Tk Source Code

Ticket Change Details
Bounty program for improvements to Tcl and certain Tcl packages.

Artifact ID: cc5ceef6064ac3d56e694cecf2d221ad5935afa2ef898054bc26c2729b6dd12f
Ticket: 40e4bf61988580b8ffaecd1d57a7087ba76b54d4
Entry: double free when textvariable set in validatecommand script
User & Date: chrstphrchvz 2020-05-22 12:12:47

  1. Change assignee to "nobody"
  2. Change closer to "nobody"
  3. Change cmimetype to "text/x-fossil-wiki"
  4. Change comment to:

    Here is a double free bug that someone originally reported for Perl/Tk (, but which I replicated in Tcl/Tk using both the original Perl/Tk example through Tcl::pTk, as well as a nearly equivalent Tcl syntax example:

    package require Tk

    set en_text {Type 'A' here} pack [entry .e \ -textvariable en_text \ -validate key \ -validatecommand { if {"%S" eq {A}} { set en_text %P .e configure -validate key } return 1 } ]

    Pressing 'A' causes the double free in this example. When the key is pressed, InsertChars() stores the existing entryPtr->string in the variable string. It then does the EntryValidate()EntryValidateChange() to evaluate the validatecommand script. When the textvariable is set in the script, this invokes EntryTextVarProc()EntrySetValue() which frees the existing entryPtr->string. After validation finishes, EntrySet() then tries to free the already-freed address in string.

    It's not obvious to me what should be done about this issue. Should this at least not lead to a crash/corruption, or is it believed that the documentation already firmly warned against mixing -textvariable and -validatecommand such that this issue is expected behavior? At a minimum, it preferably crashes rather than silently corrupts—i.e. panic if string != entryPtr->string just before ckfree((char *)string).

    I am not aware of this issue affecting Ttk entry widgets.

  5. Change foundin to "8.6.10"
  6. Change is_private to "0"
  7. Change login to "chrstphrchvz"
  8. Change priority to "5 Medium"
  9. Change resolution to "None"
  10. Change severity to "Important"
  11. Change status to "Open"
  12. Change submitter to "chrstphrchvz"
  13. Change subsystem to "07. [entry]"
  14. Change title to:

    Entry: double free when textvariable set in validatecommand script

  15. Change type to "Bug"