gtk+-1.2.xxx fatal error in gtktext.c



Hi GTK developers,

I found an error in the gtktext.c module which results in an application
crash (an attempt to address a zero pointer). The problem arises only
when specific conditions are met. That's why nobody bumped into this
bug before.

The crash occurs if all these conditions are met:

1. You try to delete a text fragment
2. The deletion implies the deletion of exactly one entire TextProperty
object
3. The text cursor (text->cursor_mark) points to the end of the removed property

In the course of text deletion the cursor mark moves to the very
beginning of the property to be removed. So, after the deletion
completes, the cursor mark property field points to a non-existent
property (a property outside the text property list). The program
crashes when attempting any subsequent operation on the text.

The problem can be fixed easily. Every time any property is to be
deleted, the property list pointer should be compared with the
property list pointer in cursor_mark. If they are the same, the
cursor_mark should be refreshed using find_mark(). Moreover, the
comment in delete_text_property() says the cursor might need fixing,
but no measures are really taken even in the last gtk-1.2 releases.

Here is the patch:

bash-2.04$ diff gtktext.c /jet/wowa/build/gtk+-1.2.10/gtk/gtktext.c
3397,3398d3396
< 	  gboolean cursor_mark_destroyed;
< 
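Review bot: the variable declared here, `cursor_mark_destroyed`, does not match the name that the two following hunks assign and test (`cursor_mark_property_destroyed`), so the patched file will not compile; change the declaration to `gboolean cursor_mark_property_destroyed;`. Also, the diff was generated with the modified file as the first argument, so the `<` lines under a `d` header are actually the additions; regenerate it as `diff -u <original> <modified>` (or apply this one with `patch -R`) before it goes in.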
3401,3403d3398
< 	  cursor_mark_property_destroyed =
< 	    (tmp == MARK_LIST_PTR (&text->cursor_mark));
< 
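Review bot: the comparison `tmp == MARK_LIST_PTR (&text->cursor_mark)` must be evaluated while `tmp` is still the live list node of the property being destroyed, i.e. before that node is unlinked and freed in the lines between this hunk and the next, which the context-free diff does not show; the placement at line 3401 looks right, but a unified diff with context would let a reviewer confirm the ordering. Comparing the list pointers rather than indices is the right test here, since the mark's cached node pointer is exactly what goes stale.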
3407,3410d3401
< 
< 	  if (cursor_mark_property_destroyed)
< 	    text->cursor_mark = find_mark (text, text->cursor_mark.index);
< 
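Review bot: `find_mark (text, text->cursor_mark.index)` re-resolves the mark against the already shortened property list, which is only valid if `cursor_mark.index` has been adjusted for the removed characters by this point; the mail states the mark is moved to the start of the removed property before deletion, so the index should be in range, but a short comment saying so next to this call would help the next reader. Please also update the existing comment in delete_text_property() mentioned in the mail (the one saying the cursor might need fixing), since this hunk now does the fixing.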

Regards,

Vladimir V. Tsichevski
senior expert
-----------------------------------------------------
Any opinions or recommendations herein are those of
the author and not of his computer.
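A constructed stand-in for the bug and the fix described in the mail, added here as an example; it is not GTK's code and not part of the original post. It models a property list and a cursor mark that caches its property node, deletes one whole property with and without the patch's refresh, and reports whether the cached node is still live (the unfixed path leaves the dangling pointer the report describes).

```c
#include <stdlib.h>

/* Constructed model of GtkText's TextProperty list and cursor mark: each
 * property covers `length` characters; a mark caches the node of the
 * property it sits in plus its character index. Names are hypothetical. */
typedef struct Prop { int length; struct Prop *next; } Prop;
typedef struct { Prop *property; int index; } Mark;
typedef struct { Prop *props; Mark cursor_mark; } Text;

static Prop *push_prop(Text *t, int length) {
  Prop *p = calloc(1, sizeof *p), **link = &t->props;
  p->length = length;
  while (*link) link = &(*link)->next;
  return *link = p;
}

/* Re-resolve a mark from its character index by walking the live list
 * (plays the role of GTK's find_mark()); index == total length -> last prop. */
static Mark find_mark(Text *t, int index) {
  Mark m = { NULL, index };
  int offset = 0;
  for (Prop *p = t->props; p; p = p->next) {
    m.property = p;
    if (index < offset + p->length) break;
    offset += p->length;
  }
  return m;
}

/* Unlink and free one whole property. With apply_fix the cursor mark is
 * refreshed as the posted patch does; the flag is computed before the free. */
static void delete_text_property(Text *t, Prop *victim, int apply_fix) {
  int cursor_mark_property_destroyed = (victim == t->cursor_mark.property);
  for (Prop **link = &t->props; *link; link = &(*link)->next)
    if (*link == victim) { *link = victim->next; break; }
  free(victim);
  if (apply_fix && cursor_mark_property_destroyed)
    t->cursor_mark = find_mark(t, t->cursor_mark.index);
}

/* 1 if the cursor mark's cached node is still in the list (pointer compare only). */
static int cursor_mark_is_live(const Text *t) {
  for (const Prop *p = t->props; p; p = p->next)
    if (p == t->cursor_mark.property) return 1;
  return 0;
}

/* The report's scenario: three properties; the cursor mark sits in the second
 * one, already moved to its start (index 3) as the mail describes; delete it. */
static int run_scenario(int apply_fix) {
  Text t = { NULL, { NULL, 0 } };
  push_prop(&t, 3); Prop *second = push_prop(&t, 2); push_prop(&t, 4);
  t.cursor_mark.property = second; t.cursor_mark.index = 3;
  delete_text_property(&t, second, apply_fix);
  int live = cursor_mark_is_live(&t);
  while (t.props) delete_text_property(&t, t.props, 0); /* cleanup */
  return live;
}
```

`run_scenario(0)` returns 0 (stale node, the crash condition) and `run_scenario(1)` returns 1 (mark re-resolved onto the following property).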



