Bug 433776 - gnome-terminal crashes when open preedit area
Status: RESOLVED FIXED
Product: vte
Classification: Core
Component: general
Version: unspecified
Hardware: Other
OS: opensolaris
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: VTE Maintainers
QA Contact: VTE Maintainers
Depends on:
Blocks:
Reported: 2007-04-27 03:22 UTC by Takao Fujiwara
Modified: 2007-04-27 10:10 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
patch for src/vte.c (555 bytes, patch), 2007-04-27 03:28 UTC, Takao Fujiwara
Use the validated preedit_cursor var (955 bytes, patch), 2007-04-27 07:53 UTC, Chris Wilson

Description Takao Fujiwara 2007-04-27 03:22:07 UTC
gnome-terminal crashes when the preedit area is opened, because of a buffer overflow.

To reproduce:
1. Invoke gnome-terminal on ja_JP.UTF-8.
2. Input Ctrl + Space and open the input method.
3. Input 'a' x 9 to 20 times.

I'm attaching the patch.
Comment 1 Takao Fujiwara 2007-04-27 03:28:32 UTC
Created attachment 87116 [details] [review]
patch for src/vte.c

Attached the patch.

This is caused because len == terminal->pvt->im_preedit_cursor and items[terminal->pvt->im_preedit_cursor] overflows.

Could you review the patch?
Comment 2 Chris Wilson 2007-04-27 07:53:20 UTC
Created attachment 87126 [details] [review]
Use the validated preedit_cursor var

I think this patch makes more sense given the effort that went into discovering the index that corresponds to the cursor position...
Comment 3 Chris Wilson 2007-04-27 09:05:49 UTC
r1886: 2007-04-27  Chris Wilson  <chris@chris-wilson.co.uk>

	Bug 433776 – gnome-terminal crashes when open preedit area

	* src/vte.c (vte_terminal_paint): Use the validated cursor index.

Comment 4 Takao Fujiwara 2007-04-27 09:13:32 UTC
Hi Chris,

Thanks much for your quick integration.
However, when I checked your patch, the cursor position changed as the preedit string grew. I'm not sure about my problem.

Please double check it.
Comment 5 Chris Wilson 2007-04-27 09:22:39 UTC
As I read the code I assumed it was translating a byte offset into a character offset. However, the docs for gtk_im_context_get_preedit_string say:
 * @cursor_pos: location to store position of cursor (in characters)
 *              within the preedit string.  
which suggests that preedit_cursor is completely misleading...
Comment 6 Chris Wilson 2007-04-27 09:35:12 UTC
Sorry about that, I should have been more suspicious about why it was still using im_preedit_cursor even though it had found a validated index. The end result is I've reproduced your patch (ensure that the im_preedit_cursor is within bounds and use it as index into the items array) and thrown away some unused and misleading code.

r1887: 2007-04-27  Chris Wilson  <chris@chris-wilson.co.uk>

	Bug 433776 – gnome-terminal crashes when open preedit area
	Take 2.

	* src/vte.c (vte_terminal_paint): The preedit_cursor is returned by
	the input modules in characters not in bytes as assumed by the
	validation.

Comment 7 Takao Fujiwara 2007-04-27 10:10:48 UTC
OK, I confirmed your change. Thanks.
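The two failure modes the thread walks through, as an added C example that is not vte's code: comment 1's out-of-bounds read of items[len] when the preedit cursor sits after the last character, and comments 5 and 6's drift when a character offset is treated as a byte offset. The cell struct, the two-column width for 3-byte characters and all function names are assumptions standing in for the items[] layout in vte_terminal_paint.

```c
#include <string.h>
/* One screen cell per preedit character: stands in for the items[] array
 * that vte_terminal_paint builds (simplified, assumed layout). */
struct cell { int column; int width; };
/* Lay out one cell per UTF-8 character; 3-byte (CJK) characters are assumed
 * two columns wide, all others one. Returns the cell count (len). */
static size_t layout_preedit(const char *s, struct cell *items, size_t max) {
    size_t n = 0;
    int col = 0;
    while (*s && n < max) {
        unsigned char c = (unsigned char)*s;
        int bytes = c < 0x80 ? 1 : c < 0xE0 ? 2 : c < 0xF0 ? 3 : 4;
        items[n].column = col;
        items[n].width = (bytes == 3) ? 2 : 1;
        col += items[n].width;
        s += bytes;
        n++;
    }
    return n;
}
/* The r1886 misreading: take the character cursor as a byte offset and map
 * it to a character index. On multi-byte text this selects the wrong
 * character, so the drawn cursor drifts as the preedit string grows. */
static size_t bytes_as_char_index(const char *s, size_t cursor) {
    size_t n = 0, total = strlen(s);
    for (size_t i = 0; i < cursor && i < total; i++)
        if (((unsigned char)s[i] & 0xC0) != 0x80)
            n++;
    return n;
}
/* The take-2 fix: the cursor is already in characters, so bounds-check it
 * against len before indexing. cursor == len means "after the last
 * character": return the column after that cell instead of reading
 * items[len], which is one past the end of the array. */
static int cursor_column(const struct cell *items, size_t len, size_t cursor) {
    if (len == 0)
        return 0;
    if (cursor >= len)
        return items[len - 1].column + items[len - 1].width;
    return items[cursor].column;
}
/* Column of the cursor placed at the end of preedit string s (cursor == len),
 * i.e. the case from the bug report. */
static int end_cursor_column(const char *s) {
    struct cell items[64];
    size_t len = layout_preedit(s, items, 64);
    return cursor_column(items, len, len);
}
```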