Crash in thunar_dialogs_show_job_error when copying deleted file from search window

Steps to reproduce

  1. Prepare a dummy folder:
       mkdir job-error
       touch job-error/deleteme
  2. Run thunar job-error
  3. File > New Window
  4. In the second window, Ctrl + f
  5. Search for del in the second window
  6. In the first window, delete the deleteme file
  7. In the second window, copy the deleteme file from the search results
  8. Paste in the first window to trigger a crash

Debug info

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50b00011bb90 at pc 0x555555b3979a bp 0x7fffffffd150 sp 0x7fffffffd148
READ of size 1 at 0x50b00011bb90 thread T0
    #0 0x555555b39799 in thunar_dialogs_show_job_error /home/s/code/thunar/thunar/thunar-dialogs.c:1075:11
    #1 0x555555c87068 in thunar_progress_view_error /home/s/code/thunar/thunar/thunar-progress-view.c:529:3
    #2 0x7ffff7a426bf in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x146bf)
    #3 0x7ffff7a70a35  (/usr/lib/libgobject-2.0.so.0+0x42a35)
    #4 0x7ffff7a61a41  (/usr/lib/libgobject-2.0.so.0+0x33a41)
    #5 0x7ffff7a61c76 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x33c76)
    #6 0x7ffff7a61d33 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x33d33)
    #7 0x7ffff7f47d4d in exo_job_error /home/s/code/exo/exo/exo-job.c:418:3
    #8 0x7ffff7f47d4d in exo_job_async_ready /home/s/code/exo/exo/exo-job.c:267:9
    #9 0x7ffff7f47d4d in exo_job_async_ready /home/s/code/exo/exo/exo-job.c:255:1
    #10 0x7ffff6f34f68  (/usr/lib/libglib-2.0.so.0+0x59f68)
    #11 0x7ffff6f933a6  (/usr/lib/libglib-2.0.so.0+0xb83a6)
    #12 0x7ffff6f33161 in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x58161)
    #13 0x7ffff7106b65 in g_application_run (/usr/lib/libgio-2.0.so.0+0xdfb65)
    #14 0x555555a637fb in main /home/s/code/thunar/thunar/main.c:86:3
    #15 0x7ffff6d1eccf  (/usr/lib/libc.so.6+0x25ccf)
    #16 0x7ffff6d1ed89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89)
    #17 0x5555558edd44 in _start (/usr/local/bin/thunar+0x399d44)
#9  0x0000555555b3979a in thunar_dialogs_show_job_error (parent=0x5170002968e0 [ThunarProgressDialog], error=0x5020004af830) at thunar-dialogs.c:1075
1075	      if (separator[strlen (separator - 1)] != '.')

(gdb) p separator
$1 = (const gchar *) 0x50b00011bb76 "No such file or directory"

(gdb) p (size_t)strlen(separator)
$2 = 25

(gdb) p (size_t)strlen(separator - 1)
$3 = 26

Version: 75c803af
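
The gdb values above line up with the ASan report: `strlen (separator - 1)` is 26, and 0x50b00011bb76 + 26 is the faulting address 0x50b00011bb90, one byte past the string's NUL terminator. The following is an added example, not Thunar's code and not part of the original report, which reproduces that index arithmetic without performing the out-of-bounds read and shows a bounds-safe last-character check. The message prefix and all helper names are assumptions, and the intent of line 1075 (test whether the text ends in a period) is inferred from the expression.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the tail matches the string printed by gdb; the
 * "Failed to copy: " prefix is an assumption made for illustration. */
static const char sample_msg[] = "Failed to copy: No such file or directory";

/* Hypothetical helper: text after the first ": ", or the whole message. */
static const char *message_tail (const char *msg)
{
  const char *sep = strstr (msg, ": ");
  return sep != NULL ? sep + 2 : msg;
}

/* Index produced by the expression at thunar-dialogs.c:1075.
 * Precondition: tail must not point at the first byte of its buffer. */
static size_t index_as_written (const char *tail)
{
  return strlen (tail - 1);
}

/* True when idx addresses a byte of the string, terminator included. */
static bool index_in_bounds (const char *tail, size_t idx)
{
  return idx <= strlen (tail);
}

/* Bounds-safe last-character check. The len > 0 guard matters: for an
 * empty string, strlen (tail) - 1 would wrap around to SIZE_MAX. */
static bool ends_with_period (const char *tail)
{
  size_t len = strlen (tail);
  return len > 0 && tail[len - 1] == '.';
}

int main (void)
{
  const char *tail = message_tail (sample_msg);
  size_t idx = index_as_written (tail);
  printf ("strlen=%zu index_as_written=%zu in_bounds=%d\n",
          strlen (tail), idx, index_in_bounds (tail, idx));
  printf ("ends_with_period=%d\n", ends_with_period (tail));
  return 0;
}
```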