Summary: | crash pasting text via Ctrl-V | ||
---|---|---|---|
Product: | [Applications] kate | Reporter: | Vadym Krevs <vkrevs> |
Component: | indentation | Assignee: | KWrite Developers <kwrite-bugs-null> |
Status: | RESOLVED FIXED | ||
Severity: | crash | CC: | esigra, stefan.nikolaus |
Priority: | NOR | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Platform: | unspecified | ||
OS: | Linux | ||
Latest Commit: | Version Fixed In: | ||
Sentry Crash Report: | |||
Attachments: | Potential fix |
Description
Vadym Krevs
2006-06-21 17:19:19 UTC
Trivial to reproduce. Save the following as a cpp file. Then start KDevelop, close any open projects, File->Open and open the created file. Select everything from line 16 ("if (!blah)") until the end ("break;"), hit Ctrl-C, then move the cursor to the first line after the comments and hit Ctrl-V.

```cpp
//
// C++ Implementation: eeee
//
// Description:
//
//
//
// Copyright: See COPYING file that comes with this distribution
//
//

if (foo)
else
  bar;

if (!blah)
  message(0, _TEXT("MESSAGE CODE 1"), _TEXT("Error: "), 0, host);
else
  message(0, _TEXT("MESSAGE CODE 2"), _TEXT("Error: "), 0, user, host);
break;
```

Another KATE bug

Hmm, Kate itself does not crash on the sample case. Moreover, KDevelop seems to crash far more frequently than Kate during basic editing operations.

Some output from valgrind - hope this helps.

```
==13389== Invalid read of size 2
==13389==    at 0x134DF333: KateTextLine::stringAtPos(unsigned, QString const&) const (katetextline.cpp:191)
==13389==    by 0x1355D136: KateCSmartIndent::calcContinue(KateDocCursor&, KateDocCursor&) (kateautoindent.cpp:894)
==13389==    by 0x1355E024: KateCSmartIndent::calcIndent(KateDocCursor&, bool) (kateautoindent.cpp:778)
==13389==    by 0x1355EB3B: KateCSmartIndent::processLine(KateDocCursor&) (kateautoindent.cpp:502)
==13389==    by 0x134F3C86: KateCSmartIndent::processSection(KateDocCursor const&, KateDocCursor const&) (kateautoindent.cpp:531)
==13389==    by 0x135812C9: KateDocument::paste(KateView*) (katedocument.cpp:3186)
==13389==    by 0x135A40F2: KateView::paste() (kateview.h:86)
==13389==    by 0x1358C076: KateView::qt_invoke(int, QUObject*) (kateview.moc:707)
==13389==    by 0x6002A8B: QObject::activate_signal(QConnectionList*, QUObject*) (qobject.cpp:2356)
==13389==    by 0x60037A2: QObject::activate_signal(int) (qobject.cpp:2325)
==13389==    by 0x551B7E7: KPasteTextAction::slotActivated() (kactionclasses.cpp:2371)
==13389==    by 0x55C030B: KPasteTextAction::qt_invoke(int, QUObject*) (kactionclasses.moc:1535)
==13389==  Address 0x2138D6D5E is not stack'd, malloc'd or (recently) free'd
```

KCrash: Application 'kdevelop' crashing...

The only part of the stack trace that references code inside KDevelop is frame #36 - the main() function(!). I guess it's possible that the different ways the Kate view is embedded can have something to do with the different results in KDevelop and Kate (or maybe something else entirely).

Created attachment 16742 [details]
Potential fix
This seems to be the proper fix, could someone verify?
*** Bug 129263 has been marked as a duplicate of this bug. *** Confirmed with Kate. The patch in #6 fixes this. Also a crash, which occurs when entering a doxygen comment: '/**' + <RETURN> But the 'duplicate' bug 129263 is NOT fixed with it alone. The attached patch in 129263 does. SVN commit 553693 by kling: Fixed a buffer overrun in stringAtPos() introduced in revision 549977. BUG: 129580 M +3 -2 katetextline.cpp --- branches/KDE/3.5/kdelibs/kate/part/katetextline.cpp #553692:553693 @@ -179,15 +179,16 @@ bool KateTextLine::stringAtPos(uint pos, const QString& match) const { + const uint len = m_text.length(); const uint matchlen = match.length(); - if ((pos+matchlen) > m_text.length()) + if ((pos+matchlen) > len) return false; const QChar *unicode = m_text.unicode(); const QChar *matchUnicode = match.unicode(); - for (uint i=0; i < matchlen; i++) + for (uint i=0; i < matchlen && i < len; i++) if (unicode[i+pos] != matchUnicode[i]) return false; SVN commit 554328 by dhaumann: * (pos > len) in case the uint pos was assigned a signed -1, pos+matchlen can overflow again which (pos+matchlen > len) does not catch; see bugs #129263 and #129580 The assert will probably catch when -1 was casted to uint (which should of course not happen anymore). CCBUG: 129580 M +5 -1 katetextline.cpp --- branches/KDE/3.5/kdelibs/kate/part/katetextline.cpp #554327:554328 @@ -185,10 +185,14 @@ if ((pos+matchlen) > len) return false; + // (pos > len) in case the uint pos was assigned a signed -1, pos+matchlen can + // overflow again which (pos+matchlen > len) does not catch; see bugs #129263 and #129580 + Q_ASSERT(pos < len); + const QChar *unicode = m_text.unicode(); const QChar *matchUnicode = match.unicode(); - for (uint i=0; i < matchlen && i < len; i++) + for (uint i=0; i < matchlen; i++) if (unicode[i+pos] != matchUnicode[i]) return false; Just for info, also fixed in trunk. |
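Review bot: in the SVN 553693 hunk the added `&& i < len` in the loop condition bounds the wrong quantity. The index actually dereferenced is `i+pos`, so when the `(pos+matchlen) > len` test is defeated by an unsigned wrap (pos holding a converted -1, the sum wrapping to a value below len) the read `unicode[i+pos]` is still out of bounds; and when the test is not defeated, `i < matchlen` already implies `i < len`, so the extra condition never fires. If it ever did stop the loop early the function would return true after comparing only part of `match`. Suggest leaving the loop alone and making the length test itself unable to wrap, for example `if (pos > len || matchlen > len - pos) return false;` in place of `if ((pos+matchlen) > len)`.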
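Review bot: in the SVN 554328 hunk `Q_ASSERT(pos < len)` is compiled out when QT_NO_DEBUG is defined, so a release build still has exactly the hole the new comment describes: with pos holding a converted -1, `pos+matchlen` wraps below len, the `>` test passes, and the restored loop reads `unicode[i+pos]` out of bounds. The comment also sits after the test it criticises instead of replacing it. Suggest an ordinary runtime check that cannot wrap, `if (pos > len || matchlen > len - pos) return false;`, with the assert kept as a debug aid if wanted. Separately, `pos < len` rejects pos == len with an empty `match`, a case the `(pos+matchlen) > len` test above it accepts; `pos <= len` is the boundary that agrees with that test.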
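The unsigned wrap that both commits above are chasing, as an added stand-alone example (this is not kdelibs or Kate code): a model of `stringAtPos()` over `std::string` that places the original `(pos+matchlen) > len` test next to a subtraction-based test that cannot wrap, and uses the safe test as a real runtime check rather than a `Q_ASSERT`. The helper names `naiveRangeCheckPasses` and `safeRangeCheckPasses`, the `std::string` signature and the sample line are assumptions of this example, not the project's API.

```cpp
#include <cassert>
#include <string>

typedef unsigned int uint;

// Added example, not kdelibs/Kate code: a stand-alone model of
// KateTextLine::stringAtPos() over std::string, showing why the test
// "(pos+matchlen) > len" stops being a bounds check once pos can hold a
// converted -1. The helper names below are this example's own.

// The length test as written in SVN 553693. Returns true when the test
// lets execution continue to the loop that indexes text[pos + i]. With
// pos == (uint)-1 the sum wraps to matchlen - 1, which is below len, so
// the test passes and the loop would read far outside the buffer.
bool naiveRangeCheckPasses(uint pos, uint matchlen, uint len) {
    return !((pos + matchlen) > len);
}

// Overflow-safe form: compare by subtraction, and check pos <= len first
// so that len - pos cannot underflow. No intermediate value can wrap.
bool safeRangeCheckPasses(uint pos, uint matchlen, uint len) {
    return pos <= len && matchlen <= len - pos;
}

// stringAtPos() with the safe test as a runtime check. A Q_ASSERT here
// would be compiled out of a release build and leave the wrap unguarded.
bool stringAtPos(const std::string &text, uint pos, const std::string &match) {
    const uint len = static_cast<uint>(text.size());
    const uint matchlen = static_cast<uint>(match.size());
    if (!safeRangeCheckPasses(pos, matchlen, len))
        return false;
    for (uint i = 0; i < matchlen; i++)
        if (text[pos + i] != match[i])
            return false;
    return true;
}

int main() {
    const uint minusOne = static_cast<uint>(-1); // what a signed -1 becomes in a uint parameter
    // Constructed input: the line the indenter inspects in the report above.
    const std::string line = "if (!blah)";
    const uint len = static_cast<uint>(line.size());

    // The naive test is fooled by the wrap; the safe one is not.
    assert(naiveRangeCheckPasses(minusOne, 2, len));
    assert(!safeRangeCheckPasses(minusOne, 2, len));

    // Normal matching still works, including the pos == len empty-match edge.
    assert(stringAtPos(line, 0, "if"));
    assert(stringAtPos(line, 4, "!blah"));
    assert(!stringAtPos(line, 4, "!blah)x"));
    assert(stringAtPos(line, len, ""));
    assert(!stringAtPos(line, minusOne, "i"));
    return 0;
}
```

The subtraction form works because `pos <= len` is checked first, so `len - pos` is always a valid unsigned value; the addition form has no such ordering and silently wraps for any `pos` close to the top of the unsigned range.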