Package: gtk2-engines-cleanice
Version: 2.4.0-1.1
Severity: critical
Justification: breaks unrelated software


Version 2.4.0 does not check for possible NULL pointers supplied to strncmp()
in draw_flat_box() in cleanice-draw.c, line 1013. This breaks unrelated
software (noticed with Geeqie; bug #457098 could also be related).

Please either apply the attached patch or update the package to 2.4.1
released upstream. However, in my opinion, the upstream's fix for this
bug is not fully correct (it fixes the segfault but changes the operation
of the code in a way incompatible with the docs on GtkTreeView).
Meanwhile I am trying to contact the upstream by e-mail. As one can
see from his changelog there were no significant changes in
2.4.1 except this fix.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (900, 'testing'), (90, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages gtk2-engines-cleanice depends on:
ii  libatk1.0-0                   1.22.0-1   The ATK accessibility toolkit
ii  libc6                         2.7-10     GNU C Library: Shared libraries
ii  libcairo2                     1.6.4-6    The Cairo 2D vector graphics libra
ii  libglib2.0-0                  2.16.3-2   The GLib library of C routines
ii  libgtk2.0-0 [gtk2.0-binver-2. 2.12.10-2  The GTK+ graphical user interface 
ii  libpango1.0-0                 1.20.3-2   Layout and rendering of internatio

gtk2-engines-cleanice recommends no packages.

-- no debconf information
diff -urN gtk2-engines-cleanice-2.4.0-orig/src/cleanice-draw.c gtk2-engines-cleanice-2.4.0/src/cleanice-draw.c
--- gtk2-engines-cleanice-2.4.0-orig/src/cleanice-draw.c	2005-01-30 06:55:08.000000000 +0300
+++ gtk2-engines-cleanice-2.4.0/src/cleanice-draw.c	2008-07-10 12:29:50.000000000 +0400
@@ -25,6 +25,7 @@
 #include "cleanice.h"
 
 #define DETAIL(xx) ((detail) && (!strcmp(xx, detail)))
+#define DETAILN(xx) ((detail) && (!strncmp(xx, detail, strlen(xx))))
 
 static void cleanice_style_init (CleanIceStyle * style);
 static void cleanice_style_class_init (CleanIceStyleClass * klass);
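Review bot: the new DETAILN macro added next to DETAIL expands its argument twice (once for strncmp, once for strlen), leaves it unparenthesized, and silently depends on a local variable named detail being in scope. That is safe only for string-literal arguments, which is how the second hunk uses it, so a one-line comment stating that it is a NULL-safe prefix match and that xx must be a literal would help. With literals, sizeof (xx) - 1 could replace the strlen call, and since the package depends on GLib, (detail) && g_str_has_prefix (detail, xx) would express the same test more directly.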
@@ -1010,8 +1011,7 @@
     if (area) {
       gdk_gc_set_clip_rectangle (style->bg_gc[GTK_STATE_NORMAL], NULL);
     }
-  } else if (!strncmp ("cell_even", detail, strlen ("cell_even")) ||
-	     !strncmp ("cell_odd", detail, strlen ("cell_odd"))) {
+  } else if (DETAILN ("cell_even") || DETAILN ("cell_odd")) {
     if (state_type == GTK_STATE_SELECTED) {
       if (GTK_WIDGET_HAS_FOCUS (widget)) {
 	gdk_draw_rectangle (window, style->bg_gc[state_type], TRUE,
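Review bot: with DETAILN in the else-if condition, a NULL detail now skips the cell_even/cell_odd branch and falls through to whatever follows in draw_flat_box(), which this hunk does not show. Please confirm that the remaining branch handles a NULL detail sensibly, and that no other strcmp()/strncmp() call in cleanice-draw.c still takes detail unguarded. For a non-NULL detail the condition keeps the original prefix comparison, so the behaviour change is limited to the NULL case.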
