! Please note that this is a snapshot of our old Bugzilla server, which is read only since May 29, 2020. Please go to gitlab.xfce.org for our new server !
Buffer-overflow in de keyboard plugin
Status:
CLOSED: FIXED
Priority:
Medium
Severity:
critical
Product:
Xfce4-settings
Component:
Keyboard Settings

Comments

Description Nick Schermer editbugs 2006-06-02 10:46:37 CEST 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060503 Firefox/1.5.0.3 (Swiftfox)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060503 Firefox/1.5.0.3 (Swiftfox)

There is a serious buffer overflow in the keyboard plugin. Here is the piece of code we're talking about ^_^:

shortcuts_plugin.c @ 993:
    shortcuts = g_strsplit (accelerator, "<", 0);
    current_shortcut = shortcuts;

    while (*current_shortcut)
    {
	if (strlen (*current_shortcut))
        {
	    strcat (shortcut_string, *current_shortcut);
	    strcat (shortcut_string, "+");
        }
	*current_shortcut = *current_shortcut + 1;
    }

I have no idea what this code needs todo, but i do know this doesn't fit in a gchar[80] string. After some testing i discovered the length of the string was about 51000 characters long (just before the crash) for only pressing the 'h' button...
Anyway this needs to be fixed before 4.4b2 if possible, because it crashed my laptop 1 time while debugging this leak (so probably also for other people).

gcc 4.1.1
glibc 2.4
gtk 2.8.18
glib2 2.10.3

Reproducible: Always

Steps to Reproduce:
1. Create new shortcut in the keyboard plugin
Comment 1 Nick Schermer editbugs 2006-06-02 10:49:17 CEST 
Created attachment 587 
Backtrace

I was not able to reproduse a buffer overflow report (-D_FORTIFY_SOURCE=2) without optimization flags. But even without these flags the application sigfault's
Comment 2 Olivier Fourdan editbugs 2006-06-02 20:39:51 CEST 
The same code is duplicated in the keyboard shortcuts editor and in the xfwm4 shortcut editor. I'm not sure what it's for as there was an ugly bug (the -in-famous "*current_shortcut++" bug) and that did not seem to be ever triggered until gcc complained and we fixed it.

However, since noone else seems to be able to trigger the bug (as noone complained so far), I think it's also interesting to attach the shortcut definition file too in case.
Comment 3 Jean-François Wauthy editbugs 2006-06-02 20:59:34 CEST 
i started looking into this one but the (*current_shorcut)++ seems right to me since the string array is null terminated, i'll try to convert shortcut_string in a dynamic string but i remember i did that in the first version but had unexplicated crashes

unfortunately i miss time (exams) and can only spare 1 or 2 hours every evening
Comment 4 Nick Schermer editbugs 2006-06-02 22:36:46 CEST 
Ok the shortcut plugin in xfwm4 works fine, just a small typo.
Comment 5 Nick Schermer editbugs 2006-06-02 22:37:52 CEST 
Created attachment 589 
Buffer overflow fix

Try it the xfwm4 way :)
Comment 6 Olivier Fourdan editbugs 2006-06-03 12:13:26 CEST 
Commited. I should have paid more attention to that when fixing it in xfwm4... Sorry. Thanks for spotting it ;)
Comment 7 Nick Schermer editbugs 2006-06-03 15:19:32 CEST 
Maybe it's usefull to add a comment in both script, so you never forget this piece of code is also used in the other plugin?

Anyway it's fixed so i close this bug.

Bug #1885

Reported by:
Nick Schermer
Reported on: 2006-06-02
Last modified on: 2009-07-15

People

Assignee:
Jannis Pohlmann
CC List:
2 users

Version

Version:
unspecified
Target Milestone:
Xfce 4.6

Attachments

Backtrace (15.70 KB, text/plain)
2006-06-02 10:49 CEST , Nick Schermer 		no flags
Buffer overflow fix (543 bytes, patch)
2006-06-02 22:37 CEST , Nick Schermer 		no flags

Additional information