[kopete-bugs] [Bug 157686] Kopete crashes when presented with large roster

Detlev Casanova detlev.casanova at gmail.com
Thu Jul 24 15:02:42 CEST 2008


http://bugs.kde.org/show_bug.cgi?id=157686         
------- Additional Comments From detlev.casanova gmail com  2008-07-24 15:02 -------
(gdb) print item.data()
$10 = 0x8482188 "<iq from=\"kopete localhost/Kopete\" type=\"set\" to=\"cazou88 localhost/Kopete\" id=\"aac4a\" >\n<jingle xmlns=\"urn:xmpp:tmp:jingle\" initiator=\"cazou88 localhost/Kopete\" action=\"session-info\" sid=\"afbee\" >\n<t"...
(gdb) print item.data()+100
$11 = 0x84821ec "ns=\"urn:xmpp:tmp:jingle\" initiator=\"cazou88 localhost/Kopete\" action=\"session-info\" sid=\"afbee\" >\n<trying xmlns=\"urn:xmpp:tmp:jingle:transports:ice-udp:info\"/>\n</jingle>\n</iq>\n"
(gdb) print buf.data()
$12 = 0x84839d0 ""
(gdb) p count
$14 = 0
(gdb) p offset
$15 = 424
(gdb) p item.length()
$16 = 276
(gdb) p item.size() - offset
$18 = -148

Here's what I can get from gdb. I don't know that code at all, so I don't know what might cause any problem.
The empty buffer shows that no memory has been copied yet.
How come item.length() is 276 and offset is 424?
Kopete crashes on this line:

memcpy(buf.data() + count, item.data() + offset, item.size() - offset);

item.data() + offset is out of bounds and the size (3rd argument to memcpy) is negative (-148).
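The failure mode in the gdb dump above, as an added example that is not part of the bug report or of Kopete's code: item.size() - offset is a signed difference, and when offset has run past the end of item the negative result (-148 here) converts to an enormous size_t on its way into memcpy, which then reads from an out-of-bounds source pointer until it faults. The block below uses a constructed stanza standing in for the real 276-byte item, a scratch buffer standing in for buf.data(), and a hypothetical copy_tail() that shows the bounds check the original line is missing; how the real code reaches offset 424 is not something the page tells us, so the example only demonstrates the wrap and the guard.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the Jingle IQ stanza in the gdb dump (not the
 * real 276-byte item from the report). */
static const char SAMPLE_ITEM[] =
    "<iq type=\"set\"><jingle action=\"session-info\"/></iq>\n";

/* Scratch destination buffer playing the role of buf.data(). */
static char g_out[128];

/* The buggy pattern from the report: the length is a signed difference that
 * is handed straight to memcpy. A negative result converts to a huge size_t,
 * so memcpy would start at item+offset (already past the end of item) and
 * keep reading until it hits an unmapped page. We return the value memcpy
 * would receive rather than calling it. */
static size_t unchecked_copy_len(int item_size, int offset)
{
    return (size_t)(item_size - offset); /* 276 - 424 = -148 -> SIZE_MAX - 147 */
}

/* Hardened version (hypothetical helper, not Kopete's) of
 *   memcpy(buf.data() + count, item.data() + offset, item.size() - offset);
 * Rejects offset > item_size (the crash case) and a tail that would not fit
 * in the destination. Returns the number of bytes copied, or -1. */
static int copy_tail(size_t count, size_t offset, size_t cap)
{
    size_t item_size = strlen(SAMPLE_ITEM);
    if (cap > sizeof g_out)
        cap = sizeof g_out;

    if (offset > item_size)              /* source offset past the end */
        return -1;
    size_t n = item_size - offset;       /* cannot go negative now */
    if (count > cap || n > cap - count)  /* destination would overflow */
        return -1;

    memcpy(g_out + count, SAMPLE_ITEM + offset, n);
    return (int)n;
}

int main(void)
{
    printf("memcpy would receive %zu bytes for size 276, offset 424\n",
           unchecked_copy_len(276, 424));
    printf("copy_tail(0, 424): %d\n", copy_tail(0, 424, sizeof g_out));
    int n = copy_tail(0, strlen(SAMPLE_ITEM) - 6, sizeof g_out);
    printf("copy_tail of the last 6 bytes: %d bytes: %.*s", n, n, g_out);
    return 0;
}
```

The two checks are deliberately done on unsigned values so there is no signed subtraction left to wrap; the first rejects the state seen in gdb (offset 424 against a 276-byte item), the second catches the separate case where the destination buffer is smaller than the tail being appended.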

