[Scummvm-tracker] [ScummVM :: Bugs] #14584: GUI: EditableWidget: Out-of-bounds read and failed assertion after using backspace/delete

ScummVM :: Bugs trac at scummvm.org
Tue Aug 22 04:25:31 UTC 2023 

#14584: GUI: EditableWidget: Out-of-bounds read and failed assertion after using
backspace/delete
-------------------------+--------------------
Reporter:  PushmePullyu  |      Owner:  (none)
    Type:  defect        |     Status:  new
Priority:  normal        |  Component:  GUI
 Version:                |   Keywords:
    Game:                |
-------------------------+--------------------
 Tested with !a2dc896ba6f29ecabc4b3795732522113b1623bf on Linux x86_64.

 After deleting a character in an EditableWidget using either the backspace
 or delete key the now invalid selection is not cleared.
 This results in out-of-bounds reads in EditTextWidget::drawWidget(), where
 _selCaretPos and _selOffset are used as offsets, and in a failed assertion
 when calling EditableWidget::defaultKeyDownHandler():

 {{{
 gui/widgets/editable.cpp:566: bool GUI::EditableWidget::setCaretPos(int):
 Assertion `newPos >= 0 && newPos <= (int)_editString.size()' failed.
 }}}


 To reproduce for the backspace key:
 1. In the ScummVM main menu, select a game and choose "Game Options..."
 2. Click on the ID field to edit it and move the caret after the end of
 the text either by clicking or by using the cursor keys
 3. Hold shift and press cursor right to set _selCaretPos
 4. Press backspace one or more times; the ID field should now contain some
 random characters from the OOB read
 5. Press the 'a' key to trigger a failed assertion

 To reproduce for the delete key:
 1. In the ScummVM main menu, select a game and choose "Game Options..."
 2. Click on the ID field to edit it and move the caret after the end of
 the text either by clicking or by using the cursor keys
 3. Hold shift and press cursor left a few times to create a selection
 4. Press delete one or more times; the ID field should now contain some
 random characters from the OOB read
 5. Press the 'a' key to trigger a failed assertion
-- 
Ticket URL: <https://bugs.scummvm.org/ticket/14584>
ScummVM :: Bugs <https://bugs.scummvm.org>
ScummVM

More information about the Scummvm-tracker mailing list