Public bug reported:

In all repositories there is a buffer overrun in the function
gtk_rc_add_default_file(), where if the dynamic array
gtk_rc_default_files has exactly max_default_files entries, a NULL will
be written past the allocated memory.  The resize function does not
resize the NULL-terminated array in this case, and address sanitizer
(and valgrind) detects a memory access violation in any code leading to
this function.

The following code is in error (from
https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/precise/gtk+2.0/precise-proposed/view/head:/gtk/gtkrc.c#L596
):
{{{
  /* Find the NULL terminator; n == max_default_files only if none was found. */
  for (n = 0; n < max_default_files; n++)
    {
      if (gtk_rc_default_files[n] == NULL)
        break;
    }

  /* Grows only when no terminator was found.  When the terminator already sits
     in the last slot (n == max_default_files - 1) no resize happens. */
  if (n == max_default_files)
    {
      max_default_files += 10;
      gtk_rc_default_files = g_renew (gchar*, gtk_rc_default_files, max_default_files);
    }

  gtk_rc_default_files[n++] = g_strdup (filename);
  /* In that case n == max_default_files here, so this NULL lands one past the end. */
  gtk_rc_default_files[n] = NULL;
}}}

Proposed modified implementation is as follows:
{{{
  /* Stop one slot early: the last slot is reserved for the terminator. */
  for (n = 0; n < (max_default_files-1); n++)
    {
      if (gtk_rc_default_files[n] == NULL)
        break;
    }

  /* Resize as soon as the terminator reaches the last slot, so the NULL
     written at index n + 1 below is still inside the array. */
  if (n >= (max_default_files-1))
    {
      max_default_files += 10;
      gtk_rc_default_files = g_renew (gchar*, gtk_rc_default_files, max_default_files);
    }

  gtk_rc_default_files[n++] = g_strdup (filename);
  gtk_rc_default_files[n] = NULL;
}}}

This implementation should be changed in all branches:

https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/gtk+2.0/trusty/view/head:/gtk/gtkrc.c#L569
https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/gtk+2.0/trusty-updates/view/head:/gtk/gtkrc.c#L569
https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/gtk+2.0/trusty-proposed/view/head:/gtk/gtkrc.c#L569
https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/precise/gtk+2.0/precise/view/head:/gtk/gtkrc.c#L590
https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/precise/gtk+2.0/precise-updates/view/head:/gtk/gtkrc.c#L596
https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/precise/gtk+2.0/precise-proposed/view/head:/gtk/gtkrc.c#L596
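The following is an added, stand-alone model of the fixed function, not GTK's code or the reporter's: it keeps the same NULL-terminated array and grow-by-10 policy, substitutes malloc/realloc/strdup for g_new/g_renew/g_strdup, and adds a count routine that checks the invariant the original code broke (the terminator must lie inside the allocated capacity). The helper names default_files, max_default_files, add_default_file, count_default_files and add_n_files are this example's own.

```c
#define _POSIX_C_SOURCE 200809L /* strdup() */
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Stand-alone model of gtk_rc_add_default_file() with the reporter's fix applied.
 * malloc/realloc/strdup stand in for g_new/g_renew/g_strdup; this is not GTK's code. */
static char **default_files = NULL;
static size_t max_default_files = 0;

/* Fixed add: grow whenever the NULL terminator sits in the last slot, so that
 * writing the new terminator at index n + 1 stays inside the allocation. */
void add_default_file(const char *filename)
{
  size_t n;
  if (default_files == NULL)            /* initial state: capacity 10, no entries */
    {
      max_default_files = 10;
      default_files = malloc(max_default_files * sizeof *default_files);
      default_files[0] = NULL;
    }
  for (n = 0; n < max_default_files - 1; n++)
    if (default_files[n] == NULL)
      break;
  if (n >= max_default_files - 1)       /* original only grew when n == max_default_files */
    {
      max_default_files += 10;
      default_files = realloc(default_files, max_default_files * sizeof *default_files);
    }
  default_files[n++] = strdup(filename);
  default_files[n] = NULL;              /* n <= max_default_files - 1 here */
}

/* Entry count; asserts the invariant the original broke: terminator inside capacity. */
size_t count_default_files(void)
{
  size_t n = 0;
  while (n < max_default_files && default_files[n] != NULL)
    n++;
  assert(n < max_default_files);
  return n;
}

/* Adds k copies of a constructed sample name and returns the entry count. */
size_t add_n_files(size_t k)
{
  while (k-- > 0)
    add_default_file("constructed-sample.gtkrc");
  return count_default_files();
}
```

Adding the 10th entry is the case the original mishandled: with capacity 10 and the terminator at index 9, the fixed check grows the array to 20 before the new terminator is written at index 10.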

** Affects: gtk+2.0 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gtk+2.0 in Ubuntu.
https://bugs.launchpad.net/bugs/1760240

Title:
  Write past end of buffer in gtk/gtkrc.c gtk_rc_add_default_file

Status in gtk+2.0 package in Ubuntu:
  New
