Package: libgtk-3-0
Version: 3.14.5-1+deb8u1
Severity: normal
Tags: upstream jessie patch fixed-upstream

Dear Maintainer,

While running wireshark from jessie-backports with GTK+ Inspector enabled (`GTK_DEBUG=interactive wireshark-gtk`) I got a large number of

(wireshark-gtk:3784): Gtk-WARNING **:
/build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/gtktreestore.c:1042: Invalid
column number -150702538 added to iter (remember to end your list of
columns with a -1)

GDB backtrace from g_log attached.
This seems to come from a type mismatch in gtk/inspector/resource-list.{c,ui}: resource-list.ui declares the last column as guint64,
but resource-list.c uses gsize (32-bit on 32-bit architectures).
This results in the above warning, an out-of-buffer stack read inside gtk_tree_model_set (likely harmless except for leaking 4 bytes from the stack on little-endian, but up to crash/DoS on big-endian), and an out-of-buffer stack write in gtk_tree_model_get.

I doubt it is practically exploitable, but you can never be sure.

See the upstream patch "inspector: be careful about gsize vs guint64" (extracted from
https://mail.gnome.org/archives/commits-list/2015-January/msg02295.html
and attached below; it seems it was already included in the stretch/sid version).
This patch also seems to have been included in gtk+-3.14.7 (btw, WTF, why are upstream *stable* patches not *automatically* shipped with [at least] point releases??? many crash bugs are potential security issues (even if not explicitly marked as such by upstream devs), and it is extremely annoying to debug an issue only to discover it was already fixed in the upstream *stable* branch years ago :-\).

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'proposed-updates')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libgtk-3-0 depends on:
ii  libatk-bridge2.0-0   2.14.0-2
ii  libatk1.0-0          2.14.0-1
ii  libc6                2.19-18+deb8u6
ii  libcairo-gobject2    1.14.0-2.1+deb8u1
ii  libcairo2            1.14.0-2.1+deb8u1
ii  libcolord2           1.2.1-1+b2
ii  libcups2             1.7.5-11+deb8u1
ii  libfontconfig1       2.11.0-6.3+deb8u1
ii  libfreetype6         2.5.2-3+deb8u1
ii  libgdk-pixbuf2.0-0   2.31.1-2+deb8u5
ii  libglib2.0-0         2.42.1-1+b1
ii  libgtk-3-common      3.14.5-1+deb8u1
ii  libjson-glib-1.0-0   1.0.2-1
ii  libpango-1.0-0       1.36.8-3
ii  libpangocairo-1.0-0  1.36.8-3
ii  libpangoft2-1.0-0    1.36.8-3
ii  librest-0.7-0        0.7.92-3
ii  libsoup2.4-1         2.48.0-1
ii  libwayland-client0   1.6.0-2
ii  libwayland-cursor0   1.6.0-2
ii  libx11-6             2:1.6.2-3
ii  libxcomposite1       1:0.4.4-1
ii  libxcursor1          1:1.1.14-1+b1
ii  libxdamage1          1:1.1.4-2+b1
ii  libxext6             2:1.3.3-1
ii  libxfixes3           1:5.0.1-2+b2
ii  libxi6               2:1.7.4-1+b2
ii  libxinerama1         2:1.1.3-1+b1
ii  libxkbcommon0        0.4.3-2
ii  libxml2              2.9.1+dfsg1-5+deb8u3
ii  libxrandr2           2:1.4.2-1+b1
ii  multiarch-support    2.19-18+deb8u6
ii  shared-mime-info     1.3-1

Versions of packages libgtk-3-0 recommends:
ii  hicolor-icon-theme  0.13-1
ii  libgtk-3-bin        3.14.5-1+deb8u1

Versions of packages libgtk-3-0 suggests:
ii  gvfs             1.22.2-1
ii  librsvg2-common  2.40.5-1+deb8u2

-- no debconf information

(gdb) bt
#0  g_log (log_domain=0xf7b89263 "Gtk", log_level=G_LOG_LEVEL_WARNING, 
    format=0xf7bc84bc "%s: Invalid column number %d added to iter (remember to 
end your list of columns with a -1)")
    at /build/glib2.0-3vWc1h/glib2.0-2.42.1/./glib/gmessages.c:1075
#1  0xf7afefa7 in gtk_tree_store_set_valist_internal (
    tree_store=tree_store@entry=0x56a1d300, iter=iter@entry=0xffffcc7c, 
    emit_signal=0xffffcbd4, maybe_need_sort=0xffffcbd8, 
    var_args=0xffffcc40 
"ÐۉV|ÍÿÿÐۉV|Ìÿÿè1±VüÌÿÿà\030ˆVôÌÿÿøÌÿÿxÌÿÿtÌÿÿ\030g°V°™®V\001") at 
/build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/gtktreestore.c:1042
#2  0xf7b006ca in gtk_tree_store_set_valist (tree_store=0x56a1d300, 
    iter=0xffffcc7c, var_args=0xffffcc28 "\002")
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/gtktreestore.c:1144
#3  0xf7b00754 in gtk_tree_store_set (tree_store=0x56a1d300, iter=0xffffcc7c)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/gtktreestore.c:1186
#4  0xf7b84bbe in load_resources_recurse (sl=sl@entry=0x569e8428, 
    parent=parent@entry=0xffffccfc, path=0x568818e0 "/org/wireshark/image/", 
    count_out=0xffffccf4, size_out=0xffffccf8)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/inspector/resource-list.c:100
#5  0xf7b84b99 in load_resources_recurse (sl=sl@entry=0x569e8428, 
    parent=parent@entry=0xffffcd7c, path=0x56afb9b0 "/org/wireshark/", 
    count_out=0xffffcd74, size_out=0xffffcd78)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/inspector/resource-list.c:92
#6  0xf7b84b99 in load_resources_recurse (sl=sl@entry=0x569e8428, 
    parent=parent@entry=0xffffcdfc, path=0x56ab9d50 "/org/", 
    count_out=0xffffcdf4, size_out=0xffffcdf8)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/inspector/resource-list.c:92
#7  0xf7b84b99 in load_resources_recurse (sl=sl@entry=0x569e8428, 
    parent=parent@entry=0x0, path=0xf7b9d80c "/", count_out=0xffffce44, 
    size_out=0xffffce48)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/inspector/resource-list.c:92
#8  0xf7b84d0e in load_resources (sl=0x569e8428)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/inspector/resource-list.c:225
#9  gtk_inspector_resource_list_init (sl=0x569e8428)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/inspector/resource-list.c:233
#10 0xf738b940 in g_type_create_instance (type=1451168256)
    at /build/glib2.0-3vWc1h/glib2.0-2.42.1/./gobject/gtype.c:1865
#11 0xf736d9d6 in g_object_new_internal (class=0xf7b89263, 
    class@entry=0x56b11388, params=0x1, params@entry=0x0, n_params=0)
    at /build/glib2.0-3vWc1h/glib2.0-2.42.1/./gobject/gobject.c:1774
#12 0xf736f4a6 in g_object_newv (object_type=1451168256, n_parameters=0, 
    parameters=0x0)
    at /build/glib2.0-3vWc1h/glib2.0-2.42.1/./gobject/gobject.c:1922
#13 0xf78f7538 in _gtk_builder_construct (builder=0x568ca638, info=0x56816ca0, 
    error=0xffffd0e8)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/gtkbuilder.c:708
#14 0xf78f83a0 in builder_construct (object_info=0x56816ca0, error=0xffffd0e8, 
    data=<optimized out>)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/gtkbuilderparser.c:197
#15 0xf78fa4f8 in end_element (context=0x56b0fb40, 
    element_name=0x5687f600 "object", user_data=0x56879a88, error=0xffffd0e8)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/gtkbuilderparser.c:1198
#16 0xf727d611 in emit_end_element (context=0x56848b38, error=0xffffd1e8)
    at /build/glib2.0-3vWc1h/glib2.0-2.42.1/./glib/gmarkup.c:1084
#17 0xf727e101 in g_markup_parse_context_parse (context=0x56848b38, 
    text=0x56856da0 "@ç„V\006", text_len=-138898845, error=0xffffd1e8)
    at /build/glib2.0-3vWc1h/glib2.0-2.42.1/./glib/gmarkup.c:1626
#18 0xf78fa87a in _gtk_builder_parser_parse_buffer (builder=0x568ca638, 
    filename=0xf7b89263 "Gtk", 
    buffer=0x567f3af0 "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<interface 
domain=\"gtk30\">\n  <object class=\"GtkImage\" id=\"inspect_image\">\n    
<property name=\"visible\">True</property>\n    <property 
name=\"icon-name\">find-locati"..., length=16950, requested_objs=0x0, 
error=0xffffd1e8)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/gtkbuilderparser.c:1381
#19 0xf78f5893 in _gtk_builder_extend_with_template (builder=0x568ca638, 
    widget=0xf7c0b91a, template_type=1451169936, 
    buffer=0x567f3af0 "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<interface 
domain=\"gtk30\">\n  <object class=\"GtkImage\" id=\"inspect_image\">\n    
<property name=\"visible\">True</property>\n    <property 
name=\"icon-name\">find-locati"..., length=16950, error=0xffffd258)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/gtkbuilder.c:1145
#20 0xf7b3d591 in gtk_widget_init_template (widget=0x567f8248)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/gtkwidget.c:16688
#21 0xf7b88e8b in gtk_inspector_window_init (iw=0x567f8248)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/inspector/window.c:139
#22 0xf738b940 in g_type_create_instance (type=1451169936)
    at /build/glib2.0-3vWc1h/glib2.0-2.42.1/./gobject/gtype.c:1865
#23 0xf736d9d6 in g_object_new_internal (class=0xf7b89263, 
    class@entry=0x567f1948, params=0x1, params@entry=0x0, n_params=0)
    at /build/glib2.0-3vWc1h/glib2.0-2.42.1/./gobject/gobject.c:1774
#24 0xf736f4a6 in g_object_newv (object_type=1451169936, n_parameters=0, 
    parameters=0x0)
    at /build/glib2.0-3vWc1h/glib2.0-2.42.1/./gobject/gobject.c:1922
#25 0xf736facd in g_object_new (object_type=1451169936, 
    first_property_name=0x0)
    at /build/glib2.0-3vWc1h/glib2.0-2.42.1/./gobject/gobject.c:1614
#26 0xf7b88fbf in gtk_inspector_window_new ()
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/inspector/window.c:202
#27 0xf7b4cbca in gtk_window_set_debugging (enable=1, select=0, warn=0)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/gtkwindow.c:11717
#28 0xf7b51163 in gtk_window_set_interactive_debugging (enable=<optimized out>)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/gtkwindow.c:11771
#29 0xf79ee684 in gtk_init_check (argc=0xffffd610, argv=0xffffd53c)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/gtkmain.c:991
#30 0xf79ee6ac in gtk_init (argc=0xffffd610, argv=0xffffd53c)
    at /build/gtk+3.0-b165l9/gtk+3.0-3.14.5/./gtk/gtkmain.c:1045
#31 0x5657ef08 in ?? ()


commit 0691f8f011efebbc1c3a9e7ca76a65d23f58c1e2
Author: Matthias Clasen <mclasen redhat com>
Date:   Sat Jan 10 21:36:52 2015 -0500

    inspector: be careful about gsize vs guint64

    Since gsize doesn't work as a typename in a ui file,
    we have to be careful not to pass pointers to wrongly
    sized variables when getting the guint64 values out
    of the model.

    https://bugzilla.gnome.org/show_bug.cgi?id=742664

 gtk/inspector/resource-list.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)
---
diff --git a/gtk/inspector/resource-list.c b/gtk/inspector/resource-list.c
index 44fb34c..a9b6a0d 100644
--- a/gtk/inspector/resource-list.c
+++ b/gtk/inspector/resource-list.c
@@ -60,6 +60,7 @@ load_resources_recurse (GtkInspectorResourceList *sl,
   gchar **names;
   gint i;
   GtkTreeIter iter;
+  guint64 stored_size;

   names = g_resources_enumerate_children (path, 0, NULL);
   for (i = 0; names[i]; i++)
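Review bot: the new `guint64 stored_size;` beside `GtkTreeIter iter;` deserves a one-line comment explaining why a second variable of a different width exists next to `size`: resource-list.ui declares COLUMN_SIZE as guint64 while `size` is a gsize, and nothing at the declaration tells a reader that the two differ on 32-bit targets, so a future cleanup could easily fold them back together.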
@@ -97,9 +98,10 @@ load_resources_recurse (GtkInspectorResourceList *sl,
           g_resources_get_info (p, 0, &size, NULL, NULL);
         }

+      stored_size = size;
       gtk_tree_store_set (sl->priv->model, &iter,
                           COLUMN_COUNT, count,
-                          COLUMN_SIZE, size,
+                          COLUMN_SIZE, stored_size,
                           -1);
       *count_out += count;
       *size_out += size;
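Review bot: `stored_size = size;` followed by `COLUMN_SIZE, stored_size,` is the right fix for the varargs read: gtk_tree_store_set fetches the COLUMN_SIZE argument with the width of the model's declared type (guint64), so the old `COLUMN_SIZE, size,` supplied only 4 bytes on 32-bit builds and the consumer read 8, swallowing the `-1` terminator, which is exactly the "Invalid column number" warning in the report. `*size_out += size;` below keeps accumulating in gsize, which is fine since that total never crosses the varargs boundary; a short comment at `stored_size = size;` saying "ui file cannot name gsize" would keep the widening from looking redundant.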
@@ -125,6 +127,7 @@ selection_changed (GtkTreeSelection         *selection,
       gconstpointer data;
       gint count;
       gsize size;
+      guint64 stored_size;
       GError *error = NULL;

       gtk_widget_hide (rl->priv->info_grid);
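Review bot: the second `guint64 stored_size;` declaration mirrors the one in load_resources_recurse, so the same explanatory comment (or a single helper that reads COLUMN_SIZE into a guint64) would avoid two places that must stay in sync with the column type in resource-list.ui.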
@@ -133,8 +136,9 @@ selection_changed (GtkTreeSelection         *selection,
                           COLUMN_PATH, &path,
                           COLUMN_NAME, &name,
                           COLUMN_COUNT, &count,
-                          COLUMN_SIZE, &size,
+                          COLUMN_SIZE, &stored_size,
                           -1);
+      size = stored_size;

       if (g_str_has_suffix (path, "/"))
         {
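Review bot: `COLUMN_SIZE, &stored_size,` fixes the more serious side of the mismatch: gtk_tree_model_get writes a full guint64 through the pointer it is given, so the old `&size` meant 8 bytes written into a 4-byte stack slot on 32-bit builds, the out-of-buffer stack write the report describes. The following `size = stored_size;` narrows back to gsize; that is harmless for resource sizes in practice but is a silent truncation on 32-bit, so if `size` only feeds the display it would be cleaner to format `stored_size` directly and drop the narrowing.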

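The mechanism the report describes (a 32-bit gsize handed to a varargs consumer that pulls a guint64 out of it, so the -1 terminator is swallowed), as an added example that is not part of the report or of GTK+: it packs arguments into a constructed byte buffer the way a 32-bit stack would hold them and parses them against a column-width table, assuming a little-endian host; ArgStack, consume, set_buggy and set_fixed are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

/* Column types as resource-list.ui declares them: COLUMN_COUNT is an int,
 * COLUMN_SIZE is guint64; the consumer reads each value with this width. */
enum { COL_COUNT = 0, COL_SIZE = 1, NCOLS = 2 };
static const size_t col_width[NCOLS] = { 4, 8 };

/* Constructed stand-in for a 32-bit stack va_list: arguments packed back to back. */
typedef struct { unsigned char buf[64]; size_t len; } ArgStack;
static void push(ArgStack *s, const void *v, size_t n) { memcpy(s->buf + s->len, v, n); s->len += n; }
static void push_i32(ArgStack *s, int32_t v) { push(s, &v, 4); }

/* Consumer side, as gtk_tree_store_set behaves: read a column number as int, then a
 * value of that column's declared width, until the -1 terminator. Returns the number
 * of columns stored, or -1 if the list is malformed (bad column number or over-read). */
static int consume(const ArgStack *s, uint64_t out[NCOLS])
{
    size_t pos = 0; int parsed = 0;
    for (;;) {
        int32_t col;
        uint64_t v = 0;
        if (pos + 4 > s->len) return -1;              /* would read past the arguments */
        memcpy(&col, s->buf + pos, 4); pos += 4;
        if (col == -1) return parsed;
        if (col < 0 || col >= NCOLS) return -1;        /* the "Invalid column number" case */
        if (pos + col_width[col] > s->len) return -1;
        memcpy(&v, s->buf + pos, col_width[col]); pos += col_width[col];
        out[col] = v; parsed++;
    }
}

/* Buggy caller: a 32-bit gsize is passed for the guint64 column, so only 4 bytes land
 * where the consumer expects 8; the -1 terminator becomes the value's upper half. */
static int set_buggy(uint32_t count, uint32_t size, uint64_t out[NCOLS])
{
    ArgStack s = { {0}, 0 };
    push_i32(&s, COL_COUNT); push_i32(&s, (int32_t)count);
    push_i32(&s, COL_SIZE);  push(&s, &size, sizeof size);
    push_i32(&s, -1);
    return consume(&s, out);
}

/* Fixed caller, the pattern of the upstream patch: widen into a guint64 first. */
static int set_fixed(uint32_t count, uint32_t size, uint64_t out[NCOLS])
{
    ArgStack s = { {0}, 0 };
    uint64_t stored_size = size;
    push_i32(&s, COL_COUNT); push_i32(&s, (int32_t)count);
    push_i32(&s, COL_SIZE);  push(&s, &stored_size, sizeof stored_size);
    push_i32(&s, -1);
    return consume(&s, out);
}
```

With the buggy layout the consumer returns -1 because, after eating the terminator as data, the next column number would come from beyond the argument list, which on a real stack is the garbage column number and the over-read the report observed.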