[ktnef] [Bug 356351] New: crash if I close ktnef when the open file error dialog is displayed
Santhiar via KDE Bugzilla
bugzilla_noreply at kde.org
Mon Dec 7 05:13:47 GMT 2015
https://bugs.kde.org/show_bug.cgi?id=356351
Bug ID: 356351
Summary: crash if I close ktnef when the open file error dialog is displayed
Product: ktnef
Version: 4.9
Platform: Other
OS: Linux
Status: UNCONFIRMED
Severity: crash
Priority: NOR
Component: general
Assignee: kdepim-bugs at kde.org
Reporter: santhiar.anirudh at gmail.com
I wanted to open a file using ktnef from the command line and close the
application.
ktnef someUnhandledFile
followed by
qdbus `qdbus | grep ktnef` /ktnef/MainWindow_1/actions/file_quit trigger
triggers a crash
Reproducible: Always
Steps to Reproduce:
1. Open a file (of a type ktnef does not handle) using ktnef
2. An error dialog will be displayed. While it is displayed,
3. Quit ktnef using "qdbus `qdbus | grep ktnef` /ktnef/MainWindow_1/actions/file_quit trigger"
Actual Results:
ktnef crashes with the following stack:
Application: KTnef (ktnef), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Current thread is 1 (Thread 0x7fa1be8a0780 (LWP 23222))]
Thread 2 (Thread 0x7fa1acd9d700 (LWP 23224)):
#0 0x00007fa1b8d3e6f3 in select () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007fa1b9a168bc in QProcessManager::run (this=0x7fa1b9e5a210
<processManager()::processManager>) at io/qprocess_unix.cpp:270
#2 0x00007fa1b98cbb2a in QThreadPrivate::start (arg=0x7fa1b9e5a210
<processManager()::processManager>) at thread/qthread_unix.cpp:361
#3 0x00007fa1b8a3ce9a in start_thread () from
/lib/x86_64-linux-gnu/libpthread.so.0
#4 0x00007fa1b8d4538d in clone () from /lib/x86_64-linux-gnu/libc.so.6
#5 0x0000000000000000 in ?? ()
Thread 1 (Thread 0x7fa1be8a0780 (LWP 23222)):
[KCrash Handler]
#6 QPointer<QItemSelectionModel>::operator QItemSelectionModel* (this=0x2a8)
at ../../include/QtCore/../../src/corelib/kernel/qpointer.h:78
#7 0x00007fa1bb6b915b in QAbstractItemView::selectionModel (this=0x1853450) at
itemviews/qabstractitemview.cpp:766
#8 0x00007fa1bb77ffa9 in QTreeWidget::clear (this=0x1853450) at
itemviews/qtreewidget.cpp:3273
#9 0x000000000041ccf3 in KTNEFView::setAttachments (this=0x1853450, list=...)
at KDE/kde/applications/kdepim/ktnef/ktnefview.cpp:90
#10 0x0000000000417c30 in KTNEFMain::loadFile (this=0x1838dd0, filename=...) at
KDE/kde/applications/kdepim/ktnef/ktnefmain.cpp:204
#11 0x000000000041db42 in main (argc=<optimized out>, argv=<optimized out>) at
KDE/kde/applications/kdepim/ktnef/main.cpp:60
Expected Results:
ktnef closes smoothly
This crash is actually a use-after-free. Repeating the steps above with ktnef
built using AddressSanitizer results in the following report:
AddressSanitizer stack:
==24918==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000a3040
at pc 0x46e008 bp 0x7fff9be0c090 sp 0x7fff9be0c088
READ of size 8 at 0x60c0000a3040 thread T0
#0 0x46e007 in KTNEFMain::loadFile(QString const&)
(KDE/install-asan/bin/ktnef+0x46e007)
#1 0x46f807 in KTNEFMain::openFile() (KDE/install-asan/bin/ktnef+0x46f807)
#2 0x494412 in KTNEFMain::qt_static_metacall(QObject*, QMetaObject::Call,
int, void**) (KDE/install-asan/bin/ktnef+0x494412)
#3 0x7f7edd7ca336 in QMetaObject::activate(QObject*, QMetaObject const*,
int, void**) (qt4/lib/libQtCore.so.4+0x255336)
#4 0x7f7edecf822c in QAction::triggered(bool)
(qt4/lib/libQtGui.so.4+0x22522c)
#5 0x7f7edecf8041 in QAction::activate(QAction::ActionEvent)
(qt4/lib/libQtGui.so.4+0x225041)
#6 0x7f7edecfa4d9 in QAction::trigger() (qt4/lib/libQtGui.so.4+0x2274d9)
#7 0x7f7edf458da2 in QToolButton::nextCheckState()
(qt4/lib/libQtGui.so.4+0x985da2)
#8 0x7f7edf312fd3 in QAbstractButtonPrivate::click()
(qt4/lib/libQtGui.so.4+0x83ffd3)
#9 0x7f7edf31456b in QAbstractButton::mouseReleaseEvent(QMouseEvent*)
(qt4/lib/libQtGui.so.4+0x84156b)
#10 0x7f7edf458663 in QToolButton::mouseReleaseEvent(QMouseEvent*)
(qt4/lib/libQtGui.so.4+0x985663)
#11 0x7f7eded9178d in QWidget::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x2be78d)
#12 0x7f7edf314390 in QAbstractButton::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x841390)
#13 0x7f7edf458e38 in QToolButton::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x985e38)
#14 0x7f7eded0829e in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23529e)
#15 0x7f7eded0b6a2 in QApplication::notify(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x2386a2)
#16 0x7f7ee05ca340 in KApplication::notify(QObject*, QEvent*)
KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
#17 0x7f7edd7a2b15 in QCoreApplication::notifyInternal(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22db15)
#18 0x7f7eded12e3e in QCoreApplication::sendSpontaneousEvent(QObject*,
QEvent*) (qt4/lib/libQtGui.so.4+0x23fe3e)
#19 0x7f7eded09340 in QApplicationPrivate::sendMouseEvent(QWidget*,
QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool)
(qt4/lib/libQtGui.so.4+0x236340)
#20 0x7f7ededda3f4 in QETWidget::translateMouseEvent(_XEvent const*)
(qt4/lib/libQtGui.so.4+0x3073f4)
#21 0x7f7ededd5e05 in QApplication::x11ProcessEvent(_XEvent*)
(qt4/lib/libQtGui.so.4+0x302e05)
#22 0x7f7edee20265 in
QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtGui.so.4+0x34d265)
#23 0x7f7edd79dedb in
QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x228edb)
#24 0x7f7edd79e1ed in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x2291ed)
#25 0x7f7edd7a3316 in QCoreApplication::exec()
(qt4/lib/libQtCore.so.4+0x22e316)
#26 0x7f7eded0a335 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237335)
#27 0x483563 in main (KDE/install-asan/bin/ktnef+0x483563)
#28 0x7f7edc39976c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
#29 0x454e7c in _start (KDE/install-asan/bin/ktnef+0x454e7c)
0x60c0000a3040 is located 64 bytes inside of 128-byte region
[0x60c0000a3000,0x60c0000a3080)
freed by thread T0 here:
#0 0x44049a in operator delete(void*) (KDE/install-asan/bin/ktnef+0x44049a)
#1 0x46bf34 in KTNEFMain::~KTNEFMain()
(KDE/install-asan/bin/ktnef+0x46bf34)
#2 0x7f7edd7c3b6d in qDeleteInEventHandler(QObject*)
(qt4/lib/libQtCore.so.4+0x24eb6d)
#3 0x7f7edd7c36d7 in QObject::event(QEvent*)
(qt4/lib/libQtCore.so.4+0x24e6d7)
#4 0x7f7eded93155 in QWidget::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x2c0155)
#5 0x7f7edf3b4d82 in QMainWindow::event(QEvent*)
(qt4/lib/libQtGui.so.4+0x8e1d82)
#6 0x7f7ee08ea133 in KMainWindow::event(QEvent*)
KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
#7 0x7f7ee09f00b2 in KXmlGuiWindow::event(QEvent*)
KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
#8 0x7f7eded0829e in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23529e)
#9 0x7f7eded0e13b in QApplication::notify(QObject*, QEvent*)
(qt4/lib/libQtGui.so.4+0x23b13b)
#10 0x7f7ee05ca340 in KApplication::notify(QObject*, QEvent*)
KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
#11 0x7f7edd7a2b15 in QCoreApplication::notifyInternal(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x22db15)
#12 0x7f7edd7a7279 in QCoreApplication::sendEvent(QObject*, QEvent*)
(qt4/lib/libQtCore.so.4+0x232279)
#13 0x7f7edd7a4123 in QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22f123)
#14 0x7f7edd7f5026 in
QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x280026)
#15 0x7f7edee20479 in
QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtGui.so.4+0x34d479)
#16 0x7f7edd79dedb in
QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x228edb)
#17 0x7f7edd79e1ed in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
(qt4/lib/libQtCore.so.4+0x2291ed)
#18 0x7f7edf4bca9a in QDialog::exec() (qt4/lib/libQtGui.so.4+0x9e9a9a)
#19 0x7f7ee03569dc in KMessageBox::createKMessageBox(KDialog*, QIcon
const&, QString const&, QStringList const&, QString const&, bool*,
QFlags<KMessageBox::Option>, QString const&, QMessageBox::Icon)
KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:344
#20 0x7f7ee0353fe1 in KMessageBox::createKMessageBox(KDialog*,
QMessageBox::Icon, QString const&, QStringList const&, QString const&, bool*,
QFlags<KMessageBox::Option>, QString const&)
KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:158
#21 0x7f7ee0364d4a in KMessageBox::errorListWId(unsigned long, QString
const&, QStringList const&, QString const&, QFlags<KMessageBox::Option>)
KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:854
#22 0x7f7ee036440b in KMessageBox::error(QWidget*, QString const&, QString
const&, QFlags<KMessageBox::Option>)
KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:821
#23 0x46db45 in KTNEFMain::loadFile(QString const&)
(KDE/install-asan/bin/ktnef+0x46db45)
#24 0x46f807 in KTNEFMain::openFile() (KDE/install-asan/bin/ktnef+0x46f807)
#25 0x494412 in KTNEFMain::qt_static_metacall(QObject*, QMetaObject::Call,
int, void**) (KDE/install-asan/bin/ktnef+0x494412)
#26 0x7f7edd7ca336 in QMetaObject::activate(QObject*, QMetaObject const*,
int, void**) (qt4/lib/libQtCore.so.4+0x255336)
#27 0x7f7edecf822c in QAction::triggered(bool)
(qt4/lib/libQtGui.so.4+0x22522c)
#28 0x7f7edecf8041 in QAction::activate(QAction::ActionEvent)
(qt4/lib/libQtGui.so.4+0x225041)
#29 0x7f7edecfa4d9 in QAction::trigger() (qt4/lib/libQtGui.so.4+0x2274d9)
previously allocated by thread T0 here:
#0 0x44021a in operator new(unsigned long)
(KDE/install-asan/bin/ktnef+0x44021a)
#1 0x4833b4 in main (KDE/install-asan/bin/ktnef+0x4833b4)
#2 0x7f7edc39976c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 KTNEFMain::loadFile(QString
const&)
Shadow bytes around the buggy address:
0x0c188000c5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c188000c5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c188000c5d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c188000c5e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c188000c5f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c188000c600: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x0c188000c610: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c188000c620: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c188000c630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07
0x0c188000c640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c188000c650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==24918==ABORTING
ktnef version details
---------------------------
Qt: 4.8.7
KDE Development Platform: 4.14.13
KTnef: 4.14.10
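The pattern behind the two traces above is a method that opens a modal dialog and then keeps using `this`, even though the dialog's nested event loop may have delivered the deferred deletion of the window (the `~KTNEFMain` under `QDialog::exec()` in the "freed by" trace). The usual hardening is to hold the window through a weak reference and re-check it after the modal call. The following is an added illustration, not ktnef's or the reporter's code: it replaces Qt's event loop and QPointer with a minimal callback queue and std::weak_ptr so it compiles stand-alone, and MainWindow, loadFileGuarded and the two scenario functions are hypothetical names.

```cpp
#include <cassert>
#include <deque>
#include <functional>
#include <memory>
#include <vector>

// Minimal stand-in for an event loop: a queue of deferred callbacks.
// deleteLater() posts such an event, and a modal dialog's exec() drains
// the queue re-entrantly while the caller is still on the stack.
struct EventLoop {
    std::deque<std::function<void()>> pending;
    void post(std::function<void()> ev) { pending.push_back(std::move(ev)); }
    void runModal() {                       // plays the role of KMessageBox::error()
        while (!pending.empty()) {
            auto ev = std::move(pending.front());
            pending.pop_front();
            ev();                           // may destroy the caller's window
        }
    }
};

// Stand-in for the main window; `attachments` is what the unguarded
// loadFile() would touch via setAttachments() after the window is gone.
struct MainWindow {
    std::vector<int> attachments{1, 2, 3};
};

// Hypothetical hardened loadFile: the weak_ptr is the analogue of a
// QPointer<KTNEFMain> guard taken before the modal call. Returns true only
// when the window survived the dialog and the attachment list was reset.
bool loadFileGuarded(EventLoop& loop, std::weak_ptr<MainWindow> self) {
    loop.runModal();                        // error dialog: quit may run in here
    auto win = self.lock();
    if (!win) return false;                 // deleted during the dialog: bail out
    win->attachments.clear();               // safe: the object is still alive
    return true;
}

// Scenario from the report: file_quit is triggered while the dialog is open.
bool quitDuringErrorDialog() {
    EventLoop loop;
    auto owner = std::make_shared<MainWindow>();   // "new KTNEFMain" in main()
    std::weak_ptr<MainWindow> guard = owner;
    loop.post([&owner] { owner.reset(); });        // the deferred delete
    return loadFileGuarded(loop, guard);           // false, and no use-after-free
}

// Control: the dialog is dismissed without quitting, so loading continues.
bool dismissErrorDialog() {
    EventLoop loop;
    auto owner = std::make_shared<MainWindow>();
    return loadFileGuarded(loop, owner);           // true
}
```

Building the original, unguarded variant with -fsanitize=address reproduces the same heap-use-after-free class of report as the one quoted in this bug.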