Overview

| Artifact ID: | cc5ceef6064ac3d56e694cecf2d221ad5935afa2ef898054bc26c2729b6dd12f |
|---|---|
| Ticket: | 40e4bf61988580b8ffaecd1d57a7087ba76b54d4 Entry: double free when textvariable set in validatecommand script |
| User & Date: | chrstphrchvz 2020-05-22 12:12:47 |

Changes
- assignee changed to: "nobody"
- closer changed to: "nobody"
- cmimetype changed to: "text/x-fossil-wiki"
- comment changed to:
Here is a double free bug that someone originally reported for Perl/Tk ([https://rt.cpan.org/Public/Bug/Display.html?id=102648]), but which I replicated in Tcl/Tk using both the original Perl/Tk example through Tcl::pTk, as well as a nearly equivalent Tcl syntax example:

<pre>
package require Tk
set en_text {Type 'A' here}
pack [entry .e \
    -textvariable en_text \
    -validate key \
    -validatecommand {
        if {"%S" eq {A}} {
            set en_text %P
            .e configure -validate key
        }
        return 1
    }
]
</pre>

Pressing 'A' causes the double free in this example. When the key is pressed, <code>InsertChars()</code> stores the existing <code>entryPtr->string</code> in the variable <code>string</code>. It then does the <code>EntryValidate()</code> → <code>EntryValidateChange()</code> to evaluate the validatecommand script. When the textvariable is set in the script, this invokes <code>EntryTextVarProc()</code> → <code>EntrySetValue()</code> which frees the existing <code>entryPtr->string</code>. After validation finishes, <code>EntrySet()</code> then tries to free the already-freed address in <code>string</code>.

It's not obvious to me what should be done about this issue. Should this at least not lead to a crash/corruption, or is it believed that the documentation already firmly warned against mixing <code>-textvariable</code> and <code>-validatecommand</code> such that this issue is expected behavior? At a minimum, it preferably crashes rather than silently corrupts—i.e. panic if <code>string != entryPtr->string</code> just before <code>ckfree((char *)string)</code>.

I am not aware of this issue affecting Ttk entry widgets.
- foundin changed to: "8.6.10"
- is_private changed to: "0"
- login: "chrstphrchvz"
- priority changed to: "5 Medium"
- resolution changed to: "None"
- severity changed to: "Important"
- status changed to: "Open"
- submitter changed to: "chrstphrchvz"
- subsystem changed to: "07. [entry]"
- title changed to:
Entry: double free when textvariable set in validatecommand script
- type changed to: "Bug"
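
The comment above describes a buffer pointer that is saved before a validation callback runs and freed afterwards, even though the callback has already replaced and freed that buffer. The C model below is an added example, not Tk source and not part of the ticket: `Entry`, `entry_set_value`, `entry_insert` and the two callbacks are hypothetical names. It detects the re-entrant replacement with a change counter, used here in place of the pointer comparison suggested in the comment because an allocator can return a just-freed address for the replacement buffer.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of an entry widget; this is not Tk's Entry struct. */
typedef struct Entry {
    char *string;         /* heap-owned current text */
    unsigned generation;  /* bumped every time string is replaced */
} Entry;
typedef int (*ValidateProc)(Entry *e, const char *proposed);
enum { INSERT_OK, INSERT_REJECTED, INSERT_REENTERED };

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p == NULL) abort();
    return strcpy(p, s);
}

/* Models the textvariable trace path: frees and replaces the buffer. */
void entry_set_value(Entry *e, const char *value) {
    char *fresh = dup_str(value);  /* copy first, value may alias e->string */
    free(e->string);
    e->string = fresh;
    e->generation++;
}

/* Models the key-insert path, with the re-entrancy check added. */
int entry_insert(Entry *e, size_t index, const char *text, ValidateProc validate) {
    size_t oldLen = strlen(e->string), addLen = strlen(text);
    if (index > oldLen) index = oldLen;
    char *newStr = malloc(oldLen + addLen + 1);
    if (newStr == NULL) abort();
    memcpy(newStr, e->string, index);
    memcpy(newStr + index, text, addLen);
    memcpy(newStr + index + addLen, e->string + index, oldLen - index + 1);

    unsigned before = e->generation;
    int accepted = validate(e, newStr);  /* callback may call entry_set_value() */
    if (e->generation != before) {       /* old buffer is already freed: stop */
        free(newStr);
        return INSERT_REENTERED;
    }
    if (!accepted) { free(newStr); return INSERT_REJECTED; }
    free(e->string);                     /* unchanged since validation began */
    e->string = newStr;
    e->generation++;
    return INSERT_OK;
}

/* Constructed callbacks: the first mirrors the ticket's script, the second is benign. */
int validate_sets_var(Entry *e, const char *proposed) { entry_set_value(e, proposed); return 1; }
int validate_plain(Entry *e, const char *proposed) { (void)e; (void)proposed; return 1; }
```

In the re-entered case the model keeps whatever value the callback stored and discards the pending insert; a caller could equally treat `INSERT_REENTERED` as a fatal condition, as the comment proposes.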