tkinter.Tk segfault with invalid className #126219

Open
devdanzin opened this issue Oct 31, 2024 · 5 comments
Labels: 3.12 (bugs and security fixes), 3.13 (bugs and security fixes), 3.14 (new features, bugs and security fixes), extension-modules (C modules in the Modules dir), topic-tkinter, type-crash (a hard crash of the interpreter, possibly with a core dump)

Comments


devdanzin commented Oct 31, 2024

Crash report

What happened?

It's possible to crash Python by passing an invalid className to _tkinter.create, for example:

import _tkinter
_tkinter.create(None, '', '\U0010FFFF', None)

Or, using tkinter.Tk (repro thanks to @graingert and @JelleZijlstra):

% ./python.exe 
Python 3.14.0a0 experimental free-threading build (heads/gh-125331:c315120a535, Oct 30 2024, 11:22:31) [Clang 15.0.0 (clang-1500.3.9.4)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import tkinter
... tkinter.Tk(screenName=None, baseName='', className='\U0010FFFF')
... 
zsh: segmentation fault  ./python.exe

Backtrace looks like:

#0  0x00007ffff77bab5b in Tcl_UtfToUniChar () from /lib/x86_64-linux-gnu/libtcl8.6.so
#1  0x00007ffff77bc993 in ?? () from /lib/x86_64-linux-gnu/libtcl8.6.so
#2  0x00007ffff77bb795 in Tcl_UtfToTitle () from /lib/x86_64-linux-gnu/libtcl8.6.so
#3  0x00007ffff78b5083 in ?? () from /lib/x86_64-linux-gnu/libtk8.6.so
#4  0x00007ffff79dcf9d in Tcl_AppInit (interp=0x555555e14860) at ./Modules/tkappinit.c:40
#5  0x00007ffff79d92b4 in Tkapp_New (screenName=screenName@entry=0x0,
    className=className@entry=0x7ffff7c2c1c0 "\364\217\277\277", interactive=interactive@entry=0,
    wantobjects=wantobjects@entry=0, wantTk=wantTk@entry=1, sync=sync@entry=0, use=0x0)
    at ./Modules/_tkinter.c:730
#6  0x00007ffff79d953f in _tkinter_create_impl (module=module@entry=<module at remote 0x7ffff7ab9eb0>,
    screenName=screenName@entry=0x0, baseName=baseName@entry=0x555555c77ef0 <_PyRuntime+51344> "",
    className=className@entry=0x7ffff7c2c1c0 "\364\217\277\277", interactive=interactive@entry=0,
    wantobjects=wantobjects@entry=0, wantTk=1, sync=0, use=0x0) at ./Modules/_tkinter.c:3176
#7  0x00007ffff79d99c6 in _tkinter_create (module=<module at remote 0x7ffff7ab9eb0>, args=0x7ffff7fb0080,
    nargs=<optimized out>) at ./Modules/clinic/_tkinter.c.h:820
#8  0x00005555556f18b0 in cfunction_vectorcall_FASTCALL (
    func=<built-in method create of module object at remote 0x7ffff7ab9eb0>, args=0x7ffff7fb0080,
    nargsf=<optimized out>, kwnames=<optimized out>) at Objects/methodobject.c:436
#9  0x000055555567ba55 in _PyObject_VectorcallTstate (tstate=0x555555cbbc70 <_PyRuntime+329232>,
    callable=<built-in method create of module object at remote 0x7ffff7ab9eb0>, args=0x7ffff7fb0080,
    nargsf=9223372036854775812, kwnames=0x0) at ./Include/internal/pycore_call.h:167

Found using fusil by @vstinner.

CPython versions tested on:

3.12, 3.14, CPython main branch

Operating systems tested on:

Linux, macOS, Windows

Output from running 'python -VV' on the command line:

Python 3.14.0a1+ (heads/main:d467d9246c, Oct 30 2024, 22:52:43) [GCC 11.4.0]

devdanzin added the type-crash label Oct 31, 2024
JelleZijlstra (Member):

(I think @graingert came up with the tkinter.Tk repro, I just ran it :) )

ZeroIntensity added the extension-modules and topic-tkinter labels Oct 31, 2024

terryjreedy commented Oct 31, 2024

U+10FFFF is a valid code point but (edit) in a sense not a valid character. A nice choice for fuzzing. "There are also 66 non-characters. These are defined in part in Corrigendum #9: 34 values of the form U+nFFFE and U+nFFFF (where n is a value 0x00000, 0x10000, … 0xF0000, 0x100000), and 32 values U+FDD0 - U+FDEF."

tk doc says nothing directly about what is a class name but hints that it should be displayable. "Specifies a class for the window. ... Some window managers display the class name for windows in their dock ... ."
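The comment above lists the 66 Unicode noncharacters; the crashing input U+10FFFF is one of them, and it is also outside the Basic Multilingual Plane (the className bytes in frame #5 of the backtrace, \364\217\277\277, are simply its UTF-8 encoding F4 8F BF BF). Until Tcl/Tk handles such input safely, an application can refuse it before it reaches _tkinter. The following is an added example, not code from CPython, Tcl or Tk: the function names (class_name_problem, check_tk_class_name, safe_tk) and the exact set of rejected code points are this example's own choices, and the sample inputs at the bottom are constructed.

```python
"""Validate a Tk window class name before it reaches Tcl/Tk.

Added example, not CPython, Tcl or Tk code. It rejects the 66 Unicode
noncharacters, lone surrogates and NUL, and by default any code point above
the BMP, because the backtrace in this issue dies inside Tcl 8.6's
Tcl_UtfToUniChar() on the non-BMP input U+10FFFF.
"""
import unicodedata
from typing import Optional

# The 66 Unicode noncharacters: U+FDD0..U+FDEF, plus U+nFFFE and U+nFFFF for
# each of the 17 planes n = 0x00 .. 0x10 (so U+10FFFF, the crash value, is one).
NONCHARACTERS = frozenset(range(0xFDD0, 0xFDF0)) | frozenset(
    plane * 0x10000 + low for plane in range(0x11) for low in (0xFFFE, 0xFFFF)
)


def is_noncharacter(cp: int) -> bool:
    return cp in NONCHARACTERS


def class_name_problem(name: str, *, allow_non_bmp: bool = False) -> Optional[str]:
    """Return None if `name` looks safe to hand to Tk, else a short reason.

    Checks, in order: embedded NUL (Tcl receives a C string), lone surrogates
    (not encodable as UTF-8), Unicode noncharacters, code points above the BMP
    (Tcl before 9.0 handles these poorly; opt in with allow_non_bmp=True), and
    finally control or unassigned code points, which no window manager could
    display as a class name anyway.
    """
    if not isinstance(name, str):
        return f"expected str, got {type(name).__name__}"
    for index, ch in enumerate(name):
        cp = ord(ch)
        if cp == 0:
            return f"NUL at index {index}"
        if 0xD800 <= cp <= 0xDFFF:
            return f"lone surrogate U+{cp:04X} at index {index}"
        if is_noncharacter(cp):
            return f"noncharacter U+{cp:04X} at index {index}"
        if cp > 0xFFFF and not allow_non_bmp:
            return f"non-BMP code point U+{cp:04X} at index {index}"
        category = unicodedata.category(ch)
        if category in ("Cc", "Cn"):
            return f"undisplayable code point U+{cp:04X} ({category}) at index {index}"
    return None


def check_tk_class_name(name: str, *, allow_non_bmp: bool = False) -> str:
    """Return `name` unchanged, or raise ValueError naming the first problem."""
    problem = class_name_problem(name, allow_non_bmp=allow_non_bmp)
    if problem is not None:
        raise ValueError(f"unsafe Tk className: {problem}")
    return name


def safe_tk(screenName=None, baseName=None, className="Tk", **kwargs):
    """Drop-in for tkinter.Tk(...) that validates className before Tcl sees it.

    tkinter is imported lazily so this module loads without a display;
    a display is assumed to exist only when safe_tk() itself is called.
    """
    check_tk_class_name(className)
    import tkinter
    return tkinter.Tk(screenName=screenName, baseName=baseName,
                      className=className, **kwargs)


if __name__ == "__main__":
    # Constructed inputs: the crashing value from the report and a few variants.
    for sample in ("Tk", "\U0010FFFF", "\ufdd0", "\U0001F600", "\ud800", "a\x00b"):
        print(repr(sample), "->", class_name_problem(sample))
```

The check is deliberately stricter than what Tk documents: rejecting every non-BMP code point by default is a conservative reaction to serhiy-storchaka's observation below that Tcl before 9.0 does not handle them well, and an application that knows it runs against Tcl 9 can pass allow_non_bmp=True.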

picnixz added the 3.12, 3.13 and 3.14 labels Nov 16, 2024

picnixz commented Nov 16, 2024

cc @serhiy-storchaka

serhiy-storchaka (Member):

I suspect that this is a Tk or Tcl bug. I do not see anything wrong on our side. Tcl before 9.0 does not support non-BMP characters well, Tcl_UtfToUniChar() does not work, and somewhere they forget to check for error. This may be improved with Tcl 9.

serhiy-storchaka (Member):

On the other hand, it is not so easy to reproduce this with pure Tcl -- subprocess.call(['\U0010FFFF'], executable='tclsh') does not crash. There should be something else to trigger a crash.


No branches or pull requests

6 participants