Closed pjbroad closed 3 years ago
Will take a look, probably not today though. I haven't been able to reproduce it yet, from your post I think that this was a one-time crash for you as well, am I correct? Or are you able to crash it reliably? Did it crash immediately upon opening the tab, or were you moving the mouse cursor over an input field or something?
EDIT: also: did you change anything in the global variables in elconfig.c? I'm thinking about the "54 bytes to the left of global variable 'isometric'" and "0 bytes to the right of global variable 'lang'" part. Even when aligning ints to 8 bytes the math there doesn't completely add up. Of course the compiler can do what it wants, I just wonder.
Thanks. I cannot reproduce it. I'm pretty sure the crash happened while scrolling the page. My changes have not altered elconfig.c other than moving a #def to another module. The extent of my investigation was looking at the code around the cursor handling but I could not see anything obvious.
I have pushed a few changes that will fix a few possible buffer overruns in elconfig, but not for the language option: the declared buffer size was 10 bytes, and the size given in add_var() was 8 bytes, so even if change_string() would put a terminator after the 8th byte, it would be stored inside the buffer. The handling of string buffers in the options is now more in line with the rest of the client though, with the terminator being included in the character count.
Still looking what might have gone wrong...
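As an added illustration of the two size conventions the comment above contrasts (this is not the client's own code; the function names `set_option_chars_only`, `set_option_sized` and `chars_only_can_overrun` are hypothetical stand-ins for add_var()/change_string()), the following C shows why a buffer declared as 10 bytes but registered as 8 characters is safe under the "character count" convention, why a buffer declared at exactly the registered count is not, and how counting the terminator in the size removes the question:

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Hypothetical option-update routines written for this thread; they are not
 * the client's real add_var() / change_string(). They only show the two
 * conventions for the size argument that the comment above contrasts.
 */

/* Convention A ("character count"): 'count' is the number of characters the
 * option may hold and the terminator is NOT part of it. For a value that is
 * long enough the terminator is therefore written at buf[count], one byte
 * past the number the caller registered. Returns the terminator index. */
static size_t set_option_chars_only(char *buf, size_t count, const char *value)
{
    size_t n = strlen(value);
    if (n > count)
        n = count;
    memcpy(buf, value, n);
    buf[n] = '\0';              /* n == count is legal under this convention */
    return n;
}

/* Convention B ("buffer size, terminator included"): 'size' is sizeof(buf).
 * At most size-1 characters are stored, so the terminator always lands inside
 * the buffer. Returns the number of characters stored. */
static size_t set_option_sized(char *buf, size_t size, const char *value)
{
    size_t n = 0;
    if (size == 0)
        return 0;
    while (n < size - 1 && value[n] != '\0')   /* bounded scan, no strnlen needed */
        n++;
    memcpy(buf, value, n);
    buf[n] = '\0';
    return n;
}

/* Under convention A, can registering a buffer of 'declared' bytes with
 * 'registered' as the character count put the terminator outside it?
 * Yes whenever registered >= declared, since the terminator goes to
 * buf[registered]. Declared 10 / registered 8 (the lang case above) is safe
 * by two bytes; declared 8 / registered 8 is an off-by-one overrun. */
static int chars_only_can_overrun(size_t declared, size_t registered)
{
    return registered >= declared;
}

int main(void)
{
    /* Constructed sample: a 10-byte buffer registered as 8 characters. */
    char lang[10];
    size_t term = set_option_chars_only(lang, 8, "en_GB_long");
    printf("A: stored \"%s\", terminator at index %zu, overrun possible: %d\n",
           lang, term, chars_only_can_overrun(sizeof lang, 8));

    /* The same registration against an 8-byte buffer would write buf[8];
     * we only ask the predicate instead of performing the write, because
     * AddressSanitizer would report it as a stack-buffer-overflow. */
    printf("A: 8-byte buffer registered as 8 chars, overrun possible: %d\n",
           chars_only_can_overrun(8, 8));

    /* Convention B: pass sizeof(buf) and the terminator is accounted for. */
    char fixed[8];
    size_t stored = set_option_sized(fixed, sizeof fixed, "en_GB_long");
    printf("B: stored \"%s\" (%zu chars) in %zu bytes\n",
           fixed, stored, sizeof fixed);
    return 0;
}
```

The practical check this suggests when auditing option registration is mechanical: for every string option, compare the declared array size with the number handed to the registration call, and under convention A flag any pair where the registered count is not strictly smaller than the array.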
Found it. While scrolling you probably click in the small space between the border and the first character in the field by accident.
Nicely done! Thanks very much. Closing as fixed by 081c66b
I experienced a buffer-overflow crash while switching to the "Server" tab of options. I think it was the first time viewing the tab. I've so far been unable to trace the problem so posting here in case someone else can find it. I'm working on a patch that does not touch most of this code but has inserted a function into elwindows.c so those line numbers are off compared to git latest, but it's the obvious widget calling code. My lang string is set to "en".
Here's the output from the address sanitizer: