GNOME Bugzilla – Bug 793480
Crash in pango_fudge_colors()
Last modified: 2018-02-15 14:26:29 UTC
IMs have the ability to provide a PangoAttrList for the pre-edit string, and it is legal for those to rely on the default PangoAttribute [0,G_MAXUINT] extents, as this style only applies to the pre-edit string. However, the call to pango_fudge_colors() seems to rely on attribute extents being within the VteCell range. I get this crash with the wayland IM recently merged on gtk+:

Thread 1 "gnome-terminal-" received signal SIGSEGV, Segmentation fault.
0x00007fbfd79efb06 in VteTerminalPrivate::fudge_pango_colors (this=this@entry=0x5569c7426570, attributes=attributes@entry=0x5569c7163d20, cells=0x5569c77be9e0, n=4294967295) at vte.cc:9172
9172	  gint len = g_unichar_to_utf8 (cells[i].c, ubuf);
(gdb) bt
+ Trace 238395
Other places (e.g. apply_pango_attr()) seem to protect against this; I'm attaching a patch along the same lines.
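A minimal C model of the mismatch this report describes, added here as an illustration and not VTE's or Pango's code: attr_range, utf8_len, apply_attr_to_cells and the sample cells are stand-ins, and UINT_MAX stands in for G_MAXUINT. It shows why a loop bound taken from the attribute extent overruns the cell array, while a walk bounded by the real cell count handles the default [0,G_MAXUINT] range safely.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Model of a Pango attribute's byte-offset range [start_index, end_index).
 * Pango's default is the all-inclusive [0, G_MAXUINT]; UINT_MAX stands in. */
typedef struct {
    unsigned int start_index;
    unsigned int end_index;
} attr_range;

/* Constructed sample pre-edit string as code points: 'a' (1 byte), U+00E9
 * (2 bytes), U+20AC (3 bytes), 'b' (1 byte). Cell byte offsets: 0, 1, 3, 6. */
static const uint32_t sample_cells[4] = { 'a', 0xE9, 0x20AC, 'b' };
#define SAMPLE_N (sizeof sample_cells / sizeof sample_cells[0])

/* Byte length of the UTF-8 encoding of c (stand-in for g_unichar_to_utf8). */
static size_t utf8_len(uint32_t c)
{
    if (c < 0x80) return 1;
    if (c < 0x800) return 2;
    if (c < 0x10000) return 3;
    return 4;
}

/* The crash pattern from the backtrace: deriving the loop bound from the
 * attribute extent yields UINT_MAX (n=4294967295) for the default range, so
 * cells[i] would be read far past the array. Returned, not iterated. */
static size_t unsafe_bound(const attr_range *a)
{
    return (size_t)(a->end_index - a->start_index);
}

/* Hardened walk: the bound is the caller's real cell count n, never the
 * attribute extent. A byte cursor advances by each cell's UTF-8 length and a
 * cell is covered when its first byte lies in [start, end). An end of UINT_MAX
 * is harmless because the cursor can never reach it. Fills covered[] and
 * returns the number of covered cells. */
static size_t apply_attr_to_cells(const attr_range *a, const uint32_t *cells,
                                  size_t n, unsigned char *covered)
{
    size_t pos = 0, hits = 0;
    for (size_t i = 0; i < n; i++) {
        covered[i] = (pos >= a->start_index && pos < a->end_index);
        hits += covered[i];
        pos += utf8_len(cells[i]);
    }
    return hits;
}

/* Convenience wrapper over the constructed sample. */
static size_t sample_covered(unsigned int start, unsigned int end)
{
    attr_range a = { start, end };
    unsigned char covered[SAMPLE_N];
    return apply_attr_to_cells(&a, sample_cells, SAMPLE_N, covered);
}
```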
Created attachment 368366
widget: Protect fudge_pango_colors() against all-inclusive PangoAttributes

PangoAttribute documentation says "By default an attribute will have an all-inclusive range of [0,G_MAXUINT]". It seems legal to get that from IMs (referring to the pre-edit string); however, the only caller of this function just relies on the attribute being within the VteCells range, leading to crashes.
Comment on attachment 368366
widget: Protect fudge_pango_colors() against all-inclusive PangoAttributes

Thanks!
Cheers :). Pushed to master, will leave cherry-picking (if necessary) to you.

Attachment 368366 pushed as 34a2b58 - widget: Protect fudge_pango_colors() against all-inclusive PangoAttributes