| Summary: | konqueror crashes in ~PNGLoader when visiting tapioca.sf.net | | |
|---|---|---|---|
| Product: | [Applications] konqueror | Reporter: | Matt Rogers <mattr> |
| Component: | khtml | Assignee: | Konqueror Developers <konq-bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | crash | CC: | dc, diego.ercolani, marcus, mueller, Regnaron, sniffy, twhitehead |
| Priority: | NOR | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Platform: | Compiled Sources | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed In: | |
| Sentry Crash Report: | | | |
| Attachments: | Fix | | |
Description
Matt Rogers
2008-01-25 05:30:09 UTC
I can reproduce this bug (kdebase rev765071). My normal backtraces look like the one already posted, so I'll only attach a Valgrind output for this crash. (I hope it contains some useful information, as valgrind itself seems to have run into some troubles at the end...)

Ugh. Somehow libPNG tells us that an image is 8-bit per channel, while it is 16-bits per channel !?

Created attachment 23278 [details]
Fix

Ugh. My mess up. The code was losing track of itself adding an alpha channel to grayscale PNG with tRNS chunk.
Thanks. Will test over the weekend and report back.

*** Bug 157115 has been marked as a duplicate of this bug. ***

*** Bug 157957 has been marked as a duplicate of this bug. ***

Here's another page that crashes with a similar stack trace: http://www.openimscore.org/docs/ser_ims/index.html

This is with Debian, konqueror 4:4.0.1-1.

*** Bug 159486 has been marked as a duplicate of this bug. ***

Patch fixes pngloader related crashes for me. Tested sites under VG: http://www.openimscore.org/docs/ser_ims/index.html http://tapioca.sf.net and http://www.cybertiggyr.com/gene/dfx

*** Bug 159792 has been marked as a duplicate of this bug. ***

*** Bug 160609 has been marked as a duplicate of this bug. ***

*** Bug 160967 has been marked as a duplicate of this bug. ***

SVN commit 801224 by mueller:
fix buffer overflow (CVE-2008-1670)
CCBUG: 156623
M +3 -0 pngloader.cpp
WebSVN link: http://websvn.kde.org/?view=rev&revision=801224

SVN commit 801225 by mueller:
fix CVE-2008-1670
BUG: 156623
M +3 -0 pngloader.cpp
WebSVN link: http://websvn.kde.org/?view=rev&revision=801225
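The sizing mistake described in the comments above (a tRNS chunk on a grayscale PNG becomes an extra alpha channel, so libpng writes rows wider than the IHDR channel count suggests) modelled as an added C example; this is not KDE's pngloader.cpp or the committed fix. The colour-type constants, the constructed 64-pixel header and the strip-16 flag are assumptions; the libpng calls named in the comments are the real ones a progressive loader would use, and the stride to trust is png_get_rowbytes() after png_read_update_info().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IHDR colour type values as defined by the PNG specification (constructed
 * names; not libpng's PNG_COLOR_TYPE_* macros). */
enum { CT_GRAY = 0, CT_RGB = 2, CT_PALETTE = 3, CT_GRAY_ALPHA = 4, CT_RGBA = 6 };

/* Channel count implied by the raw IHDR colour type, before any libpng transform. */
int ihdr_channels(int color_type)
{
    switch (color_type) {
    case CT_GRAY:       return 1;
    case CT_PALETTE:    return 1;   /* one palette index per pixel in the file */
    case CT_GRAY_ALPHA: return 2;
    case CT_RGB:        return 3;
    case CT_RGBA:       return 4;
    default:            return -1;  /* invalid colour type */
    }
}

/* Channel count of the rows libpng hands back once the loader has asked for
 * png_set_palette_to_rgb() and png_set_tRNS_to_alpha(): a tRNS chunk becomes a
 * real alpha channel, which is the gray + tRNS -> gray + alpha case of this bug. */
int output_channels(int color_type, bool has_trns)
{
    switch (color_type) {
    case CT_GRAY:       return has_trns ? 2 : 1;
    case CT_PALETTE:    return has_trns ? 4 : 3;
    case CT_RGB:        return has_trns ? 4 : 3;
    case CT_GRAY_ALPHA: return 2;   /* tRNS is not allowed with an alpha channel */
    case CT_RGBA:       return 4;
    default:            return -1;
    }
}

/* Bytes per sample after transforms: sub-byte depths are expanded to one byte,
 * 16-bit samples stay two bytes unless png_set_strip_16() was requested. */
size_t bytes_per_sample(int bit_depth, bool strip_16)
{
    return (bit_depth == 16 && !strip_16) ? 2 : 1;
}

/* Row stride libpng will actually write (png_get_rowbytes() after
 * png_read_update_info() in real code). 0 signals an invalid header. */
size_t required_row_bytes(uint32_t width, int color_type, int bit_depth,
                          bool has_trns, bool strip_16)
{
    int ch = output_channels(color_type, has_trns);
    if (ch < 0 || width == 0) return 0;
    return (size_t)width * (size_t)ch * bytes_per_sample(bit_depth, strip_16);
}

/* The flawed bookkeeping this bug describes: the row buffer sized from the IHDR
 * channel count, forgetting the alpha channel that tRNS expansion adds. */
size_t buggy_row_bytes(uint32_t width, int color_type, int bit_depth, bool strip_16)
{
    int ch = ihdr_channels(color_type);
    if (ch < 0 || width == 0) return 0;
    return (size_t)width * (size_t)ch * bytes_per_sample(bit_depth, strip_16);
}

/* Check to run in the row callback before png_progressive_combine_row(): refuse
 * the row when libpng's stride exceeds the buffer, instead of letting memcpy run
 * past the heap block as the Valgrind report shows. */
bool row_fits(size_t allocated_bytes, size_t libpng_row_bytes)
{
    return libpng_row_bytes != 0 && libpng_row_bytes <= allocated_bytes;
}

/* Bytes the buggy sizing falls short by for a given header; 0 when it is safe. */
size_t overflow_bytes(uint32_t width, int color_type, int bit_depth,
                      bool has_trns, bool strip_16)
{
    size_t need = required_row_bytes(width, color_type, bit_depth, has_trns, strip_16);
    size_t got  = buggy_row_bytes(width, color_type, bit_depth, strip_16);
    return need > got ? need - got : 0;
}

int main(void)
{
    /* Constructed header: 64-pixel-wide, 8-bit grayscale PNG carrying a tRNS chunk. */
    uint32_t w = 64;
    size_t need = required_row_bytes(w, CT_GRAY, 8, true, true);
    size_t got  = buggy_row_bytes(w, CT_GRAY, 8, true);
    printf("gray+tRNS, width %u: buffer %zu bytes, libpng row %zu bytes -> %s\n",
           (unsigned)w, got, need, row_fits(got, need) ? "ok" : "heap overflow");
    printf("shortfall per row: %zu bytes\n", overflow_bytes(w, CT_GRAY, 8, true, true));
    return 0;
}
```

The palette case is included as well: png_set_palette_to_rgb() widens rows in the same way, so any stride taken from the IHDR alone is unsafe once transforms are enabled.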