Version: (using KDE Devel)
Installed from: Compiled sources
Compiler: gcc version 3.2.3 20030422 (Gentoo Linux 1.4 3.2.3-r1, propolice)
OS: Linux

- kuickshow crashes when trying to open a certain PNG (I'll attach it.)
- the thumbnail in konqi's file manager mode is created alright
- the meta data popup crashes though, as soon as the mouse touches the file, and takes konqi with it.
- kview works
- it happens in KDE 3.1.4 as well as in this week's CVS version

> file muehlgasse.png
muehlgasse.png: PNG image data, 400 x 300, 8-bit colormap, non-interlaced

------------------------------

Here's what I get as debug on the command line:

> kuickshow muehlgasse.png
kdecore (KIconLoader): WARNING: Icon directory /usr/local/kde/share/icons/crystalsvg/ group not valid.
kio (KSycoca): Trying to open ksycoca from /var/tmp/kdecache-kdedev/ksycoca
kio (KTrader): KServiceTypeProfile::offers( image/png,KFilePlugin )
kio (KTrader): Returning 1 offers
KFileMetainfo (plugins): png plugin
kio (KTrader): KServiceTypeProfile::offers( image/png,KFilePlugin )
kio (KTrader): Returning 1 offers
kio (KTrader): KServiceTypeProfile::offers( image/png,KFilePlugin )
kio (KTrader): Returning 1 offers
KFileMetainfo (plugins): dimensions 400*300
KFileMetaInfo: KFileMetaInfogroup inserting a Dimensions
KFileMetaInfo: KFileMetaInfogroup inserting a BitDepth
KFileMetaInfo: KFileMetaInfogroup inserting a ColorMode
KFileMetaInfo: KFileMetaInfogroup inserting a Compression
KFileMetaInfo: KFileMetaInfogroup inserting a InterlaceMode
KFileMetainfo (plugins): We found a tEXt field
QGArray: Cannot allocate array with negative length
QGArray: Cannot allocate array with negative length
In file tools/qgarray.cpp, line 457: Out of memory

------------------------------

Here's the stacktrace:

[New Thread 16384 (LWP 9693)]
0x41406137 in waitpid () from /lib/libpthread.so.0
#0  0x41406137 in waitpid () from /lib/libpthread.so.0
#1  0x408ed90e in KCrash::defaultCrashHandler(int) (sig=11) at kcrash.cpp:242
#2  0x41404fea in __pthread_sighandler () from /lib/libpthread.so.0
#3  <signal handler called>
#4  0x4179bb75 in memcpy () from /lib/libc.so.6
#5  0x410a402a in QGArray::duplicate(char const*, unsigned) (this=0xbfffe260, d=0x8246cfd "", len=4294967291) at tools/qgarray.cpp:458
#6  0x40124625 in QMemArray<char>::duplicate(char const*, unsigned) (this=0xbfffe260, a=0x8246cfd "", n=4294967291) at qmemarray.h:85
#7  0x4202f063 in KPngPlugin::readInfo(KFileMetaInfo&, unsigned) (this=0x823a5e8, info=@0xbfffe320, what=1) at kfile_png.cpp:229
#8  0x403b1408 in KFileMetaInfo::init(KURL const&, QString const&, unsigned) (this=0xbfffe3b0, url=@0x81fd2d0, mimeType=@0xbfffe3a0, what=1) at kfilemetainfo.cpp:328
#9  0x403b12b0 in KFileMetaInfo (this=0xbfffe3b0, url=@0x81fd2d0, mimeType=@0xbfffe3a0, what=1) at kfilemetainfo.cpp:306
#10 0x40380545 in KFileItem::metaInfo(bool, int) const (this=0x81fd2c8, autoget=true) at kfileitem.cpp:799
#11 0x4003b187 in KuickShow::slotHighlighted(KFileItem const*) (this=0x80fefe0, fi=0x81fd2c8) at kuickshow.cpp:432
#12 0x4003e749 in KuickShow::qt_invoke(int, QUObject*) (this=0x80fefe0, _id=81, _o=0xbfffe540) at kuickshow.moc:203
#13 0x40d5b293 in QObject::activate_signal(QConnectionList*, QUObject*) (this=0x8107298, clist=0x8159e98, o=0xbfffe540) at kernel/qobject.cpp:2357
#14 0x40401910 in KDirOperator::fileHighlighted(KFileItem const*) (this=0x8107298, t0=0x81fd2c8) at kdiroperator.moc:345
#15 0x4040359c in KDirOperator::highlightFile(KFileItem const*) (this=0x8107298, i=0x81fd2c8) at kdiroperator.h:731
#16 0x40401eec in KDirOperator::qt_invoke(int, QUObject*) (this=0x8107298, _id=62, _o=0xbfffe680) at kdiroperator.moc:409
#17 0x40052268 in FileWidget::qt_invoke(int, QUObject*) (this=0x8107298, _id=62, _o=0xbfffe680) at filewidget.moc:130
#18 0x40d5b159 in QObject::activate_signal(QConnectionList*, QUObject*) (this=0x813da98, clist=0x813c2d0, o=0xbfffe680) at kernel/qobject.cpp:2333
#19 0x403e6200 in KFileViewSignaler::fileHighlighted(KFileItem const*) (this=0x813da98, t0=0x81fd2c8) at kfileview.moc:149
#20 0x403eb60e in KFileViewSignaler::highlightFile(KFileItem const*) (this=0x813da98, i=0x81fd2c8) at kfileview.h:56
#21 0x403e86f8 in KFileIconView::highlighted(QIconViewItem*) (this=0x812d320, item=0x823a2e8) at kfileiconview.cpp:372
#22 0x403eab2f in KFileIconView::qt_invoke(int, QUObject*) (this=0x812d320, _id=85, _o=0xbfffe7b0) at kfileiconview.moc:201
#23 0x40d5b159 in QObject::activate_signal(QConnectionList*, QUObject*) (this=0x812d320, clist=0x811b218, o=0xbfffe7b0) at kernel/qobject.cpp:2333
#24 0x411612d4 in QIconView::selectionChanged(QIconViewItem*) (this=0x812d320, t0=0x823a2e8) at .moc/debug-shared-mt/moc_qiconview.cpp:359
#25 0x40f262e5 in QIconViewItem::setSelected(bool, bool) (this=0x823a2e8, s=true, cb=false) at iconview/qiconview.cpp:1483
#26 0x40f2f577 in QIconView::contentsMousePressEventEx(QMouseEvent*) (this=0x812d320, e=0xbfffea40) at iconview/qiconview.cpp:4425
#27 0x40f2f03c in QIconView::contentsMousePressEvent(QMouseEvent*) (this=0x812d320, e=0xbfffea40) at iconview/qiconview.cpp:4357
#28 0x406c48f1 in KIconView::contentsMousePressEvent(QMouseEvent*) (this=0x812d320, e=0xbfffea40) at kiconview.cpp:307
#29 0x40e7df6a in QScrollView::viewportMousePressEvent(QMouseEvent*) (this=0x812d320, e=0xbfffef10) at widgets/qscrollview.cpp:1729
#30 0x40e7d68c in QScrollView::eventFilter(QObject*, QEvent*) (this=0x812d320, obj=0x8143620, e=0xbfffef10) at widgets/qscrollview.cpp:1497
#31 0x40f35758 in QIconView::eventFilter(QObject*, QEvent*) (this=0x812d320, o=0x8143620, e=0xbfffef10) at iconview/qiconview.cpp:5646
#32 0x403e9954 in KFileIconView::eventFilter(QObject*, QEvent*) (this=0x812d320, o=0x8143620, e=0xbfffef10) at kfileiconview.cpp:713
#33 0x40d58bf7 in QObject::activate_filters(QEvent*) (this=0x8143620, e=0xbfffef10) at kernel/qobject.cpp:902
#34 0x40d58a75 in QObject::event(QEvent*) (this=0x8143620, e=0xbfffef10) at kernel/qobject.cpp:735
#35 0x40d92ac9 in QWidget::event(QEvent*) (this=0x8143620, e=0xbfffef10) at kernel/qwidget.cpp:4401
#36 0x40cf8593 in QApplication::internalNotify(QObject*, QEvent*) (this=0xbffff350, receiver=0x8143620, e=0xbfffef10) at kernel/qapplication.cpp:2582
#37 0x40cf7dbb in QApplication::notify(QObject*, QEvent*) (this=0xbffff350, receiver=0x8143620, e=0xbfffef10) at kernel/qapplication.cpp:2368
#38 0x4085e16f in KApplication::notify(QObject*, QEvent*) (this=0xbffff350, receiver=0x8143620, event=0xbfffef10) at kapplication.cpp:492
#39 0x40c8edfc in QApplication::sendSpontaneousEvent(QObject*, QEvent*) (receiver=0x8143620, event=0xbfffef10) at qapplication.h:493
#40 0x40c88553 in QETWidget::translateMouseEvent(_XEvent const*) (this=0x8143620, event=0xbffff250) at kernel/qapplication_x11.cpp:4347
#41 0x40c86234 in QApplication::x11ProcessEvent(_XEvent*) (this=0xbffff350, event=0xbffff250) at kernel/qapplication_x11.cpp:3525
#42 0x40c9ff15 in QEventLoop::processEvents(unsigned) (this=0x80c9490, flags=4) at kernel/qeventloop_x11.cpp:192
#43 0x40d0e221 in QEventLoop::enterLoop() (this=0x80c9490) at kernel/qeventloop.cpp:198
#44 0x40d0e13a in QEventLoop::exec() (this=0x80c9490) at kernel/qeventloop.cpp:145
#45 0x40cf8703 in QApplication::exec() (this=0xbffff350) at kernel/qapplication.cpp:2705
#46 0x40044f56 in kdemain (argc=1, argv=0xbffff4c4) at main.cpp:64
#47 0x080486da in main (argc=1, argv=0xbffff4c4) at kuickshow.la.cpp:2
#48 0x417377a7 in __libc_start_main () from /lib/libc.so.6
Created attachment 2644: The png that causes the crash
Confirm a bug in the PNG metainfo plugin. (Affects a lot more than Kuickshow -- konq too)
Subject: kdegraphics/kfile-plugins/png CVS commit by orlovich: Fix range check for some extremely bogus size values. CCMAIL: 65224-done@bugs.kde.org M +8 -5 kfile_png.cpp 1.21 --- kdegraphics/kfile-plugins/png/kfile_png.cpp #1.20:1.21 @@ -220,8 +220,12 @@ bool KPngPlugin::readInfo( KFileMetaInfo // the text comes after the key, but isn't null terminated uchar* text = &CHUNK_DATA(data,index, keysize+1); - int textsize = CHUNK_SIZE(data, index)-keysize-1; + uint textsize = CHUNK_SIZE(data, index)-keysize-1; - // security check - if ( (uint)(text - data) + textsize > f.size()) + // security check, also considering overflow wraparound from the addition -- + // we may endup with a /smaller/ index if we wrap all the way around + uint firstIndex = (uint)(text - data); + uint onePastLastIndex = firstIndex + textsize; + + if ( onePastLastIndex > f.size() || onePastLastIndex <= firstIndex) goto end;
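Review bot: the added `onePastLastIndex <= firstIndex` clause in the security check also rejects a tEXt chunk whose text value is empty (textsize == 0 makes onePastLastIndex equal to firstIndex), so a well-formed key with no text now jumps to `end` and stops metadata extraction for the file. If that is not intended, the wrap test should use `<`, or better, validate the input before doing the subtraction: check `keysize + 1 <= CHUNK_SIZE(data, index)` before computing `textsize`, which rules out the underflow that produced `len=4294967291` (that is, -5 as an unsigned value) in the backtrace and makes the intent explicit rather than relying on detecting the wraparound afterwards. Changing `textsize` from `int` to `uint` is the right call either way, since the old `int` value was silently converted to a huge unsigned length when passed to `QMemArray::duplicate`. A comment noting that `CHUNK_SIZE` comes straight from the file and is untrusted would help the next reader understand why both checks are needed.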