Crash into khtml::RenderBox::calcWidth()

Laurent Montel montel at kde.org
Thu Nov 20 15:12:15 GMT 2003


Hi,
When I load this page:
http://linuxfr.org/redirect/29888.html
I obtain a crash:

#0  0x41d1aeb3 in khtml::RenderBox::calcWidth() (this=0x8540874)
    at render_box.cpp:608
#1  0x41d29cf4 in khtml::RenderImage::setPixmap(QPixmap const&, QRect const&, 
khtml::CachedImage*) (this=0x8540874, p=@0x87449d0, r=@0xbfffed60, 
o=0x83a3f40)
    at render_image.cpp:146
#2  0x41d7918d in khtml::CachedImage::do_notify(QPixmap const&, QRect const&) 
(
    this=0x83a3f40, p=@0x87449d0, r=@0xbfffed60) at loader.cpp:698
#3  0x41d791e2 in khtml::CachedImage::movieUpdated(QRect const&) (
    this=0x83a3f40, r=@0xbfffed60) at loader.cpp:709
#4  0x41d7d8d5 in khtml::CachedImage::qt_invoke(int, QUObject*) (
    this=0x83a3f40, _id=2, _o=0xbfffece0) at loader.moc:99

There is a nil pointer:
konqueror:  cb :(nil)
--------------------------^
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 21376)]
0x41d1af0b in khtml::RenderBox::calcWidth() (this=0x8579b2c)
    at render_box.cpp:609
609                 cw = cb->contentWidth();


And another crash here:
0x41d1be8a in khtml::RenderBox::calcVerticalMargins() (this=0x8490210)
    at render_box.cpp:891
891         int cw = containingBlock()->contentWidth();

ContainingBlock() can return a null value but it's tested.
So I created a patch.

But in this function:
"RenderBlock *RenderObject::containingBlock() const"

there are these lines:
"    // this is just to make sure we return a valid element.
    // the case below should never happen...
    if(!o || !o->isRenderBlock()) {
        if(!isCanvas()) {
#ifndef NDEBUG
            kdDebug( 6040 ) << this << ": " << renderName() << "(RenderObject): No containingBlock!" << endl;
            kdDebug( 6040 ) << kdBacktrace() << endl;
            const RenderObject* p = this;
            while (p->parent()) p = p->parent();
            p->printTree();
#endif
        }
        return 0L;
    }
"should never happen"
But on this page we can return a null pointer.

My patch fixes the crash.
But I don't know if it's perfect.

Could someone look at it, please?
Thanks
Regards.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: khtml-crash.patch
Type: text/x-diff
Size: 1357 bytes
Desc: not available
URL: <https://mail.kde.org/mailman/private/kfm-devel/attachments/20031120/8583ca94/attachment.patch>
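
Added example (not part of the original message, not KHTML code, and not the attached patch): a minimal C++ model of the failure described above, where containingBlock() returns null for a node with no block ancestor and the caller checks the result before calling contentWidth(). Node, containerWidth and the two sample trees are hypothetical names constructed for illustration.

```cpp
#include <cstdio>

// Simplified stand-in for a render tree node (hypothetical, not KHTML's classes).
struct Node {
    Node* parent = nullptr;
    bool isBlock = false;
    int width = 0;

    // Same contract as the quoted function: walk up to the nearest block
    // ancestor and return null when there is none.
    const Node* containingBlock() const {
        const Node* o = parent;
        while (o && !o->isBlock) o = o->parent;
        return o;  // nullptr for a node that has no block ancestor
    }
    int contentWidth() const { return width; }
};

// The crashing statement in the backtrace has the shape
//     cw = cb->contentWidth();
// with cb == nil. Checked form: report failure instead of dereferencing.
bool containerWidth(const Node& n, int& cw) {
    const Node* cb = n.containingBlock();
    if (!cb) {
        cw = 0;        // safe default; the caller decides how to lay out
        return false;
    }
    cw = cb->contentWidth();
    return true;
}

// Constructed sample tree: block (800 wide) -> inline box -> image.
int widthForAttachedImage() {
    Node block; block.isBlock = true; block.width = 800;
    Node inlineBox; inlineBox.parent = &block;
    Node image; image.parent = &inlineBox;
    int cw = -1;
    return containerWidth(image, cw) ? cw : -1;
}

// Constructed sample tree: inline box -> image, with no block anywhere above.
int widthForDetachedImage() {
    Node inlineBox;
    Node image; image.parent = &inlineBox;
    int cw = -1;
    return containerWidth(image, cw) ? cw : -1;
}

int main() {
    std::printf("attached: %d\n", widthForAttachedImage());
    std::printf("detached: %d\n", widthForDetachedImage());
    return 0;
}
```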