GTK3: Heap corruption leading to crash when creating compose cache for very large/unusual Compose file
Steps to reproduce
- Set up ibus with compose functionality
- clear the GTK3 compose cache (rm -rf ~/.cache/gtk-3.0/compose)
- Download this .XCompose file and set XCOMPOSEFILE to its location
- launch any GTK 3 application, such as the demos
The application is likely going to crash immediately or after you start entering text. I can no longer reproduce the crash after I remove the .XCompose file or comment out the following line in gtk/gtkcomposetable.c:
gtk_compose_table_save_cache (compose_table);
Version information
- GTK 3.24.33 (other versions are affected too)
- NixOS 22.05, also happens when manually building gtk (with the same configure flags)
Error messages
While aborting, glibc will output a message like “double free or corruption (!prev)” or “malloc(): unaligned tcache chunk detected”
Backtrace
(gdb) bt full
#0 0x00007ffff686dadf in __pthread_kill_implementation () from /nix/store/ayrsyv7npr0lcbann4k9lxr19x813f0z-glibc-2.34-115/lib/libc.so.6
No symbol table info available.
#1 0x00007ffff6823062 in raise () from /nix/store/ayrsyv7npr0lcbann4k9lxr19x813f0z-glibc-2.34-115/lib/libc.so.6
No symbol table info available.
#2 0x00007ffff680e45c in abort () from /nix/store/ayrsyv7npr0lcbann4k9lxr19x813f0z-glibc-2.34-115/lib/libc.so.6
No symbol table info available.
#3 0x00007ffff6862418 in __libc_message () from /nix/store/ayrsyv7npr0lcbann4k9lxr19x813f0z-glibc-2.34-115/lib/libc.so.6
No symbol table info available.
#4 0x00007ffff68770ca in malloc_printerr () from /nix/store/ayrsyv7npr0lcbann4k9lxr19x813f0z-glibc-2.34-115/lib/libc.so.6
No symbol table info available.
#5 0x00007ffff6878cec in _int_free () from /nix/store/ayrsyv7npr0lcbann4k9lxr19x813f0z-glibc-2.34-115/lib/libc.so.6
No symbol table info available.
#6 0x00007ffff687b2c1 in free () from /nix/store/ayrsyv7npr0lcbann4k9lxr19x813f0z-glibc-2.34-115/lib/libc.so.6
No symbol table info available.
#7 0x00007ffff7906b68 in gtk_compose_table_save_cache (compose_table=0x7fffd0001710) at gtkcomposetable.c:706
contents = <optimized out>
length = <optimized out>
path = 0x7fffd156fb20 "/home/darkkirb/.cache/gtk-3.0/compose/7f6d2bc1.cache"
error = 0x0
path = <optimized out>
contents = <optimized out>
error = <optimized out>
length = <optimized out>
__func__ = "gtk_compose_table_save_cache"
out_save_cache = <optimized out>
#8 gtk_compose_table_list_add_file (compose_tables=0x8fdc60, compose_file=<optimized out>) at gtkcomposetable.c:877
hash = <optimized out>
compose_table = 0x7fffd0001710
__func__ = "gtk_compose_table_list_add_file"
#9 0x00007ffff79bfd85 in gtk_im_context_simple_init_compose_table () at gtkimcontextsimple.c:191
locale = <optimized out>
langs = 0x0
lang = 0x0
sys_langs = {0x7ffff7bce198 "el_gr", 0x7ffff7bce19e "fi_fi", 0x7ffff7bce1a4 "pt_br", 0x0}
sys_lang = 0x0
x11_compose_file_dir = <optimized out>
path = 0x7fffd00011a0 "/home/darkkirb/.XCompose"
home = <optimized out>
path = <optimized out>
home = <optimized out>
locale = <optimized out>
langs = <optimized out>
lang = <optimized out>
sys_langs = <optimized out>
sys_lang = <optimized out>
x11_compose_file_dir = <optimized out>
_pp = <optimized out>
_ptr = <optimized out>
_pp = <optimized out>
_ptr = <optimized out>
_pp = <optimized out>
_ptr = <optimized out>
_pp = <optimized out>
_ptr = <optimized out>
#10 init_compose_table_thread_cb (task=<optimized out>, source_object=<optimized out>, task_data=<optimized out>, cancellable=<optimized out>) at gtkimcontextsimple.c:255
before = <optimized out>
#11 0x00007ffff73291d4 in g_task_thread_pool_thread () from /nix/store/abwcp8fsvrign29hrqrha5psz8kkc4rx-glib-2.72.0/lib/libgio-2.0.so.0
No symbol table info available.
#12 0x00007ffff715dea4 in g_thread_pool_thread_proxy () from /nix/store/abwcp8fsvrign29hrqrha5psz8kkc4rx-glib-2.72.0/lib/libglib-2.0.so.0
No symbol table info available.
#13 0x00007ffff715d5ad in g_thread_proxy () from /nix/store/abwcp8fsvrign29hrqrha5psz8kkc4rx-glib-2.72.0/lib/libglib-2.0.so.0
No symbol table info available.
#14 0x00007ffff686beb2 in start_thread () from /nix/store/ayrsyv7npr0lcbann4k9lxr19x813f0z-glibc-2.34-115/lib/libc.so.6
No symbol table info available.
#15 0x00007ffff68ee31c in clone3 () from /nix/store/ayrsyv7npr0lcbann4k9lxr19x813f0z-glibc-2.34-115/lib/libc.so.6
No symbol table info available.