GNOME Bugzilla – Bug 51644
gtk+ 1.2.9 crashes in wcstombs()
Last modified: 2011-02-04 16:09:02 UTC
Package: gtk+
Version: 1.2.9

On Linux (Mandrake 7.0 RE, kernel 2.2.18, XFree86-3.3.6, glibc-2.1.3) gtk+-1.2.9 compiled with --with-native-locale crashes inside the wcstombs() function. The crash can be reproduced with testgtk with LC_ALL=ru_RU.KOI8-R (it does not happen with LC_ALL=C):

1) Click "entry" in the main window.
2) In the "entry" window, delete all text from the combo box.

The program aborts with the message:

wcsrtombs.c:116: __wcsrtombs: Assertion `data.outbuf != (unsigned char *) dst' failed.

The crash happens when gdk_wcstombs() is called with an empty string. In this case, inside _gdk_wcstombs_len() the `len' variable becomes 0, and wcstombs() is called with len=0 and dies. I don't know if wcstombs() is supposed to handle this case (if it should, this is a glibc bug). The following patch fixes the problem:

--- gtk+-1.2.9/gdk/gdkim.c.orig Tue Feb 27 10:49:29 2001 +++ gtk+-1.2.9/gdk/gdkim.c Sun Mar 4 16:03:16 2001 @@ -1513,7 +1513,8 @@ result = g_malloc (len + 1); - wcstombs (result, (wchar_t *)src, len); + if (len != 0) + wcstombs (result, (wchar_t *)src, len); result[len] = '\0'; if (p != buf)

------- Bug moved to this database by unknown@bugzilla.gnome.org 2001-03-04 08:27 -------

The original reporter (vsu@mivlgu.murom.ru) of this bug does not have an account here. Reassigning to the exporter, unknown@bugzilla.gnome.org. Reassigning to the default owner of the component, gtk-bugs@gtk.org.
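Review bot: the `if (len != 0)` guard is enough to avoid the glibc 2.1.3 assertion on an empty string (since `result = g_malloc (len + 1)` still runs, `result[len] = '\0'` yields "" for that case), but the return value of `wcstombs (result, (wchar_t *)src, len)` is still discarded. wcstombs() returns (size_t)-1 when it meets a wide character it cannot convert, and the hunk then hands back a `result` that is only partially filled yet NUL-terminated at `len`, so the caller silently receives truncated or uninitialised bytes. Suggest capturing the result, e.g. `if (wcstombs (result, (wchar_t *)src, len) == (size_t)-1)`, and handling the failure (warn, free, return NULL) rather than trusting the precomputed `len` alone.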
Since glibc-2.2 does not exhibit the same problem, I'd say this is a glibc-2.1.3 bug. (And no, wcstombs isn't supposed to do that in any case.) However, since the check is simple, I'll add it if we end up doing a 1.2.10.
There are some more problems in this function. Sometimes wctomb() returns -1, and len=-1 results in a coredump. I have not traced the source of invalid wide characters (which cause wctomb() to fail), but maybe we should make _gdk_wcstombs_len() more robust with respect to this? Also, what does the official specification say about wcstombs()? If the specification does not require correct handling of len=0, we must not pass it regardless of what glibc 2.2 does in this respect.
Created attachment 395: Fix problems with _gdk_wcstombs_len()
The last patch is more robust (it will not die with SIGSEGV even if the string contains wide characters which cannot be converted).
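As an added example, not code from the bug report, the attachment, or GTK+ itself: a stand-alone C version of the conversion the comments above ask for, covering both failure modes discussed (wctomb() returning -1 so that len goes negative, and wcstombs() being called with len=0). The function name `safe_wcstombs_len` is hypothetical, and the sample inputs are constructed.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical stand-in for _gdk_wcstombs_len(): converts the first src_len
 * wide characters of src (the whole string when src_len < 0) to a malloc'd,
 * NUL-terminated multibyte string in the current locale.
 * Returns NULL instead of crashing when a character is not convertible. */
char *safe_wcstombs_len(const wchar_t *src, int src_len)
{
    char scratch[MB_LEN_MAX];
    size_t len = 0;
    int i;

    wctomb(NULL, 0);                 /* reset shift state (stateful encodings) */

    /* Pass 1: measure the output, validating every character. A failed
     * wctomb() returns -1; adding that to len is what produced the
     * "len = -1" core dump discussed above, so refuse early instead. */
    for (i = 0; (src_len < 0 || i < src_len) && src[i]; i++) {
        int charlen = wctomb(scratch, src[i]);
        if (charlen < 0)
            return NULL;
        len += (size_t)charlen;
    }

    char *result = malloc(len + 1);
    if (result == NULL)
        return NULL;

    /* Pass 2: the real conversion. Never call wcstombs() with len == 0
     * (the glibc 2.1.3 assertion); an empty input simply yields "". */
    if (len != 0) {
        size_t n = wcstombs(result, src, len);
        if (n != len) {              /* (size_t)-1 on error, or short output */
            free(result);
            return NULL;
        }
    }
    result[len] = '\0';
    return result;
}

/* Constructed sample inputs: plain ASCII, and U+20AC (euro sign), which
 * has no representation in the default "C" locale. */
const wchar_t SAMPLE_ASCII[] = L"abc";
const wchar_t SAMPLE_BAD[]   = { L'a', 0x20AC, L'z', 0 };
```

The caller owns the returned buffer and must free() it; a NULL return is the signal to warn and bail out rather than dereference.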
The problem with wctomb is most likely a problem with GtkEntry improperly converting between wide and multibyte characters that will be fixed in 1.2.10. I don't think we try to recover in that case, since it will always either be:

- A bug in the caller
- A bug in the C library

But complaining in that case is probably good, so I've committed the code:

for (i=0; (src_len < 0 || i < src_len) && src[i]; i++) - len += wctomb (p, src[i]); + { + int charlen = wctomb (p, src[i]); + g_return_if_fail (charlen < 0, NULL); + + len += charlen; + }

So, unless you've compiled GTK+ --disable-debug, there will be a warning message printed out (and probably a segfault immediately after from the NULL return. But I don't think there is any reasonable recovery here.)
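Review bot: the check added in this hunk is inverted and uses the wrong macro. `g_return_if_fail (charlen < 0, NULL);` takes a single condition and returns void, and the two-argument form `g_return_val_if_fail (expr, val)` returns `val` when `expr` is FALSE, so as written every successful wctomb() result (charlen >= 0) would emit the warning and return early while the failing case (charlen == -1) would pass through. It should read `g_return_val_if_fail (charlen >= 0, NULL);`. Given the comment that a NULL return "probably" segfaults right after, the callers of this function should also check for NULL rather than dereference the result.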
*** Bug 59722 has been marked as a duplicate of this bug. ***
*** Bug 60159 has been marked as a duplicate of this bug. ***
*** Bug 61324 has been marked as a duplicate of this bug. ***
*** Bug 52303 has been marked as a duplicate of this bug. ***