Valgrind hit in kio_data [PATCH]

David Faure faure at kde.org
Thu Feb 24 23:05:08 GMT 2005


Starting kmail and selecting a mail from Till (whose photo I have in my 
addressbook, against my will, I guess it's part of that kdepim vcard I 
was tricked into downloading) leads to an invalid read in KIO due to kio_data.

kmail: KMReaderWin  -  finished parsing and displaying of message.
kmail: DataProtocol::DataProtocol()
kmail: kio_data at 0x37ecc268::get(const KURL& url)
==450== Invalid read of size 1
==450==    at 0x3557DFD7: KIO::TransferJob::start(KIO::Slave*) (job.cpp:1089)
[common part snipped]
==450==  Address 0x37365D68 is 216 bytes inside a block of size 284 free'd
==450==    at 0x34148C47: operator delete(void*) (vg_replace_malloc.c:156)
==450==    by 0x3559783F: KIO::TransferJob::~TransferJob() (job.cpp:1164)
==450==    by 0x35579BE7: KIO::Job::emitResult() (job.cpp:218)
==450==    by 0x3557B18B: KIO::SimpleJob::slotFinished() (job.cpp:536)
==450==    by 0x3557D46B: KIO::TransferJob::slotFinished() (job.cpp:899)
==450==    by 0x3559082B: KIO::TransferJob::qt_invoke(int, QUObject*) (jobclasses.moc:1050)
==450==    by 0x360AD176: QObject::activate_signal(QConnectionList*, QUObject*) (qobject.cpp:2355)
==450==    by 0x360AD018: QObject::activate_signal(int) (qobject.cpp:2324)
==450==    by 0x3556C248: KIO::SlaveInterface::finished() (slaveinterface.moc:226)
==450==    by 0x356609ED: KIO::DataSlave::dispatch_finished() (dataslave.cpp:199)
==450==    by 0x356624CC: KIO::DataProtocol::get(KURL const&) (dataprotocol.cpp:322)
==450==    by 0x3566041C: KIO::DataSlave::send(int, QMemArray<char> const&) (dataslave.cpp:116)
==450==    by 0x356605E6: KIO::DataSlave::virtual_hook(int, void*) (dataslave.cpp:167)
==450==    by 0x35567E67: KIO::Slave::send(int, QMemArray<char> const&) (slave.cpp:290)
==450==    by 0x3557AE63: KIO::SimpleJob::start(KIO::Slave*) (job.cpp:500)
==450==    by 0x3557DFD0: KIO::TransferJob::start(KIO::Slave*) (job.cpp:1088)
[common part snipped]

Obviously the slave is emitting finished() immediately, so the next line after SimpleJob::start() 
in TransferJob::start() is reading a member var with "this" being deleted already.

No other slave emits finished() from inside start(). So I fixed kio_data to delay the
emission of finished() in all cases (not just when suspended, as the code said).

-- 
David Faure -- faure at kde.org, dfaure at klaralvdalens-datakonsult.se
Qt/KDE/KOffice developer
Klarälvdalens Datakonsult AB, Platform-independent software solutions
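As an added illustration (a constructed model written for this page, not KIO code and not the attached patch), the reentrancy bug described above reduced to its essentials: a job starts a slave, the slave reports finished() synchronously from inside that call, the finished handler deletes the job, and control then returns into Job::start() with "this" already freed. The same model with the emission pushed onto an event queue (what the fix does, standing in for the Qt event loop) lets start() run to completion before the job is deleted. All names here (Job, Slave, runScenario, g_eventQueue, g_liveJobs) are invented for the model; a registry of live addresses is used so the buggy path is reported without actually dereferencing freed memory.

```cpp
#include <cstdio>
#include <functional>
#include <queue>
#include <set>

// Constructed model of the KIO job/slave interaction, not KIO code.
// A registry of live Job addresses lets the model report a would-be
// use-after-free without dereferencing freed memory.
static std::set<const void*> g_liveJobs;
// Stands in for the Qt event loop: deferred callbacks run only after the
// current call chain has unwound (as a zero-delay timer would).
static std::queue<std::function<void()>> g_eventQueue;

struct Job;

struct Slave {
    bool deferFinished;                 // the fix: emit finished() later, not from inside send()
    std::function<void()> finished;     // connected to Job::slotFinished()
    explicit Slave(bool defer) : deferFinished(defer) {}

    // Called from Job::start(). A data: slave has nothing to wait for, so it
    // is "finished" as soon as it receives the command.
    void send() {
        if (deferFinished)
            g_eventQueue.push(finished); // emit after the caller has returned
        else
            finished();                  // emit synchronously: re-enters the Job
    }
};

struct Job {
    Slave* slave;
    bool suspended = false;             // member read by start() after the slave was started
    bool* destroyedFlag;

    Job(Slave* s, bool* destroyed) : slave(s), destroyedFlag(destroyed) { g_liveJobs.insert(this); }
    ~Job() { g_liveJobs.erase(this); *destroyedFlag = true; }

    // Mirrors TransferJob::start(): run the SimpleJob::start() part (send the
    // command to the slave) and then read a member of the job.
    // Returns 0 when start() completes on a live object, 1 when the job was
    // deleted underneath it (the invalid read Valgrind reported).
    int start() {
        slave->finished = [this] { slotFinished(); };
        slave->send();                                   // SimpleJob::start()
        if (g_liveJobs.find(this) == g_liveJobs.end())   // compares the address only, no dereference
            return 1;
        if (suspended) { /* this member read is the invalid read in the buggy case */ }
        return 0;
    }

    // finished() -> slotFinished() -> emitResult() -> delete this
    void slotFinished() { delete this; }
};

// Run one start() with the slave either emitting finished() synchronously
// (buggy) or deferring it to the event loop (fixed). Returns start()'s result.
int runScenario(bool deferFinished) {
    bool destroyed = false;
    Slave slave(deferFinished);
    Job* job = new Job(&slave, &destroyed);
    int rc = job->start();
    // Drain the event loop: in the fixed case the job deletes itself here,
    // after start() has returned.
    while (!g_eventQueue.empty()) {
        auto cb = g_eventQueue.front();
        g_eventQueue.pop();
        cb();
    }
    if (!destroyed) delete job;          // not reached in either scenario; kept for completeness
    return rc;
}

int main() {
    std::printf("synchronous finished(): %s\n",
                runScenario(false) ? "job deleted inside start()" : "ok");
    std::printf("deferred finished():    %s\n",
                runScenario(true) ? "job deleted inside start()" : "ok");
    return 0;
}
```

The general rule the model shows: a signal that can delete its receiver must never be emitted from inside a call on that receiver, because the caller still has "this" on the stack; deferring the emission to the event loop is the usual way to keep the "only emit finished() once control has returned to the loop" contract that every other slave already honours.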
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dataslave.cpp.diff
Type: text/x-diff
Size: 1440 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20050225/39786636/attachment.diff>