STR #3275
Application: FLTK Library
Status: 1 - Closed w/Resolution
Priority: 4 - High, e.g. key functionality not working
Scope: 3 - Applies to all machines and operating systems
Subsystem: Core Library
Summary: Fl_Help_View stack corruption
Version: 1.3.3
Created By: kub
Assigned To: AlbrechtS
Fix Version: 1.3.4 (SVN: v11746)
Fix Commit: ccf3681097763b8246d314d73cfee6dffdddaf86
Update Notification:
Trouble Report Files:
Trouble Report Comments:
Opening long texts in Fl_Help_View causes stack corruption in the draw() member. This bug is always repeatable. The buf[1024] array is allocated on the stack and thus valgrind gives few or no errors. Changing buf to a malloc'ed heap variable makes the bug visible in valgrind.
Please find attached a workaround patch which checks the actual Fl_Help_Block size and reallocs the buf accordingly. This fixes the crashes.

#2 AlbrechtS 03:21 Jan 15, 2016
Thanks for the report - but unfortunately I can't find your announced patch. Could you please upload the patch? ("Post file")

Ping - patch was attached.

#4 AlbrechtS 03:51 Jan 22, 2016
Yep, thanks for the patch, and sorry, I'm too busy with other development.
The patch is short, looks good at a first glance, and priority is "high" - hence it won't be forgotten before the release of 1.3.4.

#5 chris 11:04 Jan 25, 2016
Could you please specify more clearly what triggers a stack overflow, or even give a sample HTML that exhibits the overflow? Is it just having more than 1024 characters in a paragraph? Thanks.

In my case it is just longer text. wc -c says 15431.

#7 chris 11:48 Jan 25, 2016
Well, I can't reproduce with a text containing more than 30000 characters using the help program from the test folder. I mean, it should crash, shouldn't it? But it displays just fine and exits normally.

Sorry, can't reproduce any more. Should have created a program for demo instantly.

#9 AlbrechtS 15:47 Feb 08, 2016
Good news: I found a reproducer. It took a while staring at the code to find out what's going on.
I'm working on a fix. Unfortunately it is not as simple as the provided patch, for several reasons. It is not only the length of the file that matters - it is the length of internal "blocks", and it can even be worse if the HTML file uses long lines with many tabs (tabs are expanded, and this renders the size calculation in the posted patch useless).
There are some places in the code where the internal buffer size is checked (text truncated), but (many) other places where it is not checked.
More to come...
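The point made above, that sizing a buffer by the input length is useless once tabs are expanded, is easiest to see in code. The following is an added example written for this page; it is not FLTK's Fl_Help_View code and not the patch attached to this STR. It copies a line into a fixed-capacity buffer while expanding tabs, bounds every write on the output side rather than on the input length, reports the full expanded length so the caller can detect truncation, and always advances to the next tab stop, so a tab at column 0, 8, 16 etc. emits a full tab width rather than nothing (the line-offset case the fix comment below mentions). The tab width of 8, the 1024-byte buffer and the 200-tab input line are constructed for the demonstration.

```c
/* Added example, not FLTK code: bounded tab expansion that cannot overrun
 * a fixed-size buffer, regardless of the input length.
 * Build: cc -std=c99 -Wall expand.c */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAB_WIDTH 8   /* assumed tab stop width for this example */

/* Copy `in` to `out`, expanding tabs to spaces. `cap` is the capacity of
 * `out` in bytes including the terminating NUL; `out` may be NULL when
 * cap == 0. Returns the length the complete expansion needs (excluding the
 * NUL), so `result >= cap` tells the caller the output was truncated.
 * `out` is always NUL-terminated when cap > 0. */
size_t expand_tabs(const char *in, char *out, size_t cap)
{
    size_t col = 0;  /* visual column on the current line */
    size_t n = 0;    /* characters the full expansion produces */

    for (const char *p = in; *p; p++) {
        if (*p == '\t') {
            /* Distance to the NEXT tab stop: at column 0, 8, 16, ... this is
             * a full TAB_WIDTH, never zero. */
            size_t spaces = TAB_WIDTH - (col % TAB_WIDTH);
            for (size_t i = 0; i < spaces; i++) {
                if (n + 1 < cap) out[n] = ' ';   /* bounded on the OUTPUT side */
                n++;
            }
            col += spaces;
        } else {
            if (n + 1 < cap) out[n] = *p;
            n++;
            col = (*p == '\n') ? 0 : col + 1;
        }
    }
    if (cap > 0) out[n < cap ? n : cap - 1] = '\0';
    return n;
}

/* Length the expansion of `in` needs, without writing anything. */
size_t expanded_length(const char *in)
{
    return expand_tabs(in, NULL, 0);
}

int main(void)
{
    char buf[1024];   /* the kind of fixed stack buffer at issue in this STR */
    char line[201];   /* constructed input: a single line of 200 tabs */
    memset(line, '\t', 200);
    line[200] = '\0';

    /* 200 input bytes expand to 1600 characters: an input-length check passes
     * while the output would overrun; the bounded copy truncates instead. */
    size_t need = expand_tabs(line, buf, sizeof buf);
    printf("input bytes: %zu, expansion needs %zu, buffer holds %zu\n",
           strlen(line), need, sizeof buf);
    if (need >= sizeof buf)
        printf("truncated: stored %zu characters\n", strlen(buf));
    return 0;
}
```

The return value follows the snprintf convention: a caller that wants the untruncated text can call expanded_length() first and allocate exactly that much, which is what a heap-based fix needs to do after tab expansion rather than before it.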

#10 AlbrechtS 09:46 May 17, 2016
Fixed in Subversion repository.
svn r11745 works _much_ better than the previous one:
- fixed buffer overflow ("stack corruption")
While I was at it I found some other minor bugs and fixed these as well:
- fixed potential long text truncation
- fixed tab formatting at line start or any line offset divisible by 8
Please test and report success or any new issues you may find.
This STR is considered resolved and will be closed soon if no new issues related to the original problem or the fixes are reported.

#11 AlbrechtS 14:15 Feb 22, 2023
Changed svn revision 11745 to 11746, added Git commit ccf3681097763b8246d314d73cfee6dffdddaf86.