Evas Textblock Invalid Read (Reported by valgrind)

[coolbrian]

When elm_label_label_set() a short string (1-char + null), this seems to happen.

Valgrind report:

==6260== Invalid read of size 1
==6260==    at 0x40C8A53: evas_common_font_utf8_get_next (evas_font_main.c:140)
==6260==    by 0x40922AF: _layout_text_append (evas_object_textblock.c:1988)
==6260==    by 0x4092865: _layout (evas_object_textblock.c:2223)
==6260==    by 0x4092E78: _relayout (evas_object_textblock.c:2300)
==6260==    by 0x4092FB1: evas_object_textblock_style_insets_get (evas_object_textblock.c:5104)
==6260==    by 0x47FDE28: _edje_part_recalc_single (edje_calc.c:669)
==6260==    by 0x47FF047: _edje_part_recalc (edje_calc.c:1721)
==6260==    by 0x4801257: _edje_recalc_do (edje_calc.c:224)
==6260==    by 0x48259DF: edje_object_size_min_restricted_calc (edje_util.c:2362)
==6260==    by 0x4825C4A: edje_object_size_min_calc (edje_util.c:2311)
==6260==    by 0x419AA02: _sizing_eval (elm_label.c:54)
==6260==    by 0x419AC1B: elm_label_label_set (elm_label.c:112)
==6260==  Address 0x4eb14df is 1 bytes before a block of size 32 alloc'd
==6260==    at 0x4024C1C: malloc (vg_replace_malloc.c:195)
==6260==    by 0x4024CA6: realloc (vg_replace_malloc.c:476)
==6260==    by 0x4094A1A: _strbuf_append_int (evas_object_textblock.c:283)
==6260==    by 0x409707A: evas_textblock_cursor_text_append (evas_object_textblock.c:335)
==6260==    by 0x40972BB: _append_text_run (evas_object_textblock.c:810)
==6260==    by 0x409782D: evas_object_textblock_text_markup_set (evas_object_textblock.c:2917)
==6260==    by 0x47FE52A: _edje_part_recalc_single (edje_calc.c:655)
==6260==    by 0x47FF047: _edje_part_recalc (edje_calc.c:1721)
==6260==    by 0x4801257: _edje_recalc_do (edje_calc.c:224)
==6260==    by 0x48259DF: edje_object_size_min_restricted_calc (edje_util.c:2362)
==6260==    by 0x4825C4A: edje_object_size_min_calc (edje_util.c:2311)
==6260==    by 0x419AA02: _sizing_eval (elm_label.c:54)

Test code:

#include <Elementary.h>

EAPI int
elm_main(int argc, char **argv)
{
   Evas_Object *win, *bg, *bx, *lb;

   /* new window - do the usual and give it a name, title and delete handler */
   win = elm_win_add(NULL, "label", ELM_WIN_BASIC);
   elm_win_title_set(win, "Label bug test");
   elm_win_autodel_set(win, 1);

   /* add a standard bg */
   bg = elm_bg_add(win);
   /* not not allow bg to expand. let's limit dialog size to contents */
   evas_object_size_hint_weight_set(bg, 0.0, 0.0);
   elm_win_resize_object_add(win, bg);
   evas_object_show(bg);

   /* add a box object - default is vertical. a box holds children in a row,
    * either horizontally or vertically. nothing more. */
   bx = elm_box_add(win);
   /* not not allow box to expand. let's limit dialog size to contents */
   evas_object_size_hint_weight_set(bx, 0.0, 0.0);
   elm_win_resize_object_add(win, bx);
   evas_object_show(bx);

   lb = elm_label_add(win);
   elm_label_label_set(lb, "3");
   elm_box_pack_end(bx, lb);
   evas_object_show(lb);

   /* show the window */
   evas_object_show(win);

   /* get going and draw/respond to the user */
   elm_run();
   /* standard shutdown */
   elm_shutdown();
   /* return/exit code of app signals ok/cancel (0 == ok), (-1 == cancel) */
   return 0;
}
ELM_MAIN()

[cedric]

This bug is linked with fribidi use and show up easily by just using evas textblock object. I didn't have time to track it down more than that.

[coolbrian]

What if we check if the given index is out of bounds at the start of evas_common_font_utf8_get_next()?

**index == -1 when valgrind reports the invalid access.

Index: src/lib/engines/common/evas_font_main.c
===================================================================
--- src/lib/engines/common/evas_font_main.c	(revision 43601)
+++ src/lib/engines/common/evas_font_main.c	(working copy)
@@ -137,7 +137,7 @@
    unsigned char d, d2, d3, d4;
 
    /* if this char is the null terminator, exit */
-   if (!buf[index])
+   if ((index < 0) || !buf[index])
      return 0;
      
    d = buf[index++];

[cedric]

This bug is gone in recent evas. Don't know if it's the move to eina_strbuf or my patch to remove another issue with the use of evas_common_font_utf8_get_next in the textblock.