gtk_accelerator_parse_with_keycode buffer over-run with specific input.
Steps to reproduce
- compile the following code:
#include <gtk/gtk.h>

int main(int argc, char** argv) {
    /* this one is OK */
    const char* accel0 = "<Control><Alt>>";
    gtk_accelerator_parse(accel0, NULL, NULL);

    /* this one crashes */
    const char* accel = "<Control><Alt><";
    gtk_accelerator_parse(accel, NULL, NULL);

    return 0;
}
using the following command:
gcc `pkg-config gtk+-3.0 --cflags --libs` -fsanitize=address main.c -o gtk_test
It is important to have the address sanitizer.
- Run the gtk_test binary compiled above. The address sanitizer is unhappy.
Version information
gtk from Fedora 31
Version: 3.24.13
Release: 1.fc31
Architecture: x86_64
Warnings
=================================================================
==571318==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000402070 at pc 0x7f41c13bbdb5 bp 0x7ffe8d10c7c0 sp 0x7ffe8d10bf68
READ of size 1 at 0x000000402070 thread T0
#0 0x7f41c13bbdb4 (/lib64/libasan.so.5+0xd6db4)
#1 0x7f41c0b102e7 in gdk_keys_name_compare gdkkeynames.c:83
#2 0x7f41c0b102e7 in _gdk_keyval_from_name /usr/include/bits/stdlib-bsearch.h:33
#3 0x7f41c0ce36b9 in gtk_accelerator_parse_with_keycode /usr/src/debug/gtk3-3.24.13-1.fc31.x86_64/gtk/gtkaccelgroup.c:1357
#4 0x4011b0 in main (/home/hub/tmp/gtk_test+0x4011b0)
#5 0x7f41c02ca1a2 in __libc_start_main ../csu/libc-start.c:308
#6 0x4010ad in _start (/home/hub/tmp/gtk_test+0x4010ad)
0x000000402070 is located 0 bytes to the right of global variable '*.LC1' defined in 'main.c' (0x402060) of size 16
'*.LC1' is ascii string '<Control><Alt><'
SUMMARY: AddressSanitizer: global-buffer-overflow (/lib64/libasan.so.5+0xd6db4)
Shadow bytes around the buggy address:
==571318==ABORTING
Backtrace
(identical to the stack trace in the AddressSanitizer report above, frames #0 through #6)
Expected
I'd be OK with an actual error and rejected input if the entry is deemed invalid.
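As an added illustration (not GTK's code), here is a bounded parser for the `<Modifier>key` syntax that rejects the trailing `<` from the reproducer instead of scanning past the terminating NUL; the modifier names, bit values and the choice to reject unknown modifiers are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Modifier bits for this hypothetical parser (constructed for the example,
 * not GDK's GdkModifierType values). */
enum { MOD_CONTROL = 1, MOD_ALT = 2, MOD_SHIFT = 4 };

/* Parse "<Control><Alt>key" into a modifier mask and a key name.
 * Returns 1 on success, 0 if the string is malformed. The key name is
 * copied into key (at most keylen-1 bytes). Every read is bounded by the
 * string length, so "<" with no closing ">" is rejected rather than
 * searched for beyond the end of the buffer. */
int parse_accel_safe(const char *accel, unsigned *mods, char *key, size_t keylen)
{
    size_t len = strlen(accel);
    size_t pos = 0;
    *mods = 0;

    while (pos < len && accel[pos] == '<') {
        /* look for the matching '>' in the remaining bytes only */
        const char *name = accel + pos + 1;
        const char *close = memchr(name, '>', len - pos - 1);
        if (close == NULL)
            return 0;                     /* unterminated "<": reject */
        size_t nlen = (size_t)(close - name);
        if (nlen == 7 && strncmp(name, "Control", 7) == 0)
            *mods |= MOD_CONTROL;
        else if (nlen == 3 && strncmp(name, "Alt", 3) == 0)
            *mods |= MOD_ALT;
        else if (nlen == 5 && strncmp(name, "Shift", 5) == 0)
            *mods |= MOD_SHIFT;
        else
            return 0;                     /* unknown modifier: reject */
        pos = (size_t)(close - accel) + 1;
    }

    /* whatever remains is the key name; it must be non-empty and fit */
    size_t klen = len - pos;
    if (klen == 0 || klen >= keylen)
        return 0;
    memcpy(key, accel + pos, klen);
    key[klen] = '\0';
    return 1;
}

int main(void)
{
    const char *inputs[] = { "<Control><Alt>>", "<Control><Alt><", "<Control>q" };
    for (size_t i = 0; i < 3; i++) {
        unsigned mods; char key[32];
        int ok = parse_accel_safe(inputs[i], &mods, key, sizeof key);
        printf("%-16s -> %s\n", inputs[i], ok ? key : "rejected");
    }
    return 0;
}
```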