Version: (using KDE KDE 3.5.4) Installed from: Fedora RPMs Compiler: gcc-4.1.1-1.fc5 OS: Linux A kmail crasher was posted to full-disclosure a few days ago: http://marc.theaimsgroup.com/?t=116018206400001&r=1&w=2 That thread will eventually lead to this reproducer: http://silenthack.co.uk/nnp/exploits/kmail/imgCrash The HTML in that file <html> <IMG SRC=file:"" /> </html> crashes (SIGABRT) both kmail and konqueror, which makes this issue look like a khtml problem. I'm not able to properly debug this issue as I'm not familiar enough with the KDE internals to know why this is happening.
(CC'ing security@ due to the posting, though I don't consider this to be worth such attention...) KIO gets confused when passed a URL file://"" #2 0xb6791851 in abort () from /lib/i686/libc.so.6 #3 0xb75a5f9a in kDebugBackend (nLevel=3, nArea=7006, data=0x842be40 "FATAL: BUG! _ScheduleJob(): No extraJobData for job!\n") at /code/KDE/kde3/kdelibs/kdecore/kdebug.cpp:313 #4 0xb75a63c8 in kdbgstream::flush (this=0xbfdec024) at /code/KDE/kde3/kdelibs/kdecore/kdebug.cpp:336 #5 0xb7f46905 in endl () from /opt/kde3.4/lib/libkdeinit_konqueror.so #6 0xb7e50f87 in kdbgstream::operator<< (this=0xbfdec024, f=0xb7f46860 <endl(kdbgstream&)>) at /code/KDE/kde3/kdelibs/kdecore/kdebug.h:260 #7 0xb7bb101a in KIO::Scheduler::_scheduleJob (this=0xbfdebfd8, job=0x842ae00) at /code/KDE/kde3/kdelibs/kio/kio/scheduler.cpp:223 #8 0xb7bd2856 in KIO::Scheduler::scheduleJob (job=0x842ae00) at /code/KDE/kde3/kdelibs/kio/kio/scheduler.h:139 #9 0xb6175de7 in khtml::Loader::servePendingRequests (this=0x82cc8c8) at /code/KDE/kde3/kdelibs/khtml/misc/loader.cpp:1149 #10 0xb617703b in khtml::Loader::qt_invoke (this=0x82cc8c8, _id=4, _o=0xbfdec1e0) at ../khtml/misc/loader.moc:262 #11 0xb706b5e7 in QObject::activate_signal (this=0x82cc930, clist=0x82cced8, o=0xbfdec1e0) at kernel/qobject.cpp:2392 #12 0xb706bb8c in QObject::activate_signal (this=0x82cc930, signal=2) at kernel/qobject.cpp:2361 #13 0xb72daf2f in QTimer::timeout () at ../include/qrect.h:248 #14 0xb70858fd in QTimer::event () at ../include/qstring.h:252 #15 0xb702b4bc in QApplication::internalNotify (this=0x0, receiver=0x82cc930, e=0xbfdec428) at kernel/qapplication.cpp:2635 #16 0xb702ba04 in QApplication::notify (this=0xbfdec6ec, receiver=0x82cc930, e=0xbfdec428) at kernel/qapplication.cpp:2523 #17 0xb759e529 in KApplication::notify (this=0xbfdec6ec, receiver=0x82cc930, event=0xbfdec428) at /code/KDE/kde3/kdelibs/kdecore/kapplication.cpp:550 #18 0xb701eceb in QEventLoop::activateTimers () at ../include/qrect.h:251 #19 0xb6fef996 in 
QEventLoop::processEvents (this=0x8084ed8, flags=4) at kernel/qeventloop_x11.cpp:389 #20 0xb7038590 in QEventLoop::enterLoop () at ../include/qshared.h:48 #21 0xb70384f5 in QEventLoop::exec () at ../include/qshared.h:48 #22 0xb70272e4 in QApplication::exec (this=0xbfdec6ec) at kernel/qapplication.cpp:2758 #23 0xb7f44e55 in kdemain () from /opt/kde3.4/lib/libkdeinit_konqueror.so #24 0xb677d75c in __libc_start_main () from /lib/i686/libc.so.6 #25 0x08048641 in _start ()
SVN commit 594522 by dfaure: Don't crash when creating a job for an invalid URL and then calling Scheduler::scheduleJob(job), which aborts if Scheduler::doJob wasn't called. So let's call doJob in all cases, even if we know right away that this is an error case. BUG: 135456 M +9 -9 job.cpp
--- branches/KDE/3.5/kdelibs/kio/kio/job.cpp #594521:594522
@@ -410,15 +410,6 @@
 : Job(showProgressInfo), m_slave(0), m_packedArgs(packedArgs), m_url(url), m_command(command), m_totalSize(0)
 {
-    if (!m_url.isValid())
-    {
-        m_error = ERR_MALFORMED_URL;
-        m_errorText = m_url.url();
-        QTimer::singleShot(0, this, SLOT(slotFinished()) );
-        return;
-    }
-
-
     if (m_url.hasSubURL())
     {
         KURL::List list = KURL::split(m_url);
@@ -430,6 +421,15 @@
     }
     Scheduler::doJob(this);
+
+    if (!m_url.isValid())
+    {
+        kdDebug() << "ERR_MALFORMED_URL" << endl;
+        m_error = ERR_MALFORMED_URL;
+        m_errorText = m_url.url();
+        QTimer::singleShot(0, this, SLOT(slotFinished()) );
+        return;
+    }
 }
 void SimpleJob::kill( bool quietly )
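Review bot: In the second hunk the malformed-URL check now runs only after the `if (m_url.hasSubURL())` block, so `KURL::split(m_url)` and the sub-URL bookkeeping execute on a URL already known to be invalid; an alternative that keeps the early return at the top of the constructor and still satisfies the scheduler is to add `Scheduler::doJob(this);` inside the error branch just before `QTimer::singleShot(0, this, SLOT(slotFinished()) );`. The new `kdDebug()` call uses the default debug area, whereas KIO logs under its own area (the backtrace above shows kDebugBackend with nArea=7006 for the scheduler); `kdDebug(7007) << "ERR_MALFORMED_URL: " << m_url.url() << endl;` would keep it with the other kio messages and record the offending URL, which is what a reader of a crash log like the one above needs. Because the job is now registered with the scheduler before the error path returns, the deferred slotFinished() presumably has to deregister it; worth confirming, since a job that stays queued after reporting ERR_MALFORMED_URL would turn this from an abort into a leak. The SimpleJob constructor's signature lies outside the hunk.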