Version: 1.0.1+ #3214 (using KDE KDE 3.5.8)
Installed from: SuSE RPMs
OS: Linux

In http://websvn.kde.org/branches/extragear/kde3/network/konversation/src/server.cpp?annotate=736100#l2621, we have these lines:

    channel->remove(member);
    // If the nick is no longer listed in any channels or query list, delete it altogether.
    deleteNickIfUnlisted(member.data()->getNickInfo()->getNickname());

In line 2621, the iterator "member" is dereferenced and its content is removed from channel. Thus, a subsequent access of member.data() is invalid. However, in line 2623, member.data() is accessed and dereferenced, which should not happen. In my case, it does not crash, but it could crash, because deallocated memory is accessed and used.

See this for further detail (note that in this case, line 2622 is where "channel->remove(member);" happens):

    ==13110==
    ==13110== Invalid read of size 4
    ==13110==    at 0x80AA3DC: KSharedPtr<ChannelNick>::operator->() (ksharedptr.h:164)
    ==13110==    by 0x8114ED3: Server::removeJoinedChannel(QString const&) (server.cpp:2624)
    ==13110==    by 0x8116EF2: Server::removeChannel(Channel*) (server.cpp:2151)
    ==13110==    by 0x80FD7AC: Channel::~Channel() (channel.cpp:323)
    ==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4E67395: QWidgetStack::~QWidgetStack() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4E51843: QTabWidget::~QTabWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x45FAC87: KTabWidget::~KTabWidget() (ktabwidget.cpp:75)
    ==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4E4AAF7: QSplitter::~QSplitter() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4E20D42: QMainWindow::~QMainWindow() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x465875D: KMainWindow::~KMainWindow() (kmainwindow.cpp:322)
    ==13110==    by 0x808D462: KonversationMainWindow::~KonversationMainWindow() (konversationmainwindow.cpp:325)
    ==13110==    by 0x4D2A1BA: QObject::event(QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4D635CB: QWidget::event(QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4E1C101: QMainWindow::event(QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x808CCEA: KonversationMainWindow::event(QEvent*) (konversationmainwindow.cpp:433)
    ==13110==    by 0x4CCC0AB: QApplication::internalNotify(QObject*, QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4CCCE62: QApplication::notify(QObject*, QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4918A61: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:552)
    ==13110==    by 0x4CCD970: QApplication::sendPostedEvents(QObject*, int) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4CE2CBE: QEventLoop::enterLoop() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4CE2AC5: QEventLoop::exec() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4CCBC1E: QApplication::exec() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x8126EEF: main (main.cpp:112)
    ==13110==  Address 0x6406458 is 16 bytes inside a block of size 24 free'd
    ==13110==    at 0x4022156: operator delete(void*) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
    ==13110==    by 0x8124812: QMapPrivate<QString, KSharedPtr<ChannelNick> >::remove(QMapIterator<QString, KSharedPtr<ChannelNick> >) (qmap.h:386)
    ==13110==    by 0x81248F4: QMap<QString, KSharedPtr<ChannelNick> >::remove(QMapIterator<QString, KSharedPtr<ChannelNick> >) (qmap.h:725)
    ==13110==    by 0x8114EC0: Server::removeJoinedChannel(QString const&) (server.cpp:2622)
    ==13110==    by 0x8116EF2: Server::removeChannel(Channel*) (server.cpp:2151)
    ==13110==    by 0x80FD7AC: Channel::~Channel() (channel.cpp:323)
    ==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4E67395: QWidgetStack::~QWidgetStack() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4E51843: QTabWidget::~QTabWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x45FAC87: KTabWidget::~KTabWidget() (ktabwidget.cpp:75)
    ==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4E4AAF7: QSplitter::~QSplitter() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4D62E6A: QWidget::~QWidget() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4E20D42: QMainWindow::~QMainWindow() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x465875D: KMainWindow::~KMainWindow() (kmainwindow.cpp:322)
    ==13110==    by 0x808D462: KonversationMainWindow::~KonversationMainWindow() (konversationmainwindow.cpp:325)
    ==13110==    by 0x4D2A1BA: QObject::event(QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4D635CB: QWidget::event(QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4E1C101: QMainWindow::event(QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x808CCEA: KonversationMainWindow::event(QEvent*) (konversationmainwindow.cpp:433)
    ==13110==    by 0x4CCC0AB: QApplication::internalNotify(QObject*, QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4CCCE62: QApplication::notify(QObject*, QEvent*) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4918A61: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:552)
    ==13110==    by 0x4CCD970: QApplication::sendPostedEvents(QObject*, int) (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4CE2CBE: QEventLoop::enterLoop() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4CE2AC5: QEventLoop::exec() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x4CCBC1E: QApplication::exec() (in /usr/lib/qt3/lib/libqt-mt.so.3.3.8)
    ==13110==    by 0x8126EEF: main (main.cpp:112)
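The defect the report describes is an ordering bug: the map node the iterator points at is freed by remove(), and the nickname is read out of that freed node one line later. The following is an added example, not code from the bug report or from Konversation, that models the same structure with std::map and std::shared_ptr. The class names (Server, Channel, ChannelNick, NickInfo) follow the report, but their layout, the join() helper, and the return value of removeJoinedChannel() are assumptions made for the illustration. It shows the buggy ordering in a comment and the safe ordering in code: copy what you need out of the element, erase (taking the returned iterator), then use the copy.

```cpp
// Added example modelling the iterator-invalidation bug from the report.
// Not Konversation code; class shapes below are assumed for illustration.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <vector>

struct NickInfo {
    std::string nickname;                 // original case, e.g. "Alice"
};

struct ChannelNick {
    std::shared_ptr<NickInfo> info;
    std::shared_ptr<NickInfo> getNickInfo() const { return info; }
};

using MemberMap = std::map<std::string, std::shared_ptr<ChannelNick>>;

struct Channel {
    MemberMap members;                    // keyed by lower-cased nickname
};

class Server {
public:
    static std::string lower(std::string s) {
        std::transform(s.begin(), s.end(), s.begin(),
                       [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
        return s;
    }

    // Assumed helper: register the nick server-wide and list it in the channel.
    void join(const std::string& channel, const std::string& nick) {
        auto& info = allNicks_[lower(nick)];
        if (!info) info = std::make_shared<NickInfo>(NickInfo{nick});
        channels_[lower(channel)].members[lower(nick)] =
            std::make_shared<ChannelNick>(ChannelNick{info});
    }

    bool knowsNick(const std::string& nick) const {
        return allNicks_.count(lower(nick)) > 0;
    }

    // Tear down a channel. Returns the nicks that were no longer listed in
    // any channel and were therefore dropped from the server-wide table.
    std::vector<std::string> removeJoinedChannel(const std::string& channelName) {
        std::vector<std::string> purged;
        auto chIt = channels_.find(lower(channelName));
        if (chIt == channels_.end()) return purged;
        MemberMap& members = chIt->second.members;

        for (auto member = members.begin(); member != members.end();) {
            // Buggy ordering as in the report (do NOT do this):
            //   members.erase(member);
            //   deleteNickIfUnlisted(member->second->getNickInfo()->nickname);
            // erase() frees the node `member` points at; the read on the next
            // line is a use-after-free, the "Invalid read" valgrind shows.
            //
            // Safe ordering: copy the nickname out first, then erase (which
            // yields the next valid iterator), then work with the copy.
            const std::string nickname = member->second->getNickInfo()->nickname;
            member = members.erase(member);
            if (deleteNickIfUnlisted(nickname)) purged.push_back(nickname);
        }
        channels_.erase(chIt);
        return purged;
    }

private:
    // Lower-cases its argument itself, so callers need not pre-normalise.
    bool deleteNickIfUnlisted(const std::string& nickname) {
        const std::string key = lower(nickname);
        for (const auto& kv : channels_)
            if (kv.second.members.count(key)) return false;   // still listed elsewhere
        return allNicks_.erase(key) > 0;
    }

    std::map<std::string, Channel> channels_;
    std::map<std::string, std::shared_ptr<NickInfo>> allNicks_;
};

// Constructed scenario: Alice is only in #a, Bob is in #a and #b.
Server makeScenario() {
    Server s;
    s.join("#a", "Alice");
    s.join("#a", "Bob");
    s.join("#b", "Bob");
    return s;
}

int main() {
    Server s = makeScenario();
    for (const std::string& n : s.removeJoinedChannel("#a"))
        std::printf("dropped %s\n", n.c_str());      // Bob stays: still in #b
    return 0;
}
```

Running the safe version under valgrind produces no invalid reads; swapping in the commented-out ordering reproduces the report's pattern. The same rule applies to QMap in Qt 3: QMap::remove(iterator) invalidates that iterator, so anything derived from it has to be captured before the call.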
SVN commit 737988 by hein:

Revert the bogus r690919 - the method called lower-cases the nickname anyway, and it introduces a potential crash.

BUG:152251

 M  +1 -1      server.cpp

WebSVN link: http://websvn.kde.org/?view=rev&revision=737988