[Konversation-devel] [Bug 152251] New: invalid pointer dereference in Server::removeJoinedChannel

Xuân Baldauf development--bugs.kde.org at medium.net
Tue Nov 13 15:38:29 CET 2007 

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
         
http://bugs.kde.org/show_bug.cgi?id=152251         
           Summary: invalid pointer dereference in
                    Server::removeJoinedChannel
           Product: konversation
           Version: unspecified
          Platform: SuSE RPMs
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: general
        AssignedTo: konversation-devel kde org
        ReportedBy: development--bugs.kde.org medium net


Version:           1.0.1+ #3214 (using KDE KDE 3.5.8)
Installed from:    SuSE RPMs
OS:                Linux

In http://websvn.kde.org/branches/extragear/kde3/network/konversation/src/server.cpp?annotate=736100#l2621, we have these lines:

                channel->remove(member);
                // If the nick is no longer listed in any channels or query list, delete it altogether.
                deleteNickIfUnlisted(member.data()->getNickInfo()->getNickname());


In line 2621, the iterator "member" is dereferenced and its content is removed from channel. Thus, a subsequent access of member.data() is invalid. However, in line 2623, member.data() is accessed and dereferenced, which should not happen.

In my case, it does not crash, but it could crash, because deallocated memory is accessed and used.

See this for further detail (note that in this case, line 2622 is where "channel->remove(member);" happens):

==13110==
==13110== Invalid read of size 4
==13110==    at 0x80AA3DC: KSharedPtr<ChannelNick>::operator->() (ksharedptr.h:164)
==13110==    by 0x8114ED3: Server::removeJoinedChannel(QString const&) (server.cpp:2624)
==13110==    by 0x8116EF2: Server::removeChannel(Channel*) (server.cpp:2151)
==13110==    by 0x80FD7AC: Channel::~Channel() (channel.cpp:323)
==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4E67395: QWidgetStack::~QWidgetStack() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4E51843: QTabWidget::~QTabWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x45FAC87: KTabWidget::~KTabWidget() (ktabwidget.cpp:75)
==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4E4AAF7: QSplitter::~QSplitter() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4E20D42: QMainWindow::~QMainWindow() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x465875D: KMainWindow::~KMainWindow() (kmainwindow.cpp:322)
==13110==    by 0x808D462: KonversationMainWindow::~KonversationMainWindow() (konversationmainwindow.cpp:325)
==13110==    by 0x4D2A1BA: QObject::event(QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4D635CB: QWidget::event(QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4E1C101: QMainWindow::event(QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x808CCEA: KonversationMainWindow::event(QEvent*) (konversationmainwindow.cpp:433)
==13110==    by 0x4CCC0AB: QApplication::internalNotify(QObject*, QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4CCCE62: QApplication::notify(QObject*, QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4918A61: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:552)
==13110==    by 0x4CCD970: QApplication::sendPostedEvents(QObject*, int) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4CE2CBE: QEventLoop::enterLoop() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4CE2AC5: QEventLoop::exec() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4CCBC1E: QApplication::exec() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x8126EEF: main (main.cpp:112)
==13110==  Address 0x6406458 is 16 bytes inside a block of size 24 free'd
==13110==    at 0x4022156: operator delete(void*) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13110==    by 0x8124812: QMapPrivate<QString, KSharedPtr<ChannelNick> >::remove(QMapIterator<QString, KSharedPtr<ChannelNick> >) (qmap.h:386)
==13110==    by 0x81248F4: QMap<QString, KSharedPtr<ChannelNick> >::remove(QMapIterator<QString, KSharedPtr<ChannelNick> >) (qmap.h:725)
==13110==    by 0x8114EC0: Server::removeJoinedChannel(QString const&) (server.cpp:2622)
==13110==    by 0x8116EF2: Server::removeChannel(Channel*) (server.cpp:2151)
==13110==    by 0x80FD7AC: Channel::~Channel() (channel.cpp:323)
==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4E67395: QWidgetStack::~QWidgetStack() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4E51843: QTabWidget::~QTabWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x45FAC87: KTabWidget::~KTabWidget() (ktabwidget.cpp:75)
==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4E4AAF7: QSplitter::~QSplitter() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4E20D42: QMainWindow::~QMainWindow() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x465875D: KMainWindow::~KMainWindow() (kmainwindow.cpp:322)
==13110==    by 0x808D462: KonversationMainWindow::~KonversationMainWindow() (konversationmainwindow.cpp:325)
==13110==    by 0x4D2A1BA: QObject::event(QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4D635CB: QWidget::event(QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4E1C101: QMainWindow::event(QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x808CCEA: KonversationMainWindow::event(QEvent*) (konversationmainwindow.cpp:433)
==13110==    by 0x4CCC0AB: QApplication::internalNotify(QObject*, QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4CCCE62: QApplication::notify(QObject*, QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4918A61: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:552)
==13110==    by 0x4CCD970: QApplication::sendPostedEvents(QObject*, int) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4CE2CBE: QEventLoop::enterLoop() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4CE2AC5: QEventLoop::exec() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x4CCBC1E: QApplication::exec() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
==13110==    by 0x8126EEF: main (main.cpp:112)

More information about the Konversation-devel mailing list