Ticket #1217 (new defect)

Opened 3 years ago

Memory overwritten passing from GHC to GTK using textBufferSetText of the module Graphics.UI.Gtk.Multiline.TextBuffer

Reported by: guest Owned by: somebody
Priority: normal Milestone:
Component: general (Gtk+, Glib) Version: 0.10.2
Keywords: textbuffer,setText,overflow,overwrite Cc: jdgallag@…


What is the problem: Gtk2hs allows passing an arbitrary string to textBufferSetText. This can cause memory to be overwritten, possibly resulting in security vulnerabilities. It is not clear whether the problem is on the Haskell or GTK side, or if the problem is the result of a mismatch between the Haskell computational model and the GTK computational model.

Here is how I found the problem: The IDE "Leksah" crashed my computer's operating system (Ubuntu 10.10) when I tried to load a large file for editing. Eclipse, Jedit, kate, etc. failed to load the file, returning the message that loading the file would cause a buffer overflow. I recreated the same defect by writing a simple text editor that just loads a file and sends that file to be displayed in a text buffer. On doing so with the large file, the system crashed. Then, to isolate the error, I changed the text editor to only load enough from the file to display; when scrolled to the bottom, more of the file was loaded into the buffer. On saving, I changed the functionality to save the file back to the disk in fixed-length chunks (strictly, though it is not clear there is any effect here). Indeed, this text editor could open, edit, and save the very large text file that crashed the computer on the first attempts, and which Jedit and Eclipse refused to open. This suggests that the problem is not in Haskell, but either in the way Haskell connects to GTK or in the way GTK accepts input to textBufferSetText. Perhaps this memory overflow can be attributed to a mismatch between the way Haskell treats lists and the way C treats strings.

Possible Solutions: Put a check on functions that send data from Haskell control to GTK control. Make sure they meet predetermined size restrictions. Alternatively, urge GTK to put checks on functions they can accept. Or urge GTK to implement "/usr/bin/less"-style string display functionality; i.e. only send to the display exactly what is needed, regardless of what is "loaded."

I am willing to help out in any way that I can. Please feel free to ask me to do whatever is needed.
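The first mitigation proposed above, a size check on data crossing from Haskell into GTK, can be implemented as a thin wrapper around textBufferSetText. The following is an added example written for this ticket; it is not code from the reporter or from the gtk2hs project. It assumes the gtk2hs API named in the ticket (Graphics.UI.Gtk.Multiline.TextBuffer with textBufferSetText taking a String), and the 16 MiB limit, the SetTextResult type and the function names are illustrative choices, not project identifiers. The byte count is computed for UTF-8, since that is the encoding GTK text buffers expect, so the check measures what is actually handed to the C side rather than the Haskell Char count.

```haskell
-- Added example: a bounded wrapper around gtk2hs textBufferSetText.
-- The limit, the result type and the function names are assumptions
-- made for this illustration; only textBufferSetText and TextBufferClass
-- come from the library named in the ticket.
module GuardedTextBuffer
  ( SetTextResult(..)
  , maxBufferBytes
  , utf8Length
  , setTextBounded
  ) where

import Graphics.UI.Gtk.Multiline.TextBuffer (TextBufferClass, textBufferSetText)

-- | Outcome of a guarded set-text call: either the text was handed to GTK,
--   or it was rejected, carrying the byte count that exceeded the limit.
data SetTextResult = TextSet | TextRejected Int
  deriving (Eq, Show)

-- | Illustrative upper bound (16 MiB) on the UTF-8 size of a single
--   textBufferSetText call. Tune to the application; the value itself is
--   an assumption, not a GTK constant.
maxBufferBytes :: Int
maxBufferBytes = 16 * 1024 * 1024

-- | Number of bytes the String will occupy once encoded as UTF-8, which is
--   what GTK receives. Counting Chars would under-report for non-ASCII text.
utf8Length :: String -> Int
utf8Length = foldr (\c acc -> charBytes (fromEnum c) + acc) 0
  where
    charBytes n
      | n < 0x80    = 1
      | n < 0x800   = 2
      | n < 0x10000 = 3
      | otherwise   = 4

-- | Hand the text to GTK only if its encoded size is within the limit.
--   A rejected call leaves the buffer untouched and reports the size, so the
--   caller can fall back to chunked or on-demand loading instead of crashing.
setTextBounded :: TextBufferClass buf => Int -> buf -> String -> IO SetTextResult
setTextBounded limit buf str
  | bytes > limit = return (TextRejected bytes)
  | otherwise     = do
      textBufferSetText buf str
      return TextSet
  where
    bytes = utf8Length str
```

Usage is `setTextBounded maxBufferBytes buffer contents` in place of a bare `textBufferSetText buffer contents`; on `TextRejected n` the editor can log `n` and switch to the incremental loading strategy the reporter describes, rather than passing the whole file through in one call. The check is pure apart from the final GTK call, so `utf8Length` can be unit-tested on its own (for example, a three-character string of `'\x20AC'` yields 9).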
