Ticket UUID: | 3f323bf2b42b668a5678e3ad4b5798053c949938 | |||
Title: | wm protocol crash on OSX compiled with XCode 8.3.1 | |||
Type: | Bug | Version: | all | |
Submitter: | anonymous | Created on: | 2017-04-08 13:15:05 | |
Subsystem: | 83. Mac OS X Build | Assigned To: | fvogel | |
Priority: | 5 Medium | Severity: | Critical | |
Status: | Closed | Last Modified: | 2017-04-10 18:33:17 | |
Resolution: | Fixed | Closed By: | fvogel | |
Closed on: | 2017-04-10 18:33:17 | |||
Description: |
When Tk is compiled with XCode 8.3.1, a buffer overflow check mechanism inside the compiler crashes Tk at "wm protocol". Script to reproduce: package require Tk wm protocol . WM_DELETE_WINDOW justsomething Cause: tkMacOSXWM.h defines a variable length structure with a fixed field, which trips up the overflow detector. Fix: diff -ru tk8.6/macosx/tkMacOSXWm.h tk8.6-patched/macosx/tkMacOSXWm.h --- tk8.6/macosx/tkMacOSXWm.h 2017-04-06 18:11:56.000000000 +0200 +++ tk8.6-patched/macosx/tkMacOSXWm.h 2017-04-08 15:03:44.000000000 +0200 @@ -29,7 +29,7 @@ * same top-level window, or NULL for end of * list. */ Tcl_Interp *interp; /* Interpreter in which to invoke command. */ - char command[4]; /* Tcl command to invoke when a client message + char command[]; /* Tcl command to invoke when a client message * for this protocol arrives. The actual size * of the structure varies to accommodate the * needs of the actual command. THIS MUST BE @@ -37,7 +37,7 @@ } ProtocolHandler; #define HANDLER_SIZE(cmdLength) \ -((unsigned) (sizeof(ProtocolHandler) - 3 + cmdLength)) +((unsigned) (sizeof(ProtocolHandler) + cmdLength + 1)) /* * A data structure of the following type holds window-manager-related | |||
User Comments: |
fvogel added on 2017-04-10 18:33:17:
Merged to core-8-6-branch and trunk. fvogel added on 2017-04-10 06:49:10: 1. OK, let Linux and Win be unchanged then since the code in itself is not buggy and since the existing code is C89-compatible code in case anyone needs this (just wondering who...) 2. I had a bug crashing the test suite on OS X but never had time to dig into it. Now I have checked that before your fix it crashes in wm-protocol-2.1, and it crashes with the call stack you showed me in the chat. And with your fix this does not happen anymore. I think this can now be merged. I won't wait for the usual week because I need this in other branches. Well done, many thanks again! anonymous (claiming to be auriocus) added on 2017-04-09 20:45:15: Thanks for taking a look. 1. The original code is not in itself buggy; it is just the overzealous buffer overflow detector which triggers (a false alarm). The corrected code uses a C99 feature (char[]). I don't know whether C99 is a problem on some Unix platforms - certainly on OSX it is impossible to use a compiler without C99 support. It's therefore left to the maintainers to decide for Unix/Windows. 2. To trigger the bug, the script must be longer than 4 chars, which is tested in the wm tests. I haven't checked that the test indeed triggers the bug, though. fvogel added on 2017-04-09 20:29:32: Forget to state it: the patch is in branch bug-3f323bf2b4. fvogel added on 2017-04-09 20:27:47: Thanks for the report and patch (which indeed fixes this issue). Two questions: 1. Don't we have similar issue, on Linux and on Win? 2. Should we add a testcase or do you think the existing test suite for wm is enough? |
Attachments:
- wmprotocol.patch [download] added by anonymous on 2017-04-08 13:16:39. [details]