Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

InputTextMultiline copy paste buffer overflow bug #4038

Closed
LPVOIDDev opened this issue Apr 12, 2021 · 3 comments
Closed

InputTextMultiline copy paste buffer overflow bug #4038

LPVOIDDev opened this issue Apr 12, 2021 · 3 comments
Labels
bug inputtext

Comments

@LPVOIDDev
Copy link

Version/Branch of Dear ImGui:

Version: Dear ImGui 1.83 WIP (18203)
Branch: master

Back-end/Renderer/Compiler/OS

Back-ends: imgui_impl_win32.cpp + imgui_impl_dx10.cpp
Compiler: Visual Studio 2015 (v140)
Operating System: Windows 10 (1809)

My Issue/Question:

The whole program hangs when copy-pasting a text in a InputTextMultiline with buffer size 1024

Steps to reproduce:

  1. In the imgui_demo.cpp edit the line static char text[1024 * 16] = to static char text[1024 * 1] =
  2. Start demo and go to Demo > Widgets > Text Input > Multi-line Text Input
  3. Put mouse cursor inside InputTextMultiline
  4. Ctrl+A
  5. Ctrl+C
  6. Ctrl+V (x5)
  7. Ctrl+A
  8. Ctrl+V
  9. *Program hangs*

image

Some insight:
Unfortunately, I was not able to debug the issue directly from VS2015 because the debugger doesn't work on this version of VS.
But I've gone through manually debugging with CE
I found out that it never goes out of this loop because state->undo_char_point + numchars is always 1050 whereas STB_TEXTEDIT_UNDOCHARCOUNT is set to 999

image

ECX value never changes and is stuck with value 1050 (0x41a)

image
@LPVOIDDev LPVOIDDev mentioned this issue Apr 12, 2021
Closed
@PathogenDavid
Copy link
Contributor

Thanks for the repro, @LPVOIDDev! I can reproduce this now.

It looks like that loop is expecting stb_textedit_discard_undo to clean up undo_char_point, which it will:

imgui/imstb_textedit.h

Line 1134 in d6a5cc7

state->undo_char_point -= n;

But it isn't doing that because undo_point is 0. I suspect that undo_char_point isn't expected to be non-zero when undo_point is 0, but I'm not particularly familiar with the stb_textedit stuff.

This external issue appears to be the root cause: nothings/stb#734

I agree with Unit2Ed here. Unless I'm missing something, removing the undo point seems unnecessary because it was never even created. I removed the decrement like they mentioned and the problem goes away for me. It seems to me like a failed insert has the potential to corrupt stb_textedit's undo stack.

I'd need more time to investigate for sure though, I didn't dig into things very much.

@v71
Copy link

v71 commented May 28, 2021

If state->undo_char_point is an unsigned integer then the value is set to 255 , which eventulally will lead to a loop.

This was referenced Jul 5, 2021
Closed
Closed
Closed
ocornut added a commit that referenced this issue Jul 5, 2021
@ocornut
InputText: Fix handling of paste failure (buffer full) which in some …
d9b6066 
…cases could corrupt the undo stack. (#4038)
@ocornut
Copy link
Owner

ocornut commented Jul 5, 2021

Fixed by d9b6066 and submitting PR to nothings/stb
Thanks you!

@ocornut ocornut closed this as completed Jul 5, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug inputtext
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@PathogenDavid @v71 @ocornut @LPVOIDDev