Bug 166404 - Kopete hangs when AIM plugin receives text "=P"
Summary: Kopete hangs when AIM plugin receives text "=P"
Status: RESOLVED FIXED
Alias: None
Product: kopete
Classification: Unmaintained
Component: general
Version: unspecified
Platform: Compiled Sources Linux
: NOR crash
Target Milestone: ---
Assignee: Kopete Developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-07-13 00:39 UTC by Drew Fisher
Modified: 2008-07-13 13:04 UTC

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments

Description Drew Fisher 2008-07-13 00:39:34 UTC
Version:           SVN r831419 (using Devel)
Installed from:    Compiled sources
Compiler:          g++ 4.2.3 (Ubuntu) 
OS:                Linux

When an AIM account is sent a message ending with (sans quotes) "=P" or =<any character>, kopete hangs and becomes unresponsive.  Try sending "Crash. =P" to reproduce.

This behavior only occurs when receiving such a message; sending similarly formatted messages works fine.

It looks like kopete is trying to interpret the text as part of an HTML attribute.

Attaching gdb to the hung kopete gives the following backtrace:

#0  0xb7da4c6c in findChar (str=0x97cefba, len=0x2a, ch={ucs = 0x3c}, from=0x29, cs=Qt::CaseSensitive) at tools/qstring.cpp:213                                                    
#1  0xb7da4e2c in qFindString (haystack0=0x97cefba, haystackLen=0x2a, from=0x29, needle0=0x8ef7552, needleLen=0x1, cs=Qt::CaseSensitive) at tools/qstring.cpp:2095                 
#2  0xb7da5130 in QString::indexOf (this=0xbfa629e4, str=@0xbfa628ac, from=0xffffffff, cs=Qt::CaseSensitive) at tools/qstring.cpp:2076                                             
#3  0xb35dabbd in AIMAccount::addQuotesAroundAttributes (this=0x8495070, message=@0xbfa629e4) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/protocols/oscar/aim/aimaccount.cpp:769 
#4  0xb35dc03a in AIMAccount::sanitizedMessage (this=0x8495070, message=@0xbfa62a7c) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/protocols/oscar/aim/aimaccount.cpp:282          
#5  0xb35884ec in OscarAccount::messageReceived (this=0x8495070, message=@0xbfa63148) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/protocols/oscar/oscaraccount.cpp:513           
#6  0xb35db35f in AIMAccount::messageReceived (this=0x8495070, message=@0xbfa63148) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/protocols/oscar/aim/aimaccount.cpp:517           
#7  0xb358acd9 in OscarAccount::qt_metacall (this=0x8495070, _c=QMetaObject::InvokeMetaMethod, _id=0x8, _a=0xbfa62d5c) at /home/kdedev/kde/build/KDE/kdenetwork/kopete/protocols/oscar/oscaraccount.moc:124                                                                                                                                                           
#8  0xb35de0e5 in AIMAccount::qt_metacall (this=0x8495070, _c=QMetaObject::InvokeMetaMethod, _id=0x22, _a=0xbfa62d5c) at /home/kdedev/kde/build/KDE/kdenetwork/kopete/protocols/oscar/aim/aimaccount.moc:140                                                                                                                                                          
#9  0xb7e7d051 in QMetaObject::activate (sender=0x858b6f0, from_signal_index=0xc, to_signal_index=0xc, argv=0xbfa62d5c) at kernel/qobject.cpp:3010                                 
#10 0xb7e7d5db in QMetaObject::activate (sender=0x858b6f0, m=0xb35644c0, local_signal_index=0x8, argv=0xbfa62d5c) at kernel/qobject.cpp:3080                                       
#11 0xb34476a4 in Client::messageReceived (this=0x858b6f0, _t1=@0xbfa63148) at /home/kdedev/kde/build/KDE/kdenetwork/kopete/protocols/oscar/liboscar/client.moc:293                
#12 0xb344c9e8 in Client::receivedMessage (this=0x858b6f0, msg=@0xbfa63148) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/protocols/oscar/liboscar/client.cpp:716                  
#13 0xb344f63b in Client::qt_metacall (this=0x858b6f0, _c=QMetaObject::InvokeMetaMethod, _id=0x2c, _a=0xbfa6303c) at /home/kdedev/kde/build/KDE/kdenetwork/kopete/protocols/oscar/liboscar/client.moc:220                                                                                                                                                             
#14 0xb7e7d051 in QMetaObject::activate (sender=0x832f860, from_signal_index=0x7, to_signal_index=0x7, argv=0xbfa6303c) at kernel/qobject.cpp:3010                                 
#15 0xb7e7d5db in QMetaObject::activate (sender=0x832f860, m=0xb35656f4, local_signal_index=0x0, argv=0xbfa6303c) at kernel/qobject.cpp:3080                                       
#16 0xb34dabd0 in MessageReceiverTask::receivedMessage (this=0x832f860, _t1=@0xbfa63148) at /home/kdedev/kde/build/KDE/kdenetwork/kopete/protocols/oscar/liboscar/messagereceivertask.moc:80                                                                                                                                                                          
#17 0xb34dcf10 in MessageReceiverTask::handleType1Message (this=0x832f860) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/protocols/oscar/liboscar/tasks/messagereceivertask.cpp:208
#18 0xb34dd289 in MessageReceiverTask::take (this=0x832f860, transfer=0x97e0218) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/protocols/oscar/liboscar/tasks/messagereceivertask.cpp:91                                                                                                                                                                              
#19 0xb34a5764 in Task::take (this=0x849e7f0, transfer=0x97e0218) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/protocols/oscar/liboscar/tasks/task.cpp:134                        
#20 0xb347c8a4 in Connection::distribute (this=0x84f8bd8, transfer=0x97e0218) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/protocols/oscar/liboscar/connection.cpp:223            
#21 0xb347c979 in Connection::streamReadyRead (this=0x84f8bd8) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/protocols/oscar/liboscar/connection.cpp:240                           
#22 0xb347ca56 in Connection::qt_metacall (this=0x84f8bd8, _c=QMetaObject::InvokeMetaMethod, _id=0x5, _a=0xbfa633cc) at /home/kdedev/kde/build/KDE/kdenetwork/kopete/protocols/oscar/liboscar/connection.moc:83                                                                                                                                                       
#23 0xb7e7d051 in QMetaObject::activate (sender=0x8367060, from_signal_index=0x5, to_signal_index=0x5, argv=0x0) at kernel/qobject.cpp:3010                                        
#24 0xb7e7d5db in QMetaObject::activate (sender=0x8367060, m=0xb35648e4, local_signal_index=0x1, argv=0x0) at kernel/qobject.cpp:3080                                              
#25 0xb3466cc1 in Stream::readyRead (this=0x8367060) at /home/kdedev/kde/build/KDE/kdenetwork/kopete/protocols/oscar/liboscar/stream.moc:86                                        
#26 0xb34647b9 in ClientStream::doReadyRead (this=0x8367060) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/protocols/oscar/liboscar/oscarclientstream.cpp:327
#27 0xb3464b2d in ClientStream::cp_incomingData (this=0x8367060) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/protocols/oscar/liboscar/oscarclientstream.cpp:258
#28 0xb3464c9c in ClientStream::qt_metacall (this=0x8367060, _c=QMetaObject::InvokeMetaMethod, _id=0x2, _a=0xbfa6352c) at /home/kdedev/kde/build/KDE/kdenetwork/kopete/protocols/oscar/liboscar/oscarclientstream.moc:84
#29 0xb7e7d051 in QMetaObject::activate (sender=0x84adddc, from_signal_index=0x5, to_signal_index=0x5, argv=0x0) at kernel/qobject.cpp:3010
#30 0xb7e7d5db in QMetaObject::activate (sender=0x84adddc, m=0xb35645e8, local_signal_index=0x1, argv=0x0) at kernel/qobject.cpp:3080
#31 0xb3454e15 in CoreProtocol::incomingData (this=0x84adddc) at /home/kdedev/kde/build/KDE/kdenetwork/kopete/protocols/oscar/liboscar/coreprotocol.moc:89
#32 0xb3455bd0 in CoreProtocol::wireToTransfer (this=0x84adddc, wire=@0x84adde4) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/protocols/oscar/liboscar/coreprotocol.cpp:221
#33 0xb3455f0d in CoreProtocol::addIncomingData (this=0x84adddc, incomingBytes=@0xbfa63720) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/protocols/oscar/liboscar/coreprotocol.cpp:108
#34 0xb3464805 in ClientStream::socketReadyRead (this=0x8367060) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/protocols/oscar/liboscar/oscarclientstream.cpp:312
#35 0xb3464cde in ClientStream::qt_metacall (this=0x8367060, _c=QMetaObject::InvokeMetaMethod, _id=0x6, _a=0xbfa637cc) at /home/kdedev/kde/build/KDE/kdenetwork/kopete/protocols/oscar/liboscar/oscarclientstream.moc:88
#36 0xb7e7d051 in QMetaObject::activate (sender=0x8510780, from_signal_index=0x4, to_signal_index=0x4, argv=0x0) at kernel/qobject.cpp:3010
#37 0xb7e7d5db in QMetaObject::activate (sender=0x8510780, m=0xb7f7f1e8, local_signal_index=0x0, argv=0x0) at kernel/qobject.cpp:3080
#38 0xb7ec47d9 in QIODevice::readyRead (this=0x8510780) at .moc/debug-shared/moc_qiodevice.cpp:83
#39 0xb69c865c in QAbstractSocketPrivate::canReadNotification (this=0x8357f28) at socket/qabstractsocket.cpp:576
#40 0xb69cb705 in QAbstractSocketPrivate::readNotification (this=0x8357f28) at socket/qabstractsocket_p.h:79
#41 0xb69b5519 in QAbstractSocketEngine::readNotification (this=0x84f5c88) at socket/qabstractsocketengine.cpp:142
#42 0xb69b7025 in QReadNotifier::event (this=0x858d560, e=0xbfa63c88) at socket/qnativesocketengine.cpp:974
#43 0xb5e90f55 in QApplicationPrivate::notify_helper (this=0x80cb890, receiver=0x858d560, e=0xbfa63c88) at kernel/qapplication.cpp:3772
#44 0xb5e9123b in QApplication::notify (this=0xbfa63ef0, receiver=0x858d560, e=0xbfa63c88) at kernel/qapplication.cpp:3366
#45 0xb786c663 in KApplication::notify (this=0xbfa63ef0, receiver=0x858d560, event=0xbfa63c88) at /home/kdedev/kde/src/KDE/kdelibs/kdeui/kernel/kapplication.cpp:311
#46 0xb7e6524d in QCoreApplication::notifyInternal (this=0xbfa63ef0, receiver=0x858d560, event=0xbfa63c88) at kernel/qcoreapplication.cpp:587
#47 0xb7e697dd in QCoreApplication::sendEvent (receiver=0x858d560, event=0xbfa63c88) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:215
#48 0xb7e9b84e in socketNotifierSourceDispatch (source=0x80cee58) at kernel/qeventdispatcher_glib.cpp:111
#49 0xb59d9bf8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#50 0xb59dce5e in ?? () from /usr/lib/libglib-2.0.so.0
#51 0xb59dd3ac in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#52 0xb7e9a78c in QEventDispatcherGlib::processEvents (this=0x80c5258, flags=@0xbfa63dd4) at kernel/qeventdispatcher_glib.cpp:325
#53 0xb5f4cdb0 in QGuiEventDispatcherGlib::processEvents (this=0x80c5258, flags=@0xbfa63e04) at kernel/qguieventdispatcher_glib.cpp:204
#54 0xb7e61aca in QEventLoop::processEvents (this=0xbfa63e8c, flags=@0xbfa63e44) at kernel/qeventloop.cpp:149
#55 0xb7e61d09 in QEventLoop::exec (this=0xbfa63e8c, flags=@0xbfa63e94) at kernel/qeventloop.cpp:200
#56 0xb7e65b84 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:845
#57 0xb5e90c6e in QApplication::exec () at kernel/qapplication.cpp:3304
#58 0x0808cbb1 in main (argc=0x5, argv=0xbfa642d4) at /home/kdedev/kde/src/KDE/kdenetwork/kopete/kopete/main.cpp:102
Comment 1 Josh Berry 2008-07-13 01:56:17 UTC
I can confirm this on recent SVN (<24hrs).  My backtrace looks almost identical.  I suspect addQuotesAroundAttributes() is at fault here.

#0  0x00007ffe0d350b88 in QString::fromAscii_helper ()
  from /srv/kde4/lib/kde4/kopete_aim.so
#1  0x00007ffe0d354446 in QString (this=0x7fff28465bb0, ch=0x7ffe0d3817a7 "<")
    at /media/Library/KDE4/qt-copy/src/corelib/tools/qstring.h:391
#2  0x00007ffe0d363d8e in AIMAccount::addQuotesAroundAttributes (this=0x287fe80,
    message=
      {static null = {<No data fields>}, static shared_null = {ref = {_q_value = 14966}, alloc = 0, size = 0, data = 0x682b1a, clean = 0, simpletext = 0, righttoleft = 0, asciiCache = 0, capacity = 0, reserved = 0, array = {0}}, static shared_empty = {ref = {_q_value = 375}, alloc = 0, size = 0, data = 0x7ffe2024b63a, clean = 0, simpletext = 0, righttoleft = 0, asciiCache = 0, capacity = 0, reserved = 0, array = {0}}, d = 0x7fff28465cc0, static codecForCStrings = 0x0})
    at /home/des/Code/kde/kdenetwork/kopete/protocols/oscar/aim/aimaccount.cpp:769
#3  0x00007ffe0d365046 in AIMAccount::sanitizedMessage (this=0x287fe80,
    message=@0x7fff28465f10)
    at /home/des/Code/kde/kdenetwork/kopete/protocols/oscar/aim/aimaccount.cpp:282
#4  0x00007ffe0d1044b6 in OscarAccount::messageReceived (this=0x287fe80,
    message=@0x7fff28466c60)
    at /home/des/Code/kde/kdenetwork/kopete/protocols/oscar/oscaraccount.cpp:513
#5  0x00007ffe0d3644d6 in AIMAccount::messageReceived (this=0x287fe80,
    message=@0x7fff28466c60)
    at /home/des/Code/kde/kdenetwork/kopete/protocols/oscar/aim/aimaccount.cpp:517
#6  0x00007ffe0d1067f7 in OscarAccount::qt_metacall (this=0x287fe80,
    _c=QMetaObject::InvokeMetaMethod, _id=8, _a=0x7fff28466550)
    at /media/Library/KDE4/build/kdenetwork/kopete/protocols/oscar/oscaraccount.moc:124
...

The message that was passed into addQuotesAroundAttributes() was: "<BR>does it work? =P"

startReplace is 19 (the 'P') going into the loop, and replaceLength is 1.  sIndex and eIndex will be 0 and 3, respectively (start and end of the <BR> tag).

The inner loop appears to be searching until it finds a tag that ends past the end of the =.  But there is no such tag, so sIndex and eIndex both become -1 (indicating no match found), and thus eIndex never grows to be >= startReplace + replaceLength, causing the infinite loop.

This function seems rather broken, as it assumes that '='s only occur in tags (look at attrRegExp).

A better solution would be to do something like the following (this is pseudo-Perl syntax, as I'm not sure how Qt might do it):

s/(\<[^>]*\s+)([\d\w]+)=([^"/>\s]+)([^<]*\>)/$1$2="$3"$4/

And then repeatedly apply the above to the whole message until it doesn't match anymore.
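A runnable transcription of the quoting approach proposed in comment 1, added here as an example; it is not Kopete's code and not the fix committed in r831757 (whose diff is not shown on this page). The regex is the pseudo-Perl pattern above rendered in Python `re` syntax and applied repeatedly until a pass makes no substitution, with an iteration cap (`max_passes`, an assumption of this example) as an extra guard. The sample messages, including the reproducer "<BR>does it work? =P", are constructed.

```python
import re

# Pattern from comment 1, transcribed from the pseudo-Perl into Python re syntax.
# Group 1: the tag opening up to the whitespace before the attribute name,
# group 2: the attribute name, group 3: an unquoted value (no quote, '/', '>'
# or whitespace), group 4: the rest of the tag up to its closing '>'.
UNQUOTED_ATTR = re.compile(r'(<[^>]*\s+)([\d\w]+)=([^"/>\s]+)([^<]*>)')


def add_quotes_around_attributes(message, max_passes=100):
    """Quote unquoted attribute values inside tags; return (text, passes_made).

    Each pass rewrites every non-overlapping match.  One match consumes the
    whole tag, so a tag with several unquoted attributes needs one pass per
    attribute.  The loop stops at the first pass that substitutes nothing.
    An '=' outside a tag (the "=P" that hung Kopete) never matches, so such
    text passes through unchanged instead of spinning forever.

    Termination is inherent: every substitution inserts a pair of quotes and
    a quoted value can no longer match group 3, so the number of passes is
    bounded by the number of unquoted attributes.  max_passes is a
    belt-and-braces guard (constructed for this example, not from the bug
    report) so that a rewriting loop over network-supplied text cannot spin
    even if the pattern is later changed.
    """
    passes = 0
    while True:
        message, count = UNQUOTED_ATTR.subn(r'\1\2="\3"\4', message)
        if count == 0:
            return message, passes
        passes += 1
        if passes >= max_passes:
            raise RuntimeError("attribute quoting did not converge")


if __name__ == "__main__":
    # Constructed sample messages; the first is the reproducer from comment 1.
    for sample in ('<BR>does it work? =P',
                   '<FONT FACE=Arial SIZE=2>hi =P</FONT>',
                   '<A HREF=http://x.org/p>link</A>'):
        print(repr(sample), '->', add_quotes_around_attributes(sample))
```

On the reproducer the function returns after zero substitution passes, which is exactly the case the original loop could not exit. Note that the pattern as proposed stops a value at the first `/`: that keeps it from swallowing a `/>` self-close, but it also cuts a URL-valued attribute after `http:` (third sample). That is a property of the pseudo-Perl pattern, reproduced here as written rather than altered.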
Comment 2 Roman Jarosz 2008-07-13 11:34:25 UTC
SVN commit 831757 by rjarosz:

Fix bug 166404: Kopete hangs when AIM plugin receives text "=P"

BUG: 166404

 M  +7 -1      aimaccount.cpp

WebSVN link: http://websvn.kde.org/?view=rev&revision=831757
Comment 3 Roman Jarosz 2008-07-13 11:35:37 UTC
SVN commit 831758 by rjarosz:

Backport fix for bug 166404: Kopete hangs when AIM plugin receives text "=P"

CCBUG: 166404

 M  +7 -1      aimaccount.cpp

WebSVN link: http://websvn.kde.org/?view=rev&revision=831758
Comment 4 Roman Jarosz 2008-07-13 13:04:23 UTC
SVN commit 831800 by rjarosz:

Backport fix for bug 166404: Kopete hangs when AIM plugin receives text "=P"

CCBUG: 166404

 M  +7 -1      aimaccount.cpp

WebSVN link: http://websvn.kde.org/?view=rev&revision=831800