Bug 389538 - crash in Terminal: nothing
Status: RESOLVED FIXED
Product: vte
Classification: Core
Component: general
Version: unspecified
Hardware: Other
OS: All
Priority: High
Severity: critical
Target Milestone: ---
Assigned To: VTE Maintainers
QA Contact: VTE Maintainers
Duplicates: 158238 365287 399648 421367 422862 438031 438389 438413 444203 445209 464765 477963
Depends on:
Blocks:
Reported: 2006-12-25 19:33 UTC by kmberry
Modified: 2008-10-12 12:22 UTC
See Also:
GNOME target: ---
GNOME version: 2.17/2.18

Attachments
Protect against building a <=0 length string. (619 bytes, patch) | 2007-01-22 08:48 UTC, Chris Wilson | status: none
Actually protect against building a <= length string. (619 bytes, patch) | 2007-01-22 08:50 UTC, Chris Wilson | status: committed

Description kmberry 2006-12-25 19:33:50 UTC
Version: 2.16.1

What were you doing when the application crashed?
nothing


Distribution: Fedora Core release 6 (Rawhide)
Gnome Release: 2.17.2 2006-11-07 (Red Hat, Inc)
BugBuddy Version: 2.17.3

System: Linux 2.6.19-prep #2 Sun Dec 24 23:23:09 EST 2006 i686
X Vendor: The X.Org Foundation
X Vendor Release: 70101000
Selinux: Enforcing
Accessibility: Enabled

Memory status: size: 69705728 vsize: 0 resident: 69705728 share: 0 rss: 25825280 rss_rlim: 0
CPU usage: start_time: 1167073236 rtime: 0 utime: 2851 stime: 0 cutime:1472 cstime: 0 timeout: 1379 it_real_value: 0 frequency: 4

Backtrace was generated from '/usr/bin/gnome-terminal'

(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1208142128 (LWP 3748)]
[New Thread -1214522480 (LWP 3755)]
(no debugging symbols found)
0x0078b402 in ?? ()

Thread 1 (Thread -1208142128 (LWP 3748))

#0  ??
#1  waitpid from /lib/libpthread.so.0
#2  libgnomeui_module_info_get from /usr/lib/libgnomeui-2.so.0
#3  <signal handler called>
#4  ??
#5  raise from /lib/libc.so.6
#6  abort from /lib/libc.so.6
#7  g_logv from /lib/libglib-2.0.so.0
#8  g_log from /lib/libglib-2.0.so.0
#9  g_malloc from /lib/libglib-2.0.so.0
#10 vte_terminal_accessible_get_type from /usr/lib/libvte.so.9
#11 atk_text_get_text_at_offset from /usr/lib/libatk-1.0.so.0
#12 spi_text_interface_new from /usr/lib/libspi.so.0
#13 _ORBIT_skel_small_Accessibility_Text_getTextAtOffset from /usr/lib/libspi.so.0
#14 IOP_start_profiles from /usr/lib/libORBit-2.so.0
#15 ORBit_OAObject_invoke from /usr/lib/libORBit-2.so.0
#16 ORBit_small_invoke_adaptor from /usr/lib/libORBit-2.so.0
#17 ORBit_recv_buffer_return_sys_exception from /usr/lib/libORBit-2.so.0
#18 ORBit_recv_buffer_return_sys_exception from /usr/lib/libORBit-2.so.0
#19 ORBit_skel_class_register from /usr/lib/libORBit-2.so.0
#20 ORBit_handle_request from /usr/lib/libORBit-2.so.0
#21 giop_connection_handle_input from /usr/lib/libORBit-2.so.0
#22 link_connection_state_changed from /usr/lib/libORBit-2.so.0
#23 link_io_add_watch_fd from /usr/lib/libORBit-2.so.0
#24 g_main_context_dispatch from /lib/libglib-2.0.so.0
#25 g_main_context_check from /lib/libglib-2.0.so.0
#26 g_main_loop_run from /lib/libglib-2.0.so.0
#27 gtk_main from /usr/lib/libgtk-x11-2.0.so.0
#28 g_cclosure_marshal_VOID__OBJECT
#29 __libc_start_main from /lib/libc.so.6
#30 g_cclosure_marshal_VOID__OBJECT
#0  ??


----------- .xsession-errors (1840 sec old) ---------------------
COMM_FAILURE
Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/orca/atspi.py", line 680, in __init__
    self.accessible.ref()
COMM_FAILURE
Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/orca/atspi.py", line 680, in __init__
    self.accessible.ref()
COMM_FAILURE
Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/orca/atspi.py", line 680, in __init__
    self.accessible.ref()
COMM_FAILURE
...Too much output, ignoring rest...
--------------------------------------------------
Comment 1 Mariano Suárez-Alvarez 2007-01-21 00:02:37 UTC
Looks like a11y-related. Maybe they'll know. -->
Comment 2 Li Yuan 2007-01-22 07:38:28 UTC
Yes, I knew this bug. Someone told us about the bug by mail some days ago. I think it is a bug in vte. In vte_terminal_accessible_get_text, it crashed in g_malloc; the parameter is unreasonably huge, even with start_offset=560, end_offset=561.
Comment 3 Li Yuan 2007-01-22 07:40:58 UTC
This trace may be more useful.

Program received signal SIGABRT, Aborted.

Thread NaN (LWP 4841)

#0  ??
#1  ??
#2  ??
#3  ??
#4  raise from /lib/tls/i686/cmov/libc.so.6
#5  abort from /lib/tls/i686/cmov/libc.so.6
#6  IA__g_logv at gmessages.c line 497
#7  IA__g_log at gmessages.c line 517
#8  IA__g_malloc at gmem.c line 135
#9  vte_terminal_accessible_get_text at /home/kenny/src/vte/vte-0.15.0/./src/vteaccess.c line 982
#10 vte_terminal_accessible_get_text_somewhere at /home/kenny/src/vte/vte-0.15.0/./src/vteaccess.c line 1164
#11 vte_terminal_accessible_get_text_at_offset at /home/kenny/src/vte/vte-0.15.0/./src/vteaccess.c line 1212
#12 atk_text_get_text_at_offset at atktext.c line 386
#13 impl_getTextAtOffset at text.c line 128
#14 _ORBIT_skel_small_Accessibility_Text_getTextAtOffset at Accessibility-common.c line 700
#15 ?? from /usr/lib/libORBit-2.so.0
#16 ??
#17 ??
#18 ??
#19 ??
#20 ??
#21 impl_getTextAfterOffset at text.c line 110
#22 ORBit_OAObject_invoke from /usr/lib/libORBit-2.so.0
#23 ORBit_small_invoke_adaptor from /usr/lib/libORBit-2.so.0
#24 ?? from /usr/lib/libORBit-2.so.0
#25 ??
#26 ??
#27 Accessibility_Text__imethods from /usr/lib/libspi.so.0
#28 ??
#29 ??
#30 ?? from /usr/lib/libORBit-2.so.0
#31 ??
#32 ?? from /usr/lib/libglib-2.0.so.0
#33 ??
#34 ??
#35 ??
#36 pthread_mutex_lock from /lib/tls/i686/cmov/libpthread.so.0
#37 ?? from /usr/lib/libORBit-2.so.0
#38 ??
#39 ??
#40 ??

Comment 4 Mariano Suárez-Alvarez 2007-01-22 08:38:19 UTC
Do you know how to reproduce this?
Comment 5 Chris Wilson 2007-01-22 08:48:37 UTC
Created attachment 80863 [details] [review]
Protect against building a <=0 length string.

This papers over the bug (as is apparent, it is a missing guard) but does not explain how we got into that state in the first place.
Comment 6 Chris Wilson 2007-01-22 08:50:48 UTC
Created attachment 80865 [details] [review]
Actually protect against building a  <= length string.

-ENOCOFFEE
Comment 7 Chris Wilson 2007-01-22 11:01:11 UTC
Committed the guard. (Safety first and I wish to work on vteaccess today ;)

r1491: 2007-01-22  Chris Wilson <chris@chris-wilson.co.uk>

	Bug 389538 – crash in Terminal: nothing

	* src/vteaccess.c: (vte_terminal_accessible_get_text):
		Guard against negative length strings.

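The missing guard that Li Yuan (comment 2) and Chris Wilson (comments 5 and 7) describe, as an added illustration that is not vte's own vteaccess.c code: a simplified get_text whose length is a signed int derived from start/end offsets, shown unguarded beside the guarded form. The sample text, the function names and the clamping to the available text are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the terminal's text; not vte's own buffer. */
static const char sample_text[] = "hello, world\nsecond line\n";

/* The unguarded pattern: the length is a signed int derived from two
 * offsets and then handed to an allocator taking an unsigned size
 * (g_malloc takes gsize). With end_offset <= start_offset the length is
 * zero or negative; a negative int converts to a huge size_t, the
 * "unreasonably huge" argument behind the g_malloc -> g_log -> abort frames. */
size_t requested_alloc_size(int start_offset, int end_offset)
{
    int length = end_offset - start_offset;
    return (size_t)length;
}

/* Guarded version: refuse non-positive lengths and clamp the range to the
 * text actually available, so the allocation size is always sane.
 * Returns a malloc'd copy (caller frees) or NULL. */
char *guarded_get_text(const char *text, int start_offset, int end_offset)
{
    int text_len = (int)strlen(text);
    if (start_offset < 0 || start_offset > text_len)
        return NULL;
    if (end_offset > text_len)
        end_offset = text_len;
    int length = end_offset - start_offset;
    if (length <= 0)               /* the guard the committed patch adds */
        return NULL;
    char *out = malloc((size_t)length + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, text + start_offset, (size_t)length);
    out[length] = '\0';
    return out;
}

/* Check helper: 1 if the guarded call on sample_text yields exactly
 * `expected` (NULL expected means the call must return NULL), else 0. */
int guarded_text_equals(int start_offset, int end_offset, const char *expected)
{
    char *got = guarded_get_text(sample_text, start_offset, end_offset);
    int ok = (got == NULL) ? (expected == NULL)
                           : (expected != NULL && strcmp(got, expected) == 0);
    free(got);
    return ok;
}
```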
Comment 8 Chris Wilson 2007-01-22 17:02:08 UTC
*** Bug 158238 has been marked as a duplicate of this bug. ***
Comment 9 Chris Wilson 2007-01-23 10:47:36 UTC
*** Bug 365287 has been marked as a duplicate of this bug. ***
Comment 10 Chris Wilson 2007-01-23 22:47:09 UTC
*** Bug 399648 has been marked as a duplicate of this bug. ***
Comment 11 Susana 2007-03-24 14:56:45 UTC
*** Bug 421367 has been marked as a duplicate of this bug. ***
Comment 12 palfrey 2007-04-26 17:11:34 UTC
*** Bug 422862 has been marked as a duplicate of this bug. ***
Comment 13 palfrey 2007-05-13 15:21:17 UTC
*** Bug 438031 has been marked as a duplicate of this bug. ***
Comment 14 palfrey 2007-05-15 13:40:41 UTC
*** Bug 438389 has been marked as a duplicate of this bug. ***
Comment 15 palfrey 2007-05-15 13:40:44 UTC
*** Bug 438413 has been marked as a duplicate of this bug. ***
Comment 16 Pedro Villavicencio 2007-06-08 02:12:07 UTC
*** Bug 445209 has been marked as a duplicate of this bug. ***
Comment 17 Pedro Villavicencio 2007-06-08 02:13:18 UTC
*** Bug 444203 has been marked as a duplicate of this bug. ***
Comment 18 Bruno Boaventura 2007-08-08 20:40:23 UTC
*** Bug 464765 has been marked as a duplicate of this bug. ***
Comment 19 Cosimo Cecchi 2007-09-18 09:58:29 UTC
*** Bug 477963 has been marked as a duplicate of this bug. ***
Comment 20 Christian Persch 2008-10-12 12:22:12 UTC
Dups are from <= g-t 2.16, plus patch committed -> FIXED.