heap-buffer-overflow in gdk_event_copy when using two input devices with different numbers of axes
Steps to reproduce
- Add an event handler to a custom widget and copy (reference) the event in this handler. (Such an application would be xournalpp, for example.)
- compile the app with CXXFLAGS=-stdlib=libstdc++ -g -O1 -fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer
- try to draw with a stylus and touch the tablet with a hand or move the mouse at the same time.
- Application will quit (because ASAN detected a heap-buffer-overflow)
Current behavior
The application quits because a heap-buffer-overflow occurs
Expected outcome
Of course no heap-buffer-overflow
Version information
libgtk-3-0 v.3.22.30-1ubuntu4 libgtk-3-dev v.3.22.30-1ubuntu4
Linux Mint 19.03 Linux Mint 18.03
Additional information
- Happens when using 2 different devices with a different axis count
- The GdkEventType of the GdkEvent being copied from is always GDK_MOTION_NOTIFY
- The device associated with that event is a GDK_SOURCE_MOUSE, but it shares some of the options with my GDK_SOURCE_PEN device.
- The device always represents the master device named "Virtual core pointer"
- The device has 6 axes in my case:
(GDK_AXIS_FLAG_X | GDK_AXIS_FLAG_Y | GDK_AXIS_FLAG_PRESSURE | GDK_AXIS_FLAG_XTILT | GDK_AXIS_FLAG_YTILT | GDK_AXIS_FLAG_WHEEL)
- The event's axes field is allocated with only 3 or 4 fields.
- To copy the event, the size defined in the device is used.
For me it seems that either the wrong device is assigned to the event, or the device itself is wrong, or the wrong device is used to create that event.
I also found out that I get a belated/postponed event for the previous device action after switching devices.
It is also every time a GDK_MOTION_NOTIFY; maybe this is related.
Our event mask is:
int mask = GDK_KEY_PRESS_MASK | GDK_SCROLL_MASK |
GDK_TOUCH_MASK | GDK_POINTER_MOTION_MASK | GDK_BUTTON_PRESS_MASK | GDK_BUTTON_RELEASE_MASK |
GDK_SMOOTH_SCROLL_MASK | GDK_ENTER_NOTIFY_MASK | GDK_LEAVE_NOTIFY_MASK | GDK_PROXIMITY_IN_MASK |
GDK_PROXIMITY_OUT_MASK;
Stacktrace of gdb after the error is detected:
Breakpoint reached: __asan::ReportGenericError
Stack:
__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) 0x0000000000554804
memcpy 0x00000000004ed653
g_memdup 0x00007f399360d46a
gdk_event_copy 0x00007f39929dbf90
_gtk_gesture_update_point 0x00007f3992e80bee
gtk_gesture_handle_event 0x00007f3992e81245
gtk_gesture_single_handle_event 0x00007f3992e83f5e
gtk_event_controller_handle_event 0x00007f3992e51721
_gtk_widget_run_controllers 0x00007f399301126b
_gtk_widget_captured_event 0x00007f39930156d7
propagate_event_down 0x00007f3992ec88db
propagate_event 0x00007f3992ec88db
_gtk_propagate_captured_event 0x00007f3992eca7a7
gtk_main_do_event 0x00007f3992eca7a7
_gdk_event_emit 0x00007f39929db765
gdk_event_source_dispatch 0x00007f3992a0bf92
g_main_context_dispatch 0x00007f39935ee417
<unknown> 0x00007f39935ee650
g_main_loop_run 0x00007f39935ee962
gtk_main 0x00007f3992ec9a25
XournalMain::run XournalMain.cpp:379
main Xournalpp.cpp:42
__libc_start_main 0x00007f398e901b97
_start 0x00000000004d6b1a
The bug is also tracked by https://github.com/xournalpp/xournalpp/issues/1507
Edited by Fabian Keßler