Write past end of buffer in gtk/gtkrc.c gtk_rc_add_default_file

Bug #1760240 reported by Kirk Wolff
This bug affects 1 person
Affects: gtk+2.0 (Ubuntu)
Status: New
Importance: Low
Assigned to: Unassigned
Milestone: (not set)

Bug Description

In all repositories there is a buffer overrun in the function gtk_rc_add_default_file(), where if the dynamic array gtk_rc_default_files has exactly max_default_files entries, a NULL will be written past the allocated memory. The resize function does not resize the null-terminated array in this case, and AddressSanitizer (and valgrind) detects a memory access violation in any code leading to this function.

The following code is in error (from https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/precise/gtk+2.0/precise-proposed/view/head:/gtk/gtkrc.c#L596 ):
{{{
  for (n = 0; n < max_default_files; n++)
    {
      if (gtk_rc_default_files[n] == NULL)
        break;
    }

  /* n == max_default_files only when no NULL terminator was found among the
     allocated slots. When the terminator sits in the last slot, n is
     max_default_files - 1 and the resize below is skipped. */
  if (n == max_default_files)
    {
      max_default_files += 10;
      gtk_rc_default_files = g_renew (gchar*, gtk_rc_default_files, max_default_files);
    }

  gtk_rc_default_files[n++] = g_strdup (filename);
  gtk_rc_default_files[n] = NULL;   /* with n == max_default_files this write is past the allocation */
}}}

Proposed modified implementation is as follows:
{{{
  /* Stop one slot short: the last slot stays reserved for the terminator. */
  for (n = 0; n < (max_default_files-1); n++)
    {
      if (gtk_rc_default_files[n] == NULL)
        break;
    }

  /* Grow as soon as the reserved slot is the only free one. */
  if (n >= (max_default_files-1))
    {
      max_default_files += 10;
      gtk_rc_default_files = g_renew (gchar*, gtk_rc_default_files, max_default_files);
    }

  gtk_rc_default_files[n++] = g_strdup (filename);
  gtk_rc_default_files[n] = NULL;   /* n <= max_default_files - 1 here, so this stays in bounds */
}}}

This implementation should be changed in all branches:

https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/gtk+2.0/trusty/view/head:/gtk/gtkrc.c#L569
https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/gtk+2.0/trusty-updates/view/head:/gtk/gtkrc.c#L569
https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/gtk+2.0/trusty-proposed/view/head:/gtk/gtkrc.c#L569
https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/precise/gtk+2.0/precise/view/head:/gtk/gtkrc.c#L590
https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/precise/gtk+2.0/precise-updates/view/head:/gtk/gtkrc.c#L596
https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/precise/gtk+2.0/precise-proposed/view/head:/gtk/gtkrc.c#L596
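
The growth logic the report describes, as an added model that is not code from this page, from the reporter or from GTK: it mirrors the control flow of both snippets above, but routes every store through a bounds check so the out-of-bounds terminator write shows up as a counted event instead of heap corruption. The struct, the helper names, the initial capacity of 10 and the file names are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Model of gtkrc.c's static state: a NULL-terminated array of copied paths with
 * max_default_files slots. Struct, helper names and the initial capacity of 10
 * are this example's assumptions, not GTK code. */
typedef struct {
    char **files;     /* gtk_rc_default_files: NULL-terminated */
    size_t capacity;  /* max_default_files: slots allocated */
    int oob_writes;   /* stores refused because index >= capacity */
} DefaultFiles;
static char *dup_str(const char *s) {  /* stand-in for g_strdup */
    char *p = malloc(strlen(s) + 1);
    if (!p) abort();
    return strcpy(p, s);
}

static void files_init(DefaultFiles *d, size_t cap) {
    d->files = calloc(cap, sizeof *d->files);  /* all NULL: slot 0 terminates */
    if (!d->files) abort();
    d->capacity = cap; d->oob_writes = 0;
}

/* g_renew() stand-in. New slots are NULL-filled only so the model never reads
 * uninitialised memory; g_renew itself does not zero them. */
static void files_grow(DefaultFiles *d, size_t extra) {
    char **p = realloc(d->files, (d->capacity + extra) * sizeof *p);
    if (!p) abort();
    memset(p + d->capacity, 0, extra * sizeof *p);
    d->files = p; d->capacity += extra;
}

/* Bounds-checked store: an index past the allocation is counted, not written. */
static void files_store(DefaultFiles *d, size_t idx, char *val) {
    if (idx >= d->capacity) { d->oob_writes++; free(val); return; }
    d->files[idx] = val;
}

/* Control flow of the reported gtk_rc_add_default_file(): the loop can stop at
 * n == capacity - 1 without growing, so the terminator lands at index capacity. */
static void add_buggy(DefaultFiles *d, const char *filename) {
    size_t n;
    for (n = 0; n < d->capacity; n++)
        if (d->files[n] == NULL) break;
    if (n == d->capacity)
        files_grow(d, 10);
    files_store(d, n++, dup_str(filename));
    files_store(d, n, NULL);
}

/* The proposed fix: the last slot is reserved, so the array grows one insertion
 * earlier and the terminator always has an in-bounds slot. */
static void add_fixed(DefaultFiles *d, const char *filename) {
    size_t n;
    for (n = 0; n < d->capacity - 1; n++)
        if (d->files[n] == NULL) break;
    if (n >= d->capacity - 1)
        files_grow(d, 10);
    files_store(d, n++, dup_str(filename));
    files_store(d, n, NULL);
}

static void files_free(DefaultFiles *d) {
    for (size_t n = 0; n < d->capacity; n++) free(d->files[n]);
    free(d->files);
}

static void fill(DefaultFiles *d, int use_fixed, int adds) {
    char name[48];
    files_init(d, 10);
    for (int i = 0; i < adds; i++) {
        snprintf(name, sizeof name, "/etc/gtk-2.0/gtkrc-%d", i);  /* constructed */
        if (use_fixed) add_fixed(d, name); else add_buggy(d, name);
    }
}

int oob_writes_after(int use_fixed, int adds) {  /* writes refused by the bounds check */
    DefaultFiles d;
    fill(&d, use_fixed, adds);
    files_free(&d);
    return d.oob_writes;
}

/* 1 if every entry was kept and the list still ends with an in-bounds NULL. */
int list_intact_after(int use_fixed, int adds) {
    DefaultFiles d; size_t n = 0;
    fill(&d, use_fixed, adds);
    while (n < d.capacity && d.files[n] != NULL) n++;
    int ok = n == (size_t)adds && n < d.capacity && d.files[n] == NULL;
    files_free(&d);
    return ok;
}

int main(void) {
    printf("buggy: %d OOB writes, intact=%d\n", oob_writes_after(0, 30), list_intact_after(0, 30));
    printf("fixed: %d OOB writes, intact=%d\n", oob_writes_after(1, 30), list_intact_after(1, 30));
    return 0;
}
```

In the buggy variant the refused store is the terminator, not the filename: it is attempted on the tenth insertion (when the ten allocated slots hold nine names plus the terminator) and again on every tenth insertion after a resize, which is the one-pointer heap overflow AddressSanitizer reports. Replace files_store() with a raw assignment and build with -fsanitize=address to see the same report from this model.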

Revision history for this message
Sebastien Bacher (seb128) wrote:

Thank you for your bug report, that looks like an upstream issue and should be reported on https://gitlab.gnome.org/GNOME/gtk/issues

Changed in gtk+2.0 (Ubuntu):
importance: Undecided → Low