Bug 567064 - g-t crash with 'perl -e 'print "\xec\x98\x8c";' > /tmp/bug; less /tmp/bug'
Status: RESOLVED FIXED
Product: vte
Classification: Core
Component: general
Version: unspecified
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: VTE Maintainers
QA Contact: VTE Maintainers
Depends on:
Blocks:
 
 
Reported: 2009-01-08 19:03 UTC by Christian Persch
Modified: 2009-04-23 15:29 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Stops the crash due to an invalid sequence (736 bytes, patch), 2009-04-21 02:02 UTC, Robert Ancell, committed

Description Christian Persch 2009-01-08 19:03:36 UTC
Found on https://bugs.launchpad.net/ubuntu/+source/gnome-terminal/+bug/314826 .

$ MALLOC_CHECK_=2 gdb --args ./gnome-terminal --disable-factory
(gdb) run

Now in the new terminal process, type 
$ perl -e 'print "\xec\x98\x8c";' > /tmp/bug; less /tmp/bug

Program received signal SIGSEGV, Segmentation fault.

Thread 3071256320 (LWP 17068)
#0  memcpy from /lib/tls/i686/cmov/libc.so.6
#1  geteuid
#2  _vte_buffer_set_minimum_size at buffer.c line 88
#3  _vte_conv at vteconv.c line 270
#4  _vte_conv_cu at vteconv.c line 360
#5  process_cdata
#6  process_block
#7  _vte_iso2022_process
#8  vte_terminal_process_incoming at vte.c line 3788
#9  time_process_incoming at vte.c line 13906
#10 update_repeat_timeout at vte.c line 14080
#11 g_timeout_dispatch at gmain.c line 3253
#12 g_main_dispatch at gmain.c line 1814
#13 g_main_context_dispatch at gmain.c line 2367
#14 g_main_context_iterate at gmain.c line 2448
#15 g_main_loop_run at gmain.c line 2656
#16 gtk_main at gtkmain.c line 1199
#17 main at ../../src/terminal.c line 453


g-t and vte from svn trunk.
Comment 1 Robert Ancell 2009-04-21 01:51:40 UTC
The bug is in vteconv.c where _vte_conv_cu() returns -1 and sets inbytes to zero.  The EILSEQ handler then decrements inbytes (which is an unsigned gsize).
Comment 2 Robert Ancell 2009-04-21 02:02:03 UTC
Created attachment 133007: Stops the crash due to an invalid sequence

(correction, the file changed is iso2022.c)

This stops the crash; I'm not sure if it is the correct behaviour, however.
Comment 3 Behdad Esfahbod 2009-04-23 04:33:46 UTC
Can't reproduce.  And the code looks right to me.  Is it on x86_64?
Can you debug inside _vte_conv() and see why we consumed all the input but are returning -1?
Comment 4 Behdad Esfahbod 2009-04-23 04:35:33 UTC
Ok, reproduced.  Need to set encoding to SHIFT_JIS first.
Comment 5 Behdad Esfahbod 2009-04-23 04:58:01 UTC
Looks like an iconv bug.
Comment 6 Behdad Esfahbod 2009-04-23 05:19:04 UTC
Iconv test and bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=497267
Comment 7 Behdad Esfahbod 2009-04-23 15:29:12 UTC
Ok, I committed your patch to work around the iconv bug.
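The failure path Robert describes in comment 1 (the converter returns -1 with inbytes already zero, and the EILSEQ handler then decrements the unsigned count) and the guard committed in comment 7, as an added example in C that is not vte's own code. Everything here is constructed for illustration: buggy_conv() mimics the iconv misbehaviour reported in comment 5 rather than reproducing it, strict_conv() is a toy converter with a made-up rule, gsize stands in for GLib's type, and the sample bytes are the three from the report wrapped in ASCII.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not vte's own code. gsize mirrors GLib's unsigned size type. */
typedef size_t gsize;

/* Converter interface modelled on iconv(3): consumes from *inbuf/*inbytes,
 * writes to *outbuf/*outbytes, returns (gsize)-1 and sets errno on error. */
typedef gsize (*conv_fn)(const char **inbuf, gsize *inbytes,
                         char **outbuf, gsize *outbytes);

/* Hypothetical stand-in for the misbehaving path in comment 5: consumes
 * every input byte and still returns -1 with errno == EILSEQ. */
static gsize buggy_conv(const char **inbuf, gsize *inbytes,
                        char **outbuf, gsize *outbytes)
{
    gsize n = *inbytes < *outbytes ? *inbytes : *outbytes;
    memcpy(*outbuf, *inbuf, n);           /* pass bytes through unchanged */
    *inbuf += n;  *inbytes -= n;
    *outbuf += n; *outbytes -= n;
    errno = EILSEQ;
    return (gsize)-1;                     /* ...but claim an invalid sequence */
}

/* Well-behaved converter for contrast (constructed rule, not a real charset):
 * copies ASCII, and on the first byte >= 0x80 reports EILSEQ while leaving
 * that byte unconsumed, as a conforming iconv() does. */
static gsize strict_conv(const char **inbuf, gsize *inbytes,
                         char **outbuf, gsize *outbytes)
{
    while (*inbytes > 0 && *outbytes > 0) {
        unsigned char c = (unsigned char)**inbuf;
        if (c >= 0x80) { errno = EILSEQ; return (gsize)-1; }
        **outbuf = (char)c;
        (*inbuf)++;  (*inbytes)--;
        (*outbuf)++; (*outbytes)--;
    }
    return 0;
}

/* The EILSEQ step as comment 1 describes it: skip one byte by decrementing
 * the unsigned count. With inbytes == 0 this wraps to SIZE_MAX, a length
 * that a later _vte_buffer_set_minimum_size() and memcpy() cannot honour. */
static gsize next_inbytes_unguarded(gsize inbytes) { return inbytes - 1; }

/* Guarded step: never skip past the end of the input. */
static gsize next_inbytes_guarded(gsize inbytes) { return inbytes > 0 ? inbytes - 1 : 0; }

/* Guarded conversion loop. Returns the number of output bytes produced, or
 * (gsize)-1 on an error other than EILSEQ. Invalid bytes are skipped one at
 * a time; if the converter reports EILSEQ with nothing left, we stop
 * instead of wrapping the counter. */
static gsize convert_guarded(conv_fn conv, const char *in, gsize inbytes,
                             char *out, gsize outsize)
{
    const char *ip = in;
    char *op = out;
    gsize outbytes = outsize;

    while (inbytes > 0) {
        gsize r = conv(&ip, &inbytes, &op, &outbytes);
        if (r != (gsize)-1)
            break;                        /* converted everything it could */
        if (errno != EILSEQ)
            return (gsize)-1;
        if (inbytes == 0)
            break;                        /* the workaround: nothing left to skip */
        ip++;                             /* skip the offending byte and retry */
        inbytes = next_inbytes_guarded(inbytes);
    }
    return outsize - outbytes;
}

/* Run a constructed sample through the guarded loop and compare the output
 * with what the caller expects. Returns 1 on match, 0 otherwise. */
static int run_sample(conv_fn conv, const char *in, gsize inbytes,
                      const char *expect, gsize expect_len)
{
    char out[64];
    gsize n = convert_guarded(conv, in, inbytes, out, sizeof out);
    return n == expect_len && memcmp(out, expect, n) == 0;
}

int main(void)
{
    /* Constructed input: the three bytes from the report, wrapped in ASCII. */
    static const char sample[] = "ab\xec\x98\x8c" "de";
    printf("unguarded step from 0 wraps to %zu\n", next_inbytes_unguarded(0));
    printf("strict converter keeps ASCII only: %d\n",
           run_sample(strict_conv, sample, 7, "abde", 4));
    printf("buggy converter consumes all, loop stops cleanly: %d\n",
           run_sample(buggy_conv, sample, 7, sample, 7));
    return 0;
}
```

With the strict converter the loop drops the three non-ASCII bytes and keeps "abde"; with the buggy converter all seven bytes are consumed, EILSEQ is reported anyway, and the `inbytes == 0` check ends the loop where the unguarded decrement would have produced SIZE_MAX.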