GNOME Bugzilla – Bug 702689
Crash on a corrupted (fuzzed) gnumeric file
Last modified: 2013-06-20 19:38:09 UTC
Crash on a corrupted (fuzzed) gnumeric file. Trying to open a too-wide window? Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_11083_3399.gnumeric

(/home/jutaky/fuzzing/apps/bin/gnumeric-1.12.3:19365): Gdk-WARNING **: Native Windows wider or taller than 65535 pixels are not supported
(/home/jutaky/fuzzing/apps/bin/gnumeric-1.12.3:19365): Gdk-ERROR **: The program '/home/jutaky/fuzzing/apps/bin/gnumeric-1.12.3' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadValue (integer parameter out of range for operation)'.
  (Details: serial 210 error_code 2 request_code 12 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the GDK_SYNCHRONIZE environment
   variable to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff3b52fa5 in g_logv (log_domain=0x7ffff5aa7ae6 "Gdk", log_level=G_LOG_LEVEL_ERROR, format=0x7ffff5ab3350 "%s", args=0x7fffffffd408) at gmessages.c:989
989	  G_BREAKPOINT ();
(gdb) bt
+ Trace 232107
-- Juha Kylmänen Research Assistant, OUSPG
There's a gtk+ bug for this somewhere. 65535 should have been 32767. The fix is obvious, but somehow doesn't get applied.
Okay, I don't see a crash. I note that there are criticals if the file is opened as a second (or later) file. In that case the window is empty and I see:

(gnumeric:12947): Gdk-WARNING **: Native Windows wider or taller than 65535 pixels are not supported
(gnumeric:12947): Gtk-CRITICAL **: gtk_distribute_natural_allocation: assertion `extra_space >= 0' failed
All of this should be caused by <gmr:Geometry Width="65536" Height="544"/>
The following will fix the issue at hand: ---------------------------------------------- diff --git a/src/xml-sax-read.c b/src/xml-sax-read.c index fbf60ff..5a1d36e 100644 --- a/src/xml-sax-read.c +++ b/src/xml-sax-read.c @@ -601,6 +601,11 @@ xml_sax_wb_view (GsfXMLIn *xin, xmlChar const **attrs) else unknown_attr (xin, attrs); + if (width > 2000) + width = 2000; + if (height > 2000) + height = 2000; + if (width > 0 && height > 0) wb_view_preferred_size (state->wb_view, width, height); } ---------------------------------------------- but we really should use a number closer to the true screen size.
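Review bot: the two new `if (width > 2000)` / `if (height > 2000)` checks clamp to a magic number that has no relation to the display, so a geometry legitimately saved on a large or multi-monitor screen is silently cut down to 2000, while on a small display 2000 still exceeds the screen and an oversize window is still requested. Because the hunk sits in xml-sax-read.c immediately before the `wb_view_preferred_size (state->wb_view, width, height);` call, it also rewrites the preference stored in the model rather than only limiting what is asked of GTK. Suggest naming the constant at minimum, and preferably moving the clamp to where the size is handed to the toolkit so the bound can be derived from the real screen size, as the closing sentence of the comment already hints.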
I don't like it in that location. The place to truncate would be wbc-gtk.c, near line 2487. I think we even have a display/screen to query at that point.
The gtk+ bug is bug 698758. (With many duplicates.)
Created attachment 247358: proposed patch (option 1)

This patch limits the preferred size to the total screen size.
Created attachment 247359: proposed patch (option 2)

This patch limits the preferred size to the monitor size (enlarged to 600 by 200). In view of the maximization code that follows, both options 1 and 2 have the same effect. I prefer option 1 because I don't think the current maximization code makes sense. The maximization code makes it impossible to save and restore a window that spans 2 monitors.
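The two attachments above both amount to treating the saved <gmr:Geometry> width and height as untrusted hints and bounding them by the display before the size reaches GTK. The following is an added, stand-alone C example written for this page; it is not gnumeric's code and not either attached patch. It assumes the screen size is passed in as plain integers (in gnumeric they would come from GDK), uses the 32767 ceiling mentioned earlier in this thread as the hard X limit, and picks 100 pixels as an illustrative minimum; MIN_WIDTH, MIN_HEIGHT, parse_dimension and geometry_for_display are names chosen for the example.

```c
/* Added example, not gnumeric's own code: parse the Width/Height attributes
 * of a <gmr:Geometry> element from an untrusted file and clamp them to what
 * the display can show before requesting a window of that size. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* This thread notes the real window-size limit is 32767, not the 65535 in
 * the Gdk warning; never request more than that regardless of screen size. */
#define X_GEOMETRY_MAX 32767

/* Illustrative lower bound so a damaged file cannot yield a useless
 * zero-sized window (value chosen for this example). */
#define MIN_WIDTH  100
#define MIN_HEIGHT 100

typedef struct {
    int width;
    int height;
} geometry_t;

/* Parse a decimal attribute into an int. Rejects empty strings, trailing
 * garbage, negative numbers and anything beyond INT_MAX, so the caller falls
 * back to a default rather than trusting a partially parsed value. */
bool parse_dimension(const char *attr, int *out)
{
    char *end;
    long v;

    if (attr == NULL || *attr == '\0')
        return false;
    errno = 0;
    v = strtol(attr, &end, 10);
    if (errno == ERANGE || *end != '\0' || v < 0 || v > INT_MAX)
        return false;
    *out = (int)v;
    return true;
}

/* Clamp v into [lo, hi]. */
static int clamp_int(int v, int lo, int hi)
{
    if (v < lo) return lo;
    if (v > hi) return hi;
    return v;
}

/* Decide the window size to request for a document whose saved geometry is
 * (width_attr, height_attr) on a display of screen_w x screen_h pixels.
 * Saved values are hints only: oversize values are reduced to the screen
 * (and never above X_GEOMETRY_MAX), unparsable values use the fallback.
 * This follows the "limit to the total screen size" idea of option 1. */
geometry_t geometry_for_display(const char *width_attr, const char *height_attr,
                                int screen_w, int screen_h,
                                int fallback_w, int fallback_h)
{
    geometry_t g;
    int w, h;
    int max_w = clamp_int(screen_w, MIN_WIDTH, X_GEOMETRY_MAX);
    int max_h = clamp_int(screen_h, MIN_HEIGHT, X_GEOMETRY_MAX);

    if (!parse_dimension(width_attr, &w))
        w = fallback_w;
    if (!parse_dimension(height_attr, &h))
        h = fallback_h;

    g.width  = clamp_int(w, MIN_WIDTH, max_w);
    g.height = clamp_int(h, MIN_HEIGHT, max_h);
    return g;
}

int main(void)
{
    /* Constructed input: the Geometry values from the fuzzed file in this bug,
     * on a hypothetical 1920x1080 screen. */
    geometry_t g = geometry_for_display("65536", "544", 1920, 1080, 800, 600);
    printf("fuzzed geometry -> request %dx%d\n", g.width, g.height);

    /* Constructed input: garbage attributes fall back to the defaults. */
    g = geometry_for_display("12abc", "-5", 1920, 1080, 800, 600);
    printf("garbage geometry -> request %dx%d\n", g.width, g.height);
    return 0;
}
```

The parser deliberately rejects the whole value on trailing garbage instead of keeping the numeric prefix, and the screen size itself is clamped first so a bogus multi-monitor total cannot push the request past the X limit.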
Flip a coin.
Heads (that's option 1).

This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.