GNOME Bugzilla – Bug 760896
gucharmap: Buffer overflow that appears already during compilation
Last modified: 2016-09-19 20:12:27 UTC
Created attachment 319450 [details]
address sanitizer stack trace / error message

I tried to compile gucharmap with Address Sanitizer (-fsanitize=address in CFLAGS) enabled. This uncovers a heap buffer overflow. I'm not very familiar with the build system stuff there and have a bit of trouble tracking down what's causing this, but I'll try to give as much information as I can.

According to the address sanitizer error message (attached) this happens in the function gucharmap_chartable_accessible_class_init() in gucharmap-chartable-accessible.c, line 547. That gets called by g_type_class_ref in libgobject, which itself gets called by a number of functions that only seem to exist in a temporary file tmp-introspectlZhRe8/Gucharmap-2.90.c (I haven't found an easy way to tell the build system to not delete that temp file after an error so I can analyze it...)

This is the code where this happens:

    accessible_class->connect_widget_destroyed = gucharmap_chartable_accessible_connect_widget_destroyed;

This indicates that accessible_class->connect_widget_destroyed is not within the bounds of the allocated object. There is this error message which might indicate that something with the types is going wrong here:

    (process:25843): GLib-GObject-WARNING **: invalid class cast from 'GucharmapChartableAccessible' to 'GtkAccessible'

This error appears in the git version, in 3.18.2 and 3.16.2. This all only happens with introspection enabled; if I disable it I don't see this error.
Created attachment 319451 [details]
output of failing make (including some GLib warnings)
IIRC the problem is that a11y is different during the gobject-introspection run and during a normal run (i.e. there's some sort of dummy accessible that doesn't derive from GtkAccessible, which means the class cast fails and thus the accessible_class pointer is NULL).
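An added illustration of the mechanism this comment describes; it is not code from the bug report, from gucharmap or from GTK/GLib. It models a GObject-style class hierarchy in plain C with invented names (ToyType, ToyObjectClass, ToyAccessibleClass, toy_class_cast, toy_type_is_a, ...) standing in for GType, GtkAccessibleClass and G_TYPE_CHECK_CLASS_CAST. The failed cast is modelled the way GLib's g_type_check_class_cast() behaves, warning and handing back the pointer unchanged; storing a vfunc through that pointer then touches bytes past the end of the smaller class allocation, which is what AddressSanitizer reports as a heap-buffer-overflow. The demo reports the overrun size instead of performing the out-of-bounds store so it stays memory-safe, and the guarded variant shows the is-a check that skips the store for a class that is not really an accessible.

```c
/*
 * Added example (not gucharmap/GTK code). Toy model of a class cast to a type
 * the class does not derive from, followed by a vfunc store past the real
 * allocation. All ToyXxx/toy_xxx names are invented for this illustration.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical type ids; toy_parent[] plays the role of the GType parent chain. */
typedef enum { TOY_OBJECT = 0, TOY_ACCESSIBLE, TOY_DUMMY_ACCESSIBLE, TOY_N_TYPES } ToyType;
static const ToyType toy_parent[TOY_N_TYPES] = {
    TOY_OBJECT,  /* root */
    TOY_OBJECT,  /* TOY_ACCESSIBLE derives from TOY_OBJECT */
    TOY_OBJECT   /* the introspection-time "dummy" also derives from TOY_OBJECT, not TOY_ACCESSIBLE */
};

/* Base class struct: this is all that gets allocated for the dummy. */
typedef struct { ToyType g_type; size_t class_size; } ToyObjectClass;
/* "Accessible" class struct: its vfunc slot lies beyond the end of ToyObjectClass. */
typedef struct {
    ToyObjectClass parent_class;
    void (*connect_widget_destroyed)(void *accessible);
} ToyAccessibleClass;

/* Walk the parent chain, like g_type_is_a(). */
static int toy_type_is_a(ToyType t, ToyType ancestor) {
    for (;;) {
        if (t == ancestor) return 1;
        if (t == TOY_OBJECT) return 0;
        t = toy_parent[t];
    }
}

/* Models G_TYPE_CHECK_CLASS_CAST: a bad cast only warns; the pointer comes back unchanged. */
static void *toy_class_cast(ToyObjectClass *klass, ToyType to) {
    if (!toy_type_is_a(klass->g_type, to))
        fprintf(stderr, "WARNING: invalid class cast from type %d to type %d\n", klass->g_type, to);
    return klass;
}

/* Bytes the vfunc store would touch beyond the class allocation (0 when in bounds). */
static size_t toy_overrun_bytes(const ToyObjectClass *klass) {
    size_t end = offsetof(ToyAccessibleClass, connect_widget_destroyed) + sizeof(void (*)(void *));
    return end > klass->class_size ? end - klass->class_size : 0;
}

static void toy_connect_widget_destroyed(void *accessible) { (void)accessible; }

/* Unguarded pattern (cast, then store). Returns the overrun size instead of
 * performing an out-of-bounds store, so the demo itself stays memory-safe;
 * a nonzero result is exactly what ASan would flag as heap-buffer-overflow. */
static size_t toy_class_init_unguarded(ToyObjectClass *klass) {
    ToyAccessibleClass *ac = toy_class_cast(klass, TOY_ACCESSIBLE);
    size_t over = toy_overrun_bytes(klass);
    if (over == 0)
        ac->connect_widget_destroyed = toy_connect_widget_destroyed;
    return over;
}

/* Guarded pattern: only touch the accessible vfunc when the class really is one.
 * Returns 1 if the vfunc was installed, 0 if the class was skipped. */
static int toy_class_init_guarded(ToyObjectClass *klass) {
    if (!toy_type_is_a(klass->g_type, TOY_ACCESSIBLE))
        return 0;
    ((ToyAccessibleClass *)klass)->connect_widget_destroyed = toy_connect_widget_destroyed;
    return 1;
}

static ToyObjectClass *toy_class_new(ToyType t, size_t size) {
    ToyObjectClass *k = calloc(1, size);
    if (!k) abort();
    k->g_type = t;
    k->class_size = size;
    return k;
}

/* Allocate a class of type t with `size` bytes, run one init pattern, free it. */
static size_t toy_try_unguarded(ToyType t, size_t size) {
    ToyObjectClass *k = toy_class_new(t, size);
    size_t over = toy_class_init_unguarded(k);
    free(k);
    return over;
}
static int toy_try_guarded(ToyType t, size_t size) {
    ToyObjectClass *k = toy_class_new(t, size);
    int installed = toy_class_init_guarded(k);
    free(k);
    return installed;
}

int main(void) {
    printf("real accessible:  unguarded overrun=%zu bytes, guarded installed=%d\n",
           toy_try_unguarded(TOY_ACCESSIBLE, sizeof(ToyAccessibleClass)),
           toy_try_guarded(TOY_ACCESSIBLE, sizeof(ToyAccessibleClass)));
    printf("dummy accessible: unguarded overrun=%zu bytes, guarded installed=%d\n",
           toy_try_unguarded(TOY_DUMMY_ACCESSIBLE, sizeof(ToyObjectClass)),
           toy_try_guarded(TOY_DUMMY_ACCESSIBLE, sizeof(ToyObjectClass)));
    return 0;
}
```

With the dummy class, the unguarded path reports an overrun of one function-pointer width (the slot sits right after the base struct), and the warning printed by toy_class_cast() is the counterpart of the GLib-GObject "invalid class cast" message in the report. The guarded path skips the store for the dummy and installs the vfunc for the real accessible class.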
Fixed on master.