https://bugs.kde.org/show_bug.cgi?id=426387
Bug ID: 426387
Summary: klauncher crashes because of accessing dangling pointers
Product: frameworks-kinit
Version: 5.65.0
Platform: Other
OS: Microsoft Windows
Status: REPORTED
Severity: crash
Priority: NOR
Component: general
Assignee: fa...@kde.org
Reporter: ralf.habac...@freenet.de
CC: kdelibs-b...@kde.org
Target Milestone: ---

SUMMARY
Running klauncher in combination with cross-compiled kmymoney5 always lets klauncher5 crash with a segmentation fault after some time.

STEPS TO REPRODUCE
1. download the portable package from https://build.opensuse.org/package/binaries/home:rhabacker:branches:windows:mingw:win32:kmymoney5-kf565/mingw32-kmymoney5:mingw32-kmymoney5-installer/openSUSE_Leap_15.1
2. start kmymoney
3. open a file

OBSERVED RESULT
After some time klauncher5 crashes at

Thread 1 received signal SIGSEGV, Segmentation fault.
0x6cb835f9 in KIO::IdleSlave::protocol (this=0x1414b90) at /home/abuild/rpmbuild/BUILD/kio-5.65.0/src/core/idleslave.cpp:152
152         return d->mProtocol;
(gdb) bt
#0  0x6cb835f9 in KIO::IdleSlave::protocol (this=this@entry=0x1414b90) at /home/abuild/rpmbuild/BUILD/kio-5.65.0/src/core/idleslave.cpp:152
#1  0x004028cf in KLauncher::idleTimeout (this=this@entry=0x13f96a0) at /usr/i686-w64-mingw32/sys-root/mingw/include/qt5/QtCore/qstring.h:95
#2  0x0040a07a in KLauncher::qt_static_metacall (_o=_o@entry=0x13f96a0, _id=_id@entry=7, _a=_a@entry=0x28dba8, _c=QMetaObject::InvokeMetaMethod) at /home/abuild/rpmbuild/BUILD/kinit-5.65.0/build/src/klauncher/kdeinit_klauncher_autogen/EWIEGA46WW/moc_klauncher.cpp:117
#3  0x0040a0b0 in KLauncher::qt_static_metacall (_o=0x13f96a0, _c=QMetaObject::InvokeMetaMethod, _id=7, _a=0x28dba8) at /home/abuild/rpmbuild/BUILD/kinit-5.65.0/build/src/klauncher/kdeinit_klauncher_autogen/EWIEGA46WW/moc_klauncher.cpp:106
#4  0x6e3ef32a in libQt5Core!_ZN11QMetaObject8activateEP7QObjectiiPPv () from F:\Downloads\kmymoney\kmymoney5-5.1+git.2a911c86b\bin\libQt5Core.dll
#5  0x6e3fd4a8 in libQt5Core!_ZN6QTimer10timerEventEP11QTimerEvent () from F:\Downloads\kmymoney\kmymoney5-5.1+git.2a911c86b\bin\libQt5Core.dll
(gdb) p d
$1 = {
  d = 0xfeeefeee
}

EXPECTED RESULT
no crash

SOFTWARE/OS VERSIONS
Windows: 10
KDE Frameworks Version: 5.65.0
Qt Version: 5.11

ADDITIONAL INFORMATION
According to https://en.wikipedia.org/wiki/Magic_number_(programming)#Debug_values, the mentioned pointer indicates access to already freed memory.

At https://invent.kde.org/frameworks/kinit/-/blob/master/src/klauncher/klauncher.cpp#L116 KLauncher::idleTime() is set as slot for a timer event, which accesses the list of slaves at https://invent.kde.org/frameworks/kinit/-/blob/master/src/klauncher/klauncher.cpp#L1130. In the crash case the referenced list contains dangling pointers because the loop is entered. The list itself, which is defined at https://invent.kde.org/frameworks/kinit/-/blob/master/src/klauncher/klauncher.h#L218, is not guarded against dangling pointers.

Changing this definition to

    QList<QPointer<IdleSlave>> mSlaveList;

or similar would fix that issue in my opinion.
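The guarded-pointer idea behind the proposed QList<QPointer<IdleSlave>> change, as an added example that is not part of the bug report and not code from kinit, KIO or Qt. It is written in plain C++ so it builds without Qt: Guardable and Guarded<T> are hypothetical stand-ins for what QObject and QPointer do (the target nulls every guard that points at it when it is destroyed), and IdleSlave, Launcher and the "file"/"http"/"sftp" slaves are constructed stand-ins for KIO::IdleSlave, KLauncher and its slave list. The scenario is the one in the report: a slave is destroyed between two timer ticks without the list being updated, and the next idleTimeout() walk would read freed memory through a raw pointer.

```cpp
// Added example, not code from kinit/KIO/Qt. Guardable/Guarded<T> mimic the
// QObject/QPointer relationship; IdleSlave and Launcher are stand-ins.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Knows which guards point at it and nulls them in its destructor, so a stale
// list entry reads as nullptr instead of freed memory (the 0xfeeefeee in the
// report is the freed-heap fill pattern of exactly such a stale pointer).
class Guardable {
public:
    Guardable() = default;
    Guardable(const Guardable &) = delete;
    Guardable &operator=(const Guardable &) = delete;
    virtual ~Guardable() {
        for (Guardable **slot : m_guards) *slot = nullptr;
    }
    void addGuard(Guardable **slot) { m_guards.push_back(slot); }
    void removeGuard(Guardable **slot) {
        m_guards.erase(std::remove(m_guards.begin(), m_guards.end(), slot),
                       m_guards.end());
    }
private:
    std::vector<Guardable **> m_guards;
};

// Self-nulling pointer: registers the address of its own m_p with the target.
// Copy and assignment re-register, so it stays correct when a std::vector
// reallocates or shifts its elements.
template <typename T>
class Guarded {
public:
    Guarded(T *p = nullptr) : m_p(p) { attach(); }
    Guarded(const Guarded &o) : m_p(o.m_p) { attach(); }
    Guarded &operator=(const Guarded &o) { detach(); m_p = o.m_p; attach(); return *this; }
    ~Guarded() { detach(); }
    T *get() const { return static_cast<T *>(m_p); }
    explicit operator bool() const { return m_p != nullptr; }
private:
    void attach() { if (m_p) m_p->addGuard(&m_p); }
    void detach() { if (m_p) m_p->removeGuard(&m_p); }
    Guardable *m_p;
};

class IdleSlave : public Guardable {
public:
    explicit IdleSlave(std::string proto) : m_protocol(std::move(proto)) {}
    const std::string &protocol() const { return m_protocol; }
private:
    std::string m_protocol;
};

class Launcher {
public:
    void addSlave(IdleSlave *s) { m_slaveList.push_back(Guarded<IdleSlave>(s)); }

    // Mirrors the timer slot in the backtrace: walk the list and touch each
    // slave. A guard that went null belongs to a slave that was already
    // deleted; it is pruned instead of dereferenced.
    std::vector<std::string> idleTimeout() {
        std::vector<std::string> touched;
        for (auto it = m_slaveList.begin(); it != m_slaveList.end();) {
            if (!*it) { it = m_slaveList.erase(it); continue; }
            touched.push_back(it->get()->protocol());
            ++it;
        }
        return touched;
    }
    std::size_t slaveCount() const { return m_slaveList.size(); }
private:
    std::vector<Guarded<IdleSlave>> m_slaveList;
};

struct Outcome {
    std::vector<std::string> touched;  // protocols the timer slot saw
    std::size_t remaining;             // list entries left after pruning
};

// Constructed scenario: three slaves, one dies between two timer ticks and
// nobody tells the launcher. With IdleSlave* in the list this would dangle.
Outcome simulateCrashScenario() {
    Launcher launcher;
    IdleSlave *file = new IdleSlave("file");
    IdleSlave *http = new IdleSlave("http");
    IdleSlave *sftp = new IdleSlave("sftp");
    launcher.addSlave(file);
    launcher.addSlave(http);
    launcher.addSlave(sftp);
    delete http;                            // its guard in the list is now null
    Outcome out;
    out.touched = launcher.idleTimeout();   // {"file", "sftp"}, dead entry pruned
    out.remaining = launcher.slaveCount();  // 2
    delete file;
    delete sftp;
    return out;
}

int main() {
    Outcome out = simulateCrashScenario();
    for (const std::string &p : out.touched) std::cout << "idle slave: " << p << '\n';
    std::cout << out.remaining << " entries left in the list\n";
    return 0;
}
```

A guard of this kind only turns a use-after-free into a null check; the loop still has to skip and drop the null entries, as idleTimeout() does here, otherwise the list keeps growing with dead slots. The same effect can be had directly by removing the slave from the list in whichever handler notices that the slave died, which is the alternative the guarded pointer merely makes robust against a missed notification.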