Bug 793480 - Crash in pango_fudge_colors()
Status: RESOLVED FIXED
Product: vte
Classification: Core
Component: general
Version: unspecified
Hardware/OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: VTE Maintainers
QA Contact: VTE Maintainers
Depends on:
Blocks:
 
 
Reported: 2018-02-15 09:05 UTC by Carlos Garnacho
Modified: 2018-02-15 14:26 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Attachment 368366: widget: Protect fudge_pango_colors() against all-inclusive PangoAttributes (1.12 KB, patch)
2018-02-15 09:06 UTC, Carlos Garnacho
Status: committed

Description Carlos Garnacho 2018-02-15 09:05:43 UTC
IMs have the ability to provide a PangoAttrList for the pre-edit string, and it is legal for those to rely on the default PangoAttribute [0,G_MAXUINT] extents as this style only applies to the pre-edit string.

However, the call to pango_fudge_colors() seems to rely on attribute extents being within the VteCell range. I get this crash with the wayland IM recently merged on gtk+:

Thread 1 "gnome-terminal-" received signal SIGSEGV, Segmentation fault.
0x00007fbfd79efb06 in VteTerminalPrivate::fudge_pango_colors (
    this=this@entry=0x5569c7426570, 
    attributes=attributes@entry=0x5569c7163d20, cells=0x5569c77be9e0, 
    n=4294967295) at vte.cc:9172
9172                    gint len = g_unichar_to_utf8 (cells[i].c, ubuf);
(gdb) bt
#0  VteTerminalPrivate::fudge_pango_colors at vte.cc:9172
#1  VteTerminalPrivate::translate_pango_cells at vte.cc:9359
#2  VteTerminalPrivate::draw_cells_with_attributes at vte.cc:9399
#3  VteTerminalPrivate::paint_im_preedit_string at vte.cc:10012
#4  VteTerminalPrivate::widget_draw at vte.cc:10131
#5  vte_terminal_draw at vtegtk.cc:306
#6  gtk_widget_draw_internal at gtkwidget.c:7026
#7  gtk_container_propagate_draw at gtkcontainer.c:3838
#8  gtk_container_draw at gtkcontainer.c:3658
#9  gtk_box_draw_contents at gtkbox.c:448
#10 gtk_css_custom_gadget_draw at gtkcsscustomgadget.c:159
#11 gtk_css_gadget_draw at gtkcssgadget.c:877
#12 gtk_box_draw at gtkbox.c:457
#13 gtk_widget_draw_internal at gtkwidget.c:7026
#14 gtk_container_propagate_draw at gtkcontainer.c:3838
#15 gtk_container_draw at gtkcontainer.c:3658
#16 gtk_widget_draw_internal at gtkwidget.c:7026
#17 gtk_container_propagate_draw at gtkcontainer.c:3838
#18 gtk_notebook_draw_stack at gtknotebook.c:2515
#19 gtk_css_custom_gadget_draw at gtkcsscustomgadget.c:159
#20 gtk_css_gadget_draw at gtkcssgadget.c:877
#21 gtk_box_gadget_draw at gtkboxgadget.c:512
#22 gtk_css_gadget_draw at gtkcssgadget.c:877
#23 gtk_notebook_draw at gtknotebook.c:2530
#24 gtk_widget_draw_internal at gtkwidget.c:7026
#25 gtk_container_propagate_draw at gtkcontainer.c:3838
#26 gtk_container_draw at gtkcontainer.c:3658
#27 gtk_box_draw_contents at gtkbox.c:448
#28 gtk_css_custom_gadget_draw at gtkcsscustomgadget.c:159
#29 gtk_css_gadget_draw at gtkcssgadget.c:877
#30 gtk_box_draw at gtkbox.c:457
#31 gtk_widget_draw_internal at gtkwidget.c:7026
#32 gtk_container_propagate_draw at gtkcontainer.c:3838
#33 gtk_container_draw at gtkcontainer.c:3658
#34 gtk_window_draw at gtkwindow.c:10396
#35 terminal_window_draw
#36 gtk_widget_draw_internal at gtkwidget.c:7026
#37 gtk_widget_render at gtkwidget.c:17536
#38 gtk_main_do_event at gtkmain.c:1838
#39 _gdk_event_emit at gdkevents.c:73
#40 _gdk_window_process_updates_recurse_helper at gdkwindow.c:3852
#41 _gdk_window_process_updates_recurse at gdkwindow.c:3909
#42 gdk_window_impl_process_updates_recurse at gdkwindowimpl.c:333
#43 gdk_window_process_updates_internal at gdkwindow.c:3998
#44 gdk_window_process_updates_with_mode at gdkwindow.c:4192
#45 gdk_window_paint_on_clock at gdkwindow.c:11700
#46 g_cclosure_marshal_VOID__VOID at /home/carlos/Source/gnome/glib/gobject/gmarshal.c:875
#47 g_closure_invoke at /home/carlos/Source/gnome/glib/gobject/gclosure.c:804
#48 signal_emit_unlocked_R at /home/carlos/Source/gnome/glib/gobject/gsignal.c:3635
#49 g_signal_emit_valist at /home/carlos/Source/gnome/glib/gobject/gsignal.c:3391
#50 g_signal_emit at /home/carlos/Source/gnome/glib/gobject/gsignal.c:3447
#51 _gdk_frame_clock_emit_paint at gdkframeclock.c:640
#52 gdk_frame_clock_paint_idle at gdkframeclockidle.c:430
#53 gdk_threads_dispatch at gdk.c:743
#54 g_timeout_dispatch at /home/carlos/Source/gnome/glib/glib/gmain.c:4650
#55 g_main_dispatch at /home/carlos/Source/gnome/glib/glib/gmain.c:3177
#56 g_main_context_dispatch at /home/carlos/Source/gnome/glib/glib/gmain.c:3830
#57 g_main_context_iterate at /home/carlos/Source/gnome/glib/glib/gmain.c:3903
#58 g_main_context_iteration at /home/carlos/Source/gnome/glib/glib/gmain.c:3964
#59 g_application_run at /home/carlos/Source/gnome/glib/gio/gapplication.c:2482
#60 main

Other places (e.g. apply_pango_attr()) seem to protect against this; I'm attaching a patch along the same lines.
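The failure mode described in the report, worked through as an added C example. This is not vte's code and not the attached patch: `Cell` and `Attr` are hypothetical stand-ins for VteCell and PangoAttribute, `utf8_encode()` stands in for g_unichar_to_utf8(), and the pre-edit text "héllo" and the attribute ranges are constructed here. The example assumes the reading of the backtrace that the report and commit message give: `n=4294967295` in frame #0 is 2^32 - 1, i.e. G_MAXUINT, the `end_index` of Pango's default all-inclusive attribute, so the attribute extent was being used directly as a cell count. `unclamped_cell_count()` reproduces that value; `clamped_cell_count()` shows the guard; `apply_fg_attr()` shows the shape that cannot overrun: it derives byte offsets cell by cell and bounds the loop only by the number of cells that exist.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for VteCell: one code point and a colour slot. */
typedef struct {
    uint32_t c;   /* Unicode code point shown in this cell */
    int fg;       /* foreground colour index, -1 = terminal default */
} Cell;

/* Hypothetical stand-in for PangoAttribute. The indices are byte offsets
 * into the UTF-8 text; Pango's default range is [0, G_MAXUINT], so
 * end_index may legitimately be UINT_MAX. */
typedef struct {
    unsigned int start_index;  /* inclusive */
    unsigned int end_index;    /* exclusive */
    int fg;
} Attr;

/* Minimal UTF-8 encoder standing in for g_unichar_to_utf8(): returns the
 * encoded length (1..4), or 0 for a surrogate or out-of-range code point. */
static size_t utf8_encode(uint32_t cp, unsigned char out[4]) {
    if (cp < 0x80) {
        out[0] = (unsigned char)cp;
        return 1;
    }
    if (cp < 0x800) {
        out[0] = (unsigned char)(0xC0 | (cp >> 6));
        out[1] = (unsigned char)(0x80 | (cp & 0x3F));
        return 2;
    }
    if (cp < 0x10000) {
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;
        out[0] = (unsigned char)(0xE0 | (cp >> 12));
        out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (unsigned char)(0x80 | (cp & 0x3F));
        return 3;
    }
    if (cp <= 0x10FFFF) {
        out[0] = (unsigned char)(0xF0 | (cp >> 18));
        out[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
        out[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        out[3] = (unsigned char)(0x80 | (cp & 0x3F));
        return 4;
    }
    return 0;
}

/* Unguarded: the attribute extent used directly as a cell count. For the
 * default [0, G_MAXUINT] attribute this is 4294967295, the n in frame #0,
 * and any loop bounded by it runs off the end of the cell array. */
unsigned int unclamped_cell_count(unsigned int start_index, unsigned int end_index) {
    return end_index - start_index;
}

/* Guarded: clamp both ends of the range to the cells that actually exist. */
size_t clamped_cell_count(unsigned int start_index, unsigned int end_index, size_t n_cells) {
    size_t start = start_index < n_cells ? start_index : n_cells;
    size_t end = end_index < n_cells ? end_index : n_cells;
    return end > start ? end - start : 0;
}

/* Colour every cell whose UTF-8 encoding starts inside [start_index, end_index).
 * Byte offsets are computed cell by cell, and the loop is bounded by n_cells,
 * so a range larger than the text never indexes past the array.
 * Returns the number of cells coloured. */
size_t apply_fg_attr(Cell *cells, size_t n_cells, const Attr *attr) {
    size_t byte_off = 0;
    size_t colored = 0;
    for (size_t i = 0; i < n_cells && byte_off < attr->end_index; i++) {
        unsigned char buf[4];
        size_t len = utf8_encode(cells[i].c, buf);
        if (len == 0) len = 1;  /* hypothetical choice: count an unencodable cell as one byte */
        if (byte_off >= attr->start_index) {
            cells[i].fg = attr->fg;
            colored++;
        }
        byte_off += len;
    }
    return colored;
}

/* Constructed pre-edit "héllo": byte offsets 0, 1, 3, 4, 5 (é is two bytes). */
size_t demo_preedit(unsigned int start_index, unsigned int end_index) {
    Cell cells[] = { {'h', -1}, {0xE9, -1}, {'l', -1}, {'l', -1}, {'o', -1} };
    Attr attr = { start_index, end_index, 4 };
    return apply_fg_attr(cells, sizeof cells / sizeof cells[0], &attr);
}

int main(void) {
    printf("unclamped count for [0, G_MAXUINT]: %u\n", unclamped_cell_count(0, UINT_MAX));
    printf("clamped count for 5 cells:          %zu\n", clamped_cell_count(0, UINT_MAX, 5));
    printf("cells coloured, default range:      %zu\n", demo_preedit(0, UINT_MAX));
    printf("cells coloured, bytes [1,4):        %zu\n", demo_preedit(1, 4));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c && ./a.out`. The point of the clamp is that the attribute range belongs to the pre-edit string, not to the cell array; any loop that walks cells must take its bound from the cell count and only consult the attribute to decide whether a given cell is inside it.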
Comment 1 Carlos Garnacho 2018-02-15 09:06:34 UTC
Created attachment 368366
widget: Protect fudge_pango_colors() against all-inclusive PangoAttributes

PangoAttribute documentation says "By default an attribute will have an
all-inclusive range of [0,G_MAXUINT]". It seems legal to get that from IMs
(referring to the pre-edit string), however the only caller of this
function just relies on the attribute being within the VteCells range,
leading to crashes.
Comment 2 Christian Persch 2018-02-15 12:20:56 UTC
Comment on attachment 368366
widget: Protect fudge_pango_colors() against all-inclusive PangoAttributes

Thanks!
Comment 3 Carlos Garnacho 2018-02-15 14:26:24 UTC
Cheers :). Pushed to master, will leave cherry-picking (if necessary) to you.

Attachment 368366 pushed as 34a2b58 - widget: Protect fudge_pango_colors() against all-inclusive PangoAttributes