GNOME Bugzilla – Bug 740347
stream: read from beyond the head
Last modified: 2021-06-10 14:58:19 UTC
Apply the attached patch (a single assertion that you don't try to read from beyond the head of a stream). Start producing heavy output, and drag the scrollbar up and down crazily with the mouse. In about 10 seconds, you'll get a crash on that failing assertion.
Created attachment 290947: The assertion that fails sometimes
My analysis was probably wrong. I assume I accidentally released the touchpad and then grabbed the window border. Attempting to resize the window with this assertion fails immediately. Apparently the ring code heavily relies on attempting to read from an out-of-bounds position (on either side) and getting a FALSE. Changing this would be cumbersome (I'd need to understand each occurrence to see whether this is the intended behavior there), so it's probably better just to document this expectation in vtestream. A minor problem with this is that the caller can't distinguish an out-of-bounds read from an actual error.
Oops, it's even uglier than I thought :) In ring.c, at "Check the previous attr record" we might easily read 16 bytes starting at the offset (gsize)(-16) [that is, up to offset 0]. This causes an assertion failure with bug 738601 comment 51's patch: start vte, resize horizontally, then press a letter => crash. The condition there to detect out-of-bounds coordinates doesn't properly catch an interval starting at a giant value (a small negative, stored in a gsize, which is unsigned) and ending at 0.
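The failure mode in the comment above, as an added illustration that is not vte's code: a toy stream whose offsets are unsigned like gsize, with a naive bounds check that only validates where the read window ends (so a window starting at (gsize)(-16) and wrapping to 0 slips through) beside an overflow-safe check that rejects the wrapped interval and returns FALSE instead of asserting. The stream layout, function names and sample contents are assumptions made for this example, not the real ring/vtestream API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stream: offsets are unsigned (like gsize), a read window is
 * [offset, offset + len), and the readable range is [tail, head).
 * All names here are assumptions for this example, not vte's own API. */
#define RING_SIZE 64

typedef struct {
    size_t tail;                    /* oldest offset still in the stream */
    size_t head;                    /* one past the newest byte */
    unsigned char ring[RING_SIZE];  /* backing store, indexed by offset % RING_SIZE */
} stream_t;

/* Constructed sample: nbytes bytes written so that offset i holds (i & 0xff). */
static void stream_init(stream_t *s, size_t nbytes)
{
    s->head = nbytes;
    s->tail = nbytes > RING_SIZE ? nbytes - RING_SIZE : 0;
    for (size_t i = s->tail; i < s->head; i++)
        s->ring[i % RING_SIZE] = (unsigned char)(i & 0xff);
}

/* Naive check: validates only where the window ends. With offset = (size_t)-16
 * and len = 16 the sum wraps to 0, which is >= tail and <= head, so the
 * out-of-bounds window is accepted. This reproduces the gap described above. */
static bool in_bounds_naive(const stream_t *s, size_t offset, size_t len)
{
    size_t end = offset + len;
    return end >= s->tail && end <= s->head;
}

/* Overflow-safe check: rule out additive wraparound before forming the end. */
static bool in_bounds_safe(const stream_t *s, size_t offset, size_t len)
{
    if (len > SIZE_MAX - offset)    /* offset + len would wrap around */
        return false;
    return offset >= s->tail && offset + len <= s->head;
}

/* Copy len bytes at offset into out; FALSE for any out-of-bounds window. */
static bool stream_read(const stream_t *s, size_t offset, size_t len, unsigned char *out)
{
    if (!in_bounds_safe(s, offset, len))
        return false;
    for (size_t i = 0; i < len; i++)
        out[i] = s->ring[(offset + i) % RING_SIZE];
    return true;
}

/* Scenario from the comment: 32 bytes in the stream, 16 bytes requested
 * starting at (size_t)-16. The naive check lets it through. */
static bool naive_accepts_wrapped_window(void)
{
    stream_t s;
    stream_init(&s, 32);
    return in_bounds_naive(&s, (size_t)-16, 16);
}

/* The safe path rejects the wrapped window and a window past the head. */
static bool safe_rejects_bad_windows(void)
{
    stream_t s;
    unsigned char buf[16];
    stream_init(&s, 32);
    return !stream_read(&s, (size_t)-16, 16, buf) && !stream_read(&s, 24, 16, buf);
}

/* An in-bounds read still works: sum of offsets 8..23 is 248. */
static unsigned sum_of_valid_window(void)
{
    stream_t s;
    unsigned char buf[16];
    unsigned sum = 0;
    stream_init(&s, 32);
    if (!stream_read(&s, 8, 16, buf))
        return 0;
    for (size_t i = 0; i < 16; i++)
        sum += buf[i];
    return sum;
}

int main(void)
{
    printf("naive check accepts wrapped window: %s\n", naive_accepts_wrapped_window() ? "yes" : "no");
    printf("safe check rejects bad windows:     %s\n", safe_rejects_bad_windows() ? "yes" : "no");
    printf("sum of valid window:                %u\n", sum_of_valid_window());
    return 0;
}
```

The point of the safe variant is the order of the tests: comparing `len` against `SIZE_MAX - offset` is the one subtraction that cannot itself wrap, so the check rejects the interval before ever forming an `offset + len` that has already wrapped to a small value.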
Comment on attachment 290947 (The assertion that fails sometimes): needs-work, based on comment 2 and comment 3.
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/vte/-/issues/2145.