
[BUG] `gtk4::EditableLabel.chars` with out-of-range offsets causes a crash #895

Open qarmin opened 2 years ago

qarmin commented 2 years ago
System:    Host: rafalkom Kernel: 5.13.0-28-generic x86_64 bits: 64 compiler: gcc v: 11.2.0 Desktop: GNOME 40.5 
           tk: GTK 3.24.30 wm: gnome-shell dm: GDM3 Distro: Ubuntu 21.10 (Impish Indri) 
RUST_BACKTRACE=full RUSTFLAGS=-Zsanitizer=address RUSTDOCFLAGS=-Zsanitizer=address cargo run  -Zbuild-std --target x86_64-unknown-linux-gnu

Bug description

// Minimal reproducer: build an EditableLabel holding the six-character text
// "-60317", then request a character range whose start offset is negative and
// whose end offset lies far beyond the end of the text. `chars()` is a safe
// binding over `gtk_editable_get_chars` (see the traces below), and the
// out-of-range offsets appear to reach GTK unvalidated; under AddressSanitizer
// this reports a heap-use-after-free read.
let label = EditableLabel::new("-60317");
let _ = label.chars(-47668, 94511);

causes the following crash (AddressSanitizer reports a heap-use-after-free read):

=================================================================
==71176==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020001a08b2 at pc 0x561209be2ced bp 0x7ffe79f24f20 sp 0x7ffe79f246d8
READ of size 1 at 0x6020001a08b2 thread T0
    #0 0x561209be2cec  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x2eecec)
    #1 0x7faafac6601b  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x7301b)
    #2 0x561209c1f10c  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x32b10c)
    #3 0x561209c21b04  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x32db04)
    #4 0x561209c1b707  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x327707)
    #5 0x561209c1aa6a  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x326a6a)
    #6 0x7faafad3cc0e  (/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x13c0e)
    #7 0x7faafad58ea5  (/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2fea5)
    #8 0x7faafad5a883  (/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x31883)
    #9 0x7faafad5aad2  (/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x31ad2)
    #10 0x7faafae5f9d7  (/lib/x86_64-linux-gnu/libgio-2.0.so.0+0xdb9d7)
    #11 0x7faafae5fbb5  (/lib/x86_64-linux-gnu/libgio-2.0.so.0+0xdbbb5)
    #12 0x561209c1c168  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x328168)
    #13 0x561209c1bb57  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x327b57)
    #14 0x561209c216c6  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x32d6c6)
    #15 0x561209c236aa  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x32f6aa)
    #16 0x561209c20a04  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x32ca04)
    #17 0x561209c1cd73  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x328d73)
    #18 0x56120a4351bd  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0xb411bd)
    #19 0x56120a4432ae  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0xb4f2ae)
    #20 0x56120a44c45a  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0xb5845a)
    #21 0x56120a441552  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0xb4d552)
    #22 0x56120a1f3869  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x8ff869)
    #23 0x56120a2908db  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x99c8db)
    #24 0x56120a4430ad  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0xb4f0ad)
    #25 0x56120a44c45a  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0xb5845a)
    #26 0x56120a44224b  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0xb4e24b)
    #27 0x56120a1f3b89  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x8ffb89)
    #28 0x56120a290229  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x99c229)
    #29 0x561209c1ccd5  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x328cd5)
    #30 0x561209c21d9b  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x32dd9b)
    #31 0x7faafa8f8fcf  (/lib/x86_64-linux-gnu/libc.so.6+0x2dfcf)
    #32 0x7faafa8f907c  (/lib/x86_64-linux-gnu/libc.so.6+0x2e07c)
    #33 0x561209b881e4  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x2941e4)

0x6020001a08b2 is located 2 bytes inside of 16-byte region [0x6020001a08b0,0x6020001a08c0)
freed by thread T0 here:
    #0 0x561209bf6792  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x302792)
    #1 0x7faafb42ec7d  (/lib/x86_64-linux-gnu/libgtk-4.so.1+0x302c7d)

previously allocated by thread T0 here:
    #0 0x561209bf6a72  (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x302a72)
    #1 0x7faafac515b0  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e5b0)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/rafal/Desktop/Untitled Folder/Project/target/x86_64-unknown-linux-gnu/debug/crash_thing+0x2eecec) 
Shadow bytes around the buggy address:
  0x0c048002c0c0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 00
  0x0c048002c0d0: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fd
  0x0c048002c0e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c048002c0f0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c048002c100: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 00
=>0x0c048002c110: fa fa fd fd fa fa[fd]fd fa fa fd fd fa fa fd fd
  0x0c048002c120: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa fd fd
  0x0c048002c130: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c048002c140: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 07
  0x0c048002c150: fa fa fd fd fa fa fd fd fa fa 00 07 fa fa fd fd
  0x0c048002c160: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==71176==ABORTING

