Faculty of Information Technology
Software Engineering Group

Opened 5 years ago

Closed 5 years ago

#197 closed defect (fixed)

How to crash hard StX using a code paste

Reported by: Patrik Svestka
Owned by:
Priority: major
Milestone: 8.0.0
Component: default
Keywords:
Cc:
Also affects CVS HEAD (eXept version): no


How to crash StX hard:

1) Smalltalk loadPackage: 'stx:libview/tests'. (do it in a workspace)
2) start SystemBrowser
3) view Package
4) click on tests
5) click on ImageTests
6) click tests - regressions
7) select the whole text (Ctrl+A)
8) paste the test:

    | testString topView textView image allColors |
    testString := Unicode16String new.
    testString := 'コーヒーアイスクリームケーキビールすしかき'.

    [
        topView := StandardSystemView new.
        topView extent:300@200.

        textView := EditTextView new.
        textView origin:0.0 @ 0.0 corner:1.0 @ 1.0.
        topView addSubView:textView.
        "/ courier sizes 8, 12, 24, 48, 96, 288
        textView font:(Font family:'courier' size:12).

        1 to: 1000 do: [ :each | textView paste:testString ].
        textView unselect.
        topView open.

        "/ wait for the topView to appear
        Delay waitForSeconds:1.

        image := Image fromView: topView grab: false.

        "/ x starts from 20 to avoid cursor (its color)
        allColors := Set new.
        1 to: 20 do: [:y |
            20 to: 40 do: [:x | allColors add: (image colorAtX:x y:y)]].
    ] ensure:[
        topView close.
    ].

    self assert: (allColors size > 1)

    "Created: / 22-03-2018 / 14:07:31 / svestkap"

9) Right-click on the workspace while the text is still selected
10) Smalltalk/X crashes hard

Attachments (1)

Change History (7)

comment:1 Changed 5 years ago by Jan Vrany

I can reproduce it. It looks like you've earned your tea.

The crash (segmentation violation) looks like it happens in Win32OperatingSystem >> #primGetFileAttributes:. Sigh.

comment:2 Changed 5 years ago by Patrik Svestka

Summary: changed from "How to crash hard StX" to "How to crash hard StX using a code paste"

comment:3 Changed 5 years ago by Jan Vrany

This is going to be many-fold. The minimal testcase (so far) is:

smalltalk -I --quick -P "OperatingSystem primGetFileAttributes: (String streamContents:[:s|s next:2000 put: $x]) asUnicode16String"

So it seems that a really long Unicode16String passed to primGetFileAttributes: causes the crash.

Why opening a context menu ends up in primGetFileAttributes: is another story.

comment:4 Changed 5 years ago by Jan Vrany

Status: changed from new to testing

Could you please try the attached patch and let me know if it helps?

Even if it does, please DO NOT close the ticket. There's more to be investigated!

comment:5 Changed 5 years ago by Patrik Svestka

Hi Jan, the patch is working for the issue reported. I'm leaving the issue open as you wished.

comment:6 Changed 5 years ago by Jan Vrany

Resolution: fixed
Status: changed from testing to closed

Fixed in:

The crash was caused by a buffer overflow in _makeWchar() in Win32OperatingSystem when the passed string argument was a Unicode16String. It (wrongly) used the passed buffer size as the size of the buffer in characters, while the caller passed it as a size in bytes (a result of sizeof()).

This naturally caused a buffer overflow when the size of the (unicode) string was greater than (MAXPATHLEN / 2), in turn causing the segmentation violation.
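The bytes-versus-characters mix-up described in comment 6, as an added C example that is not Smalltalk/X code (the real _makeWchar() is not reproduced, and the 512-character buffer standing in for MAXPATHLEN is an assumed value): buggy_would_overflow models the wrong contract without performing the overflowing write, and make_wchar_fixed shows the contract the fix needs, with a size parameter that is explicitly in bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed value: a 512-wide-char path buffer, so sizeof(buf) == 1024 bytes.
 * The real MAXPATHLEN used by Smalltalk/X is not given on the page. */
#define PATH_BUF_CHARS 512
#define PATH_BUF_BYTES (PATH_BUF_CHARS * sizeof(uint16_t))

/* Buggy contract (comment 6): bufSize is interpreted as a count of 16-bit
 * characters, but callers pass sizeof(buf), which is a count of bytes.
 * The overflowing write is not performed here; we only compute how many
 * bytes the copy plus terminator would write into the buffer. */
static size_t buggy_bytes_written(size_t srcLen, size_t bufSizeFromCaller) {
    size_t copied = srcLen < bufSizeFromCaller ? srcLen : bufSizeFromCaller;
    return (copied + 1) * sizeof(uint16_t);   /* characters + NUL, in bytes */
}

/* True when the byte/char confusion makes the write exceed the real buffer;
 * this flips at srcLen > PATH_BUF_CHARS - 1, i.e. roughly MAXPATHLEN / 2. */
int buggy_would_overflow(size_t srcLen) {
    return buggy_bytes_written(srcLen, PATH_BUF_BYTES) > PATH_BUF_BYTES;
}

/* Hardened version: the size parameter is explicitly in bytes and is
 * converted to a character capacity before any bounds decision. */
int make_wchar_fixed(uint16_t *dst, size_t dstBytes,
                     const uint16_t *src, size_t srcLen) {
    size_t capacity = dstBytes / sizeof(uint16_t);
    if (capacity == 0 || srcLen >= capacity)   /* need room for srcLen + NUL */
        return -1;
    memcpy(dst, src, srcLen * sizeof(uint16_t));
    dst[srcLen] = 0;
    return 0;
}

/* Drives make_wchar_fixed with a constructed string of srcLen 'x' characters,
 * mirroring the 2000-character reproducer from comment 3. Returns 0 on
 * success, -1 when the string is rejected, -2 if srcLen exceeds the sample. */
int copy_constructed_path(size_t srcLen) {
    static uint16_t src[4096];
    uint16_t dst[PATH_BUF_CHARS];
    if (srcLen > sizeof src / sizeof src[0]) return -2;
    for (size_t i = 0; i < srcLen; i++) src[i] = 'x';
    return make_wchar_fixed(dst, sizeof dst, src, srcLen);
}
```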
