Bug 136840

Summary: gtk_text_view_backspace() dereferences NULL and dies a horrible flaming death
Product: [Fedora] Fedora Reporter: Dan Williams <dcbw>
Component: gtk2Assignee: Owen Taylor <otaylor>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: mclasen, twaugh, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-10-23 03:20:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 131589    

Description Dan Williams 2004-10-22 16:41:30 UTC 
gtktextview.c/gtk_text_view_backspace() around line 5167:

      attrs = _gtk_text_buffer_get_line_log_attrs (get_buffer
(text_view), &insert, NULL);
      offset = gtk_text_iter_get_line_offset (&insert);
      backspace_deletes_character =
attrs[offset].backspace_deletes_character;

Ok, so if attrs == NULL, then attempting to do attrs[offset] will of
course segfault.

So, we look at _gtk_text_buffer_get_line_log_attrs():
  gint line;
  GtkTextLogAttrCache *cache;
  gint i;
    
  g_return_val_if_fail (GTK_IS_TEXT_BUFFER (buffer), NULL);
  g_return_val_if_fail (anywhere_in_line != NULL, NULL);
    
  /* special-case for empty last line in buffer */
  if (gtk_text_iter_is_end (anywhere_in_line) &&
      gtk_text_iter_get_line_offset (anywhere_in_line) == 0)
    {
      if (char_len)
        *char_len = 0;
      return NULL;
    }
    
Hmm, NULL seems to be a valid return value for this function, which
would cause gtk_text_view_backspace() to get an attrs==NULL.

Test was:
1) run gedit
2) hit Enter
3) Hit backspace
Comment 1 Dan Williams 2004-10-22 17:10:22 UTC 
*** Bug 136743 has been marked as a duplicate of this bug. ***
Comment 2 Dan Williams 2004-10-22 19:12:45 UTC 
Appears fixed with 2.4.13-3 in fc3-HEAD
Comment 3 Warren Togami 2004-10-23 03:20:22 UTC 
Indeed it seems good here too, and it was pushed to dist-fc3.  Closing.
Comment 4 Dan Williams 2004-10-26 21:14:52 UTC 
*** Bug 137238 has been marked as a duplicate of this bug. ***