gtk-rs / gtk4-rs

Rust bindings of GTK 4
https://gtk-rs.org/gtk4-rs/
MIT License

[BUG] `gtk4::IconView.set_drag_dest_item` causes crash #914

Open qarmin opened 2 years ago

qarmin commented 2 years ago
System:    Host: rafalkom Kernel: 5.13.0-28-generic x86_64 bits: 64 compiler: gcc v: 11.2.0 Desktop: GNOME 40.5 
           tk: GTK 3.24.30 wm: gnome-shell dm: GDM3 Distro: Ubuntu 21.10 (Impish Indri) 
RUST_BACKTRACE=full RUSTFLAGS=-Zsanitizer=address RUSTDOCFLAGS=-Zsanitizer=address cargo run  -Zbuild-std --target x86_64-unknown-linux-gnu

Bug description

use gtk4::{prelude::*, IconView, IconViewDropPosition, TreePath};
gtk4::init().unwrap(); // GTK must be initialised before any widget is created
let thing = IconView::new(); // IconView with no model set
thing.set_drag_dest_item(Some(TreePath::default()).as_ref(), IconViewDropPosition::DropAbove);

causes a crash:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==23963==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7efced7a7a40 bp 0x62900028c320 sp 0x7ffeeb291ed0 T0)
==23963==The signal is caused by a READ memory access.
==23963==Hint: address points to the zero page.
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libgtk-4.so.1+0x18ca40) 

Issue found by fuzzer - https://github.com/qarmin/gtk-rs-fuzzer

sdroege commented 2 years ago

Also a bug in GTK

diff --git a/gtk/gtkiconview.c b/gtk/gtkiconview.c
index 41f824610d..f1a7ddf114 100644
--- a/gtk/gtkiconview.c
+++ b/gtk/gtkiconview.c
@@ -6390,6 +6390,7 @@ gtk_icon_view_set_drag_dest_item (GtkIconView              *icon_view,
    */

   g_return_if_fail (GTK_IS_ICON_VIEW (icon_view));
+  g_return_if_fail (GTK_IS_TREE_MODEL (icon_view->priv->model));

   if (icon_view->priv->dest_item)
     {
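Review bot: the added `g_return_if_fail (GTK_IS_TREE_MODEL (icon_view->priv->model));` does stop the NULL read (GTK_IS_TREE_MODEL on a NULL pointer evaluates to FALSE, so the function logs a critical and returns before the model is touched), but a view without a model is a legitimate state, and the Rust reproducer above hits exactly that by calling the setter straight after IconView::new(), so this precondition will fire as a critical on otherwise valid code. Consider a silent early return (`if (icon_view->priv->model == NULL) return;`) instead, and note that g_return_if_fail is compiled out under G_DISABLE_CHECKS, so the remaining code in this function that dereferences the model still has to cope with it being unset.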

Is at least part of the fix, but there seems to be more code in there that assumes the existence of the model.