https://bugs.kde.org/show_bug.cgi?id=439730
--- Comment #3 from wolthera <griffinval...@gmail.com> ---
Uhm, I'm not so sure about that. I just got the ASAN backtrace, and it points at a buffer overflow in KisColorfulBrush (but if you say it should stay closed...):

---------------------------------------------------------------------------------
=================================================================
==809821==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310010a0800 at pc 0x7f2e4fba6c5c bp 0x7ffd9cbb4a20 sp 0x7ffd9cbb4a10
READ of size 4 at 0x6310010a0800 thread T0
    #0 0x7f2e4fba6c5b in estimateImageAverage /home/wolthera/krita/src/libs/brush/KisColorfulBrush.cpp:28
    #1 0x7f2e4fba7253 in KisColorfulBrush::adjustedMidPoint() const /home/wolthera/krita/src/libs/brush/KisColorfulBrush.cpp:46
    #2 0x7f2e2b94ba43 in KisPredefinedBrushChooser::slotUpdateResetBrushAdjustmentsButtonState() /home/wolthera/krita/src/plugins/paintops/libpaintop/kis_predefined_brush_chooser.cpp:483
    #3 0x7f2e2b9501ed in KisPredefinedBrushChooser::slotUpdateBrushModeButtonsState() /home/wolthera/krita/src/plugins/paintops/libpaintop/kis_predefined_brush_chooser.cpp:455
    #4 0x7f2e2b953c6c in KisPredefinedBrushChooser::updateBrushTip(QSharedPointer<KoResource>, bool) /home/wolthera/krita/src/plugins/paintops/libpaintop/kis_predefined_brush_chooser.cpp:402
    #5 0x7f2e2b95fecb in KisPredefinedBrushChooser::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/wolthera/krita/build/plugins/paintops/libpaintop/kritalibpaintop_autogen/include/moc_kis_predefined_brush_chooser.cpp:152
    #6 0x7f2e504ac31f (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2eb31f)
    #7 0x7f2e4e782589 in KisResourceItemChooser::resourceSelected(QSharedPointer<KoResource>) /home/wolthera/krita/build/libs/resourcewidgets/kritaresourcewidgets_autogen/EWIEGA46WW/moc_KisResourceItemChooser.cpp:209
    #8 0x7f2e4e7abd88 in KisResourceItemChooser::activate(QModelIndex const&) /home/wolthera/krita/src/libs/resourcewidgets/KisResourceItemChooser.cpp:353
    #9 0x7f2e4e78990e in KisResourceItemChooser::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/wolthera/krita/build/libs/resourcewidgets/kritaresourcewidgets_autogen/EWIEGA46WW/moc_KisResourceItemChooser.cpp:131
    #10 0x7f2e504ac31f (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2eb31f)
    #11 0x7f2e4e7838cc in KisResourceItemListView::currentResourceChanged(QModelIndex const&) /home/wolthera/krita/build/libs/resourcewidgets/kritaresourcewidgets_autogen/EWIEGA46WW/moc_KisResourceItemListView.cpp:185
    #12 0x7f2e4e7b2235 in KisResourceItemListView::selectionChanged(QItemSelection const&, QItemSelection const&) /home/wolthera/krita/src/libs/resourcewidgets/KisResourceItemListView.cpp:55
    #13 0x7f2e511c7948 (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x3e7948)
    #14 0x7f2e504ac31f (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2eb31f)
    #15 0x7f2e50426453 in QItemSelectionModel::selectionChanged(QItemSelection const&, QItemSelection const&) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x265453)
    #16 0x7f2e5042bbaa in QItemSelectionModel::emitSelectionChanged(QItemSelection const&, QItemSelection const&) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x26abaa)
    #17 0x7f2e5042f261 in QItemSelectionModel::select(QItemSelection const&, QFlags<QItemSelectionModel::SelectionFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x26e261)
    #18 0x7f2e51202f23 in QListView::setSelection(QRect const&, QFlags<QItemSelectionModel::SelectionFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x422f23)
    #19 0x7f2e511c5979 in QAbstractItemView::mousePressEvent(QMouseEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x3e5979)
    #20 0x7f2e50f90d10 in QWidget::event(QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x1b0d10)
    #21 0x7f2e51041091 in QFrame::event(QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x261091)
    #22 0x7f2e511cb971 in QAbstractItemView::viewportEvent(QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x3eb971)
    #23 0x7f2e4e7b2fce in KisResourceItemListView::viewportEvent(QEvent*) /home/wolthera/krita/src/libs/resourcewidgets/KisResourceItemListView.cpp:80
    #24 0x7f2e50475032 in QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b4032)
    #25 0x7f2e50f4ddb1 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x16ddb1)
    #26 0x7f2e50f56e76 in QApplication::notify(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x176e76)
    #27 0x7f2e576a16d4 in KisApplication::notify(QObject*, QEvent*) /home/wolthera/krita/src/libs/ui/KisApplication.cpp:711
    #28 0x7f2e504752c9 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b42c9)
    #29 0x7f2e50f560a6 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool, bool) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x1760a6)
    #30 0x7f2e50fac9dd (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x1cc9dd)
    #31 0x7f2e50faf263 (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x1cf263)
    #32 0x7f2e50f4ddc2 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x16ddc2)
    #33 0x7f2e50f56bb7 in QApplication::notify(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x176bb7)
    #34 0x7f2e576a16d4 in KisApplication::notify(QObject*, QEvent*) /home/wolthera/krita/src/libs/ui/KisApplication.cpp:711
    #35 0x7f2e504752c9 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b42c9)
    #36 0x7f2e508574e7 in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0x1404e7)
    #37 0x7f2e5085835d in QGuiApplicationPrivate::processTabletEvent(QWindowSystemInterfacePrivate::TabletEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0x14135d)
    #38 0x7f2e50858b13 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0x141b13)
    #39 0x7f2e508307ab in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0x1197ab)
    #40 0x7f2e44614ead (/usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5+0x77ead)
    #41 0x7f2e4b76217c in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5217c)
    #42 0x7f2e4b7623ff (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x523ff)
    #43 0x7f2e4b7624a2 in g_main_context_iteration (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x524a2)
    #44 0x7f2e504cfb21 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x30eb21)
    #45 0x7f2e50473dca in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b2dca)
    #46 0x7f2e5047bf83 in QCoreApplication::exec() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2baf83)
    #47 0x563213373687 in main /home/wolthera/krita/src/krita/main.cc:693
    #48 0x7f2e4fdf80b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #49 0x563213376d9d in _start (/home/wolthera/krita/inst/bin/krita+0x2357d9d)

0x6310010a0800 is located 0 bytes to the right of 65536-byte region [0x631001090800,0x6310010a0800)
allocated by thread T0 here:
    #0 0x7f2e5be78bc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x7f2e508a4b3b in QImageData::create(QSize const&, QImage::Format) (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0x18db3b)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wolthera/krita/src/libs/brush/KisColorfulBrush.cpp:28 in estimateImageAverage
Shadow bytes around the buggy address:
  0x0c628020c0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c628020c0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c628020c0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c628020c0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c628020c0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c628020c100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628020c110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628020c120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628020c130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628020c140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c628020c150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==809821==ABORTING
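The report above says everything a reader needs about the access itself: a 4-byte READ at an address that sits 0 bytes to the right of a 65536-byte heap region that QImageData::create() allocated, i.e. the first 32-bit pixel past the end of the image buffer, with the shadow byte at that address marked fa (heap redzone). What it does not show is the cause in KisColorfulBrush.cpp:28, and the example below makes no claim about that. It is an added illustration, not Krita's or Qt's code, of the shape of defect ASAN is describing and of the check that turns it into a clean failure: a constructed 65536-byte pixel buffer (the 128 x 128 x 4-byte layout is an assumption; the report only gives the byte count), an averaging routine that trusts a caller-supplied row count, and a variant that validates the extent against the allocation before the first read. The names make_image, pixel_at, average_unchecked and average_checked are all hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample: a pixel buffer the size of the 65536-byte QImage
 * region in the report above. 128 x 128 pixels of 4 bytes each is an
 * assumption; the report only gives the byte count. */
#define IMG_W 128
#define IMG_H 128
#define BPP   4

typedef struct {
    uint8_t *data;           /* heap allocation, `bytes` long */
    size_t   bytes;          /* allocation size in bytes */
    size_t   bytes_per_line; /* stride of one scanline */
    int      width, height;
} image_t;

/* Allocate an image and fill every 32-bit pixel with v. */
static image_t *make_image(uint32_t v) {
    image_t *img = calloc(1, sizeof *img);
    if (!img) return NULL;
    img->width = IMG_W;
    img->height = IMG_H;
    img->bytes_per_line = (size_t)IMG_W * BPP;
    img->bytes = img->bytes_per_line * IMG_H;   /* 65536 */
    img->data = malloc(img->bytes);
    if (!img->data) { free(img); return NULL; }
    for (size_t off = 0; off < img->bytes; off += BPP)
        memcpy(img->data + off, &v, BPP);
    return img;
}

static void free_image(image_t *img) {
    if (img) { free(img->data); free(img); }
}

/* Raw 32-bit pixel read; like a scanline pointer it knows nothing about
 * the allocation's bounds. */
static uint32_t pixel_at(const image_t *img, int x, int y) {
    uint32_t v;
    memcpy(&v, img->data + (size_t)y * img->bytes_per_line + (size_t)x * BPP, BPP);
    return v;
}

/* Average of the low byte of each pixel over `rows` scanlines, trusting the
 * caller's row count. Called with rows == img->height + 1 it performs the
 * access the report describes: a 4-byte READ 0 bytes past the end of the
 * region. Built with -fsanitize=address, that is exactly what ASAN flags. */
static double average_unchecked(const image_t *img, int rows) {
    uint64_t sum = 0;
    for (int y = 0; y < rows; y++)
        for (int x = 0; x < img->width; x++)
            sum += pixel_at(img, x, y) & 0xFFu;
    return (double)sum / ((double)rows * (double)img->width);
}

/* Same computation with the extent validated against the allocation before
 * the first read. Returns 0 and writes *out on success, -1 if the request
 * would overrun the buffer, so the case above becomes a clean failure. */
static int average_checked(const image_t *img, int rows, double *out) {
    if (!img || !img->data || !out || rows < 0 || rows > img->height) return -1;
    /* Bytes the loop will touch: `rows` full scanlines. Second line of
     * defence in case height and the allocation size ever disagree. */
    if ((size_t)rows * img->bytes_per_line > img->bytes) return -1;
    *out = rows ? average_unchecked(img, rows) : 0.0;  /* known in bounds */
    return 0;
}

int main(void) {
    image_t *img = make_image(0x00112233u);
    double avg = 0.0;
    if (!img) return 1;
    int rc = average_checked(img, IMG_H, &avg);
    printf("all rows:      rc=%d avg=%g\n", rc, avg);
    rc = average_checked(img, IMG_H + 1, &avg);
    printf("one row extra: rc=%d (refused before any read)\n", rc);
    free_image(img);
    return 0;
}
```

Building this with `cc -g -fsanitize=address` and calling average_unchecked(img, IMG_H + 1) reproduces a report of the same shape as the one in the comment (READ of size 4, 0 bytes to the right of a 65536-byte region allocated by malloc), which is a quick way to confirm what a given ASAN summary means before digging into the real call site.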