Issue found by fuzzer - https://github.com/qarmin/gtk-rs-fuzzer

sdroege commented 2 years ago
==98018== Conditional jump or move depends on uninitialised value(s)
==98018==    at 0x555BC7B: g_utf8_offset_to_pointer (gutf8.c:371)
==98018==    by 0x555BC7B: g_utf8_offset_to_pointer (gutf8.c:351)
==98018==    by 0x4A2B177: gtk_editable_get_chars (gtkeditable.c:573)
==98018==    by 0x11160C: <O as gtk4::auto::editable::EditableExt>::chars (editable.rs:181)
==98018==    by 0x11146E: foo::main (main.rs:10)
==98018==    by 0x11159A: core::ops::function::FnOnce::call_once (function.rs:227)
==98018==    by 0x11163D: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:123)
==98018==    by 0x111730: std::rt::lang_start::{{closure}} (rt.rs:145)
==98018==    by 0x12950A: std::rt::lang_start_internal (function.rs:259)
==98018==    by 0x1116FF: std::rt::lang_start (rt.rs:144)
==98018==    by 0x1114DB: main (in /home/slomo/Projects/rust/gtk-rs/gtk4-rs/target/debug/foo)
==98018==  Uninitialised value was created by a heap allocation
==98018==    at 0x483F7B5: malloc (vg_replace_malloc.c:381)
==98018==    by 0x552DDB8: g_malloc (gmem.c:106)
==98018==    by 0x48AD9FB: g_signal_newv (gsignal.c:1781)
==98018==    by 0x48ADF72: g_signal_new_valist (gsignal.c:1983)
==98018==    by 0x48AE0D0: g_signal_new (gsignal.c:1512)
==98018==    by 0x4A3C35F: gtk_event_controller_key_class_init (gtkeventcontrollerkey.c:244)
==98018==    by 0x4A3C35F: gtk_event_controller_key_class_intern_init (gtkeventcontrollerkey.c:69)
==98018==    by 0x48B6CB7: type_class_init_Wm (gtype.c:2297)
==98018==    by 0x48B6CB7: g_type_class_ref (gtype.c:3012)
==98018==    by 0x48A0217: g_object_new_with_properties (gobject.c:2078)
==98018==    by 0x48A0BB0: g_object_new (gobject.c:1779)
==98018==    by 0x4B51598: gtk_text_init (gtktext.c:1941)
==98018==    by 0x48B8B19: g_type_create_instance (gtype.c:1929)
==98018==    by 0x489ECBC: g_object_new_internal (gobject.c:1939)

[...]

==98018== Invalid read of size 1
==98018==    at 0x4845AEB: strncpy (vg_replace_strmem.c:599)
==98018==    by 0x5547E97: UnknownInlinedFun (string_fortified.h:95)
==98018==    by 0x5547E97: g_strndup (gstrfuncs.c:462)
==98018==    by 0x11160C: <O as gtk4::auto::editable::EditableExt>::chars (editable.rs:181)
==98018==    by 0x11146E: foo::main (main.rs:10)
==98018==    by 0x11159A: core::ops::function::FnOnce::call_once (function.rs:227)
==98018==    by 0x11163D: std::sys_common::backtrace::__rust_begin_short_backtrace (backtrace.rs:123)
==98018==    by 0x111730: std::rt::lang_start::{{closure}} (rt.rs:145)
==98018==    by 0x12950A: std::rt::lang_start_internal (function.rs:259)
==98018==    by 0x1116FF: std::rt::lang_start (rt.rs:144)
==98018==    by 0x1114DB: main (in /home/slomo/Projects/rust/gtk-rs/gtk4-rs/target/debug/foo)

Bug in GTK it seems: the Valgrind trace shows gtk_editable_get_chars (gtkeditable.c:573) appearing to hand the caller-supplied start/end offsets straight to g_utf8_offset_to_pointer, which for a negative start and an end far past the 6-byte text walks outside the buffer; g_strndup then copies from that pointer (the "Invalid read of size 1" in strncpy). The ASan "heap-use-after-free" classification is most likely just where that wild read happened to land, not a real object-lifetime bug. Note that `chars()` is a safe Rust API, so this is a memory-safety hole reachable from safe code: until GTK range-checks the offsets, callers should validate start_pos/end_pos against the text length before calling it, and the binding could reasonably perform that check itself.