [Patch 289825]
    was never applied there.
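
A simplified model of the failure described in the report's "Cause" section, as an added example that is not part of the ticket or of Tk's code: a length query that can return a negative value, an unchecked use that indexes with it and damages a guard byte, and a checked variant in the spirit of the patch. All names (Arena, query_folder, join_unchecked, join_checked) and the guard layout are assumptions; the guards live inside one array so the stray write is observable without undefined behaviour.

```c
#include <string.h>
#define GUARD 8      /* guard bytes on each side, as a debug allocator adds */
#define CAP   64     /* usable bytes between the guards */
#define FILL  0xAB   /* guard pattern (constructed value) */
typedef struct { unsigned char mem[GUARD + CAP + GUARD]; } Arena;

static void arena_init(Arena *a) { memset(a->mem, FILL, sizeof a->mem); }

/* Returns 1 while both guard regions still hold the fill pattern. */
static int guards_intact(const Arena *a) {
    for (int i = 0; i < GUARD; i++)
        if (a->mem[i] != FILL || a->mem[GUARD + CAP + i] != FILL) return 0;
    return 1;
}

/* Hypothetical stand-in for the folder-path query: length including the NUL,
 * or -1 when the selection has no filesystem path (dir == NULL). */
static long query_folder(const char *dir, char *out, long cap) {
    if (dir == NULL) return -1;
    long need = (long)strlen(dir) + 1;
    if (need <= cap) memcpy(out, dir, (size_t)need);
    return need;
}

/* Unchecked: trusts dirsize and turns the directory's NUL into a separator. */
static void join_unchecked(Arena *a, const char *dir, const char *file) {
    char *buf = (char *)a->mem + GUARD;
    long dirsize = query_folder(dir, buf, CAP);
    buf[dirsize - 1] = '\\';       /* dirsize == -1 writes buf[-2], a guard byte */
    strcpy(buf + dirsize, file);
}

/* Checked: a failed or oversized query empties the buffer instead. */
static int join_checked(Arena *a, const char *dir, const char *file) {
    char *buf = (char *)a->mem + GUARD;
    long dirsize = query_folder(dir, buf, CAP);
    size_t flen = strlen(file);
    if (dirsize <= 0 || (size_t)dirsize + flen + 1 > CAP) {
        buf[0] = '\0';
        return -1;
    }
    buf[dirsize - 1] = '\\';
    memcpy(buf + dirsize, file, flen + 1);
    return 0;
}

int main(void) {
    Arena a;
    arena_init(&a);
    return (join_checked(&a, NULL, "SomeFile") == -1 && guards_intact(&a)) ? 0 : 1;
}
```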

     
