Bug 266765

Summary: SIGSEV loading http://voxel.onaluf.org/
Product: [Applications] konqueror Reporter: Clemens Eisserer <linuxhippy>
Component: generalAssignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED    
Severity: crash CC: maksim
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Fedora RPMs   
OS: Linux   
Latest Commit: Version Fixed In:

Description Clemens Eisserer 2011-02-20 22:45:12 UTC 
Version:           unspecified (using KDE 4.5.5) 
OS:                Linux

When loading a javascript voxel rendering engine, konqueror crashes with SIGSEV:

(gdb) bt
#0  0x0064c5e9 in _int_malloc (av=0x7633a0, bytes=48) at malloc.c:4249
#1  0x0064d9de in __libc_malloc (bytes=48) at malloc.c:3660
#2  0x00ccc7da in operator new (sz=48) at ../../../../libstdc++-v3/libsupc++/new_op.cc:52
#3  0x026def5d in KJS::UString::Rep::create (d=0x9213d78, l=5)
    at /usr/src/debug/kdelibs-4.5.5/kjs/ustring.cpp:169
#4  0x026df271 in KJS::UString::Rep::createCopying (d=0xbdcfe156, length=5)
    at /usr/src/debug/kdelibs-4.5.5/kjs/ustring.cpp:164
#5  0x026dfd9e in KJS::UString::UString (this=0xbdcfe1a4, c=0xbdcfe156, length=5)
    at /usr/src/debug/kdelibs-4.5.5/kjs/ustring.cpp:459
#6  0x026dfe5f in KJS::UString::from (u=<value optimized out>)
    at /usr/src/debug/kdelibs-4.5.5/kjs/ustring.cpp:587
#7  0x02716acf in from (this=0xb1a544c0, exec=0xbfefb0bc, propertyName=64000, value=0xe9, attr=0)
    at /usr/src/debug/kdelibs-4.5.5/kjs/identifier.h:78
#8  KJS::JSObject::put (this=0xb1a544c0, exec=0xbfefb0bc, propertyName=64000, value=0xe9, attr=0)
    at /usr/src/debug/kdelibs-4.5.5/kjs/object.cpp:251
#9  0x0145b097 in KJS::CanvasImageDataArray::put (this=0xb1a544c0, exec=0xbfefb0bc, index=64000, value=
    0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/khtml/ecma/kjs_context2d.cpp:835
#10 0x0145b14c in KJS::CanvasImageDataArray::put (this=0xb1a544c0, exec=0xbfefb0bc, propertyName=..., 
    value=0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/khtml/ecma/kjs_context2d.cpp:803
#11 0x02716b28 in KJS::JSObject::put (this=0xb1a544c0, exec=0xbfefb0bc, propertyName=64000, value=
    0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/kjs/object.cpp:251
#12 0x0145b097 in KJS::CanvasImageDataArray::put (this=0xb1a544c0, exec=0xbfefb0bc, index=64000, value=
    0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/khtml/ecma/kjs_context2d.cpp:835
#13 0x0145b14c in KJS::CanvasImageDataArray::put (this=0xb1a544c0, exec=0xbfefb0bc, propertyName=..., 
    value=0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/khtml/ecma/kjs_context2d.cpp:803
#14 0x02716b28 in KJS::JSObject::put (this=0xb1a544c0, exec=0xbfefb0bc, propertyName=64000, value=
    0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/kjs/object.cpp:251
#15 0x0145b097 in KJS::CanvasImageDataArray::put (this=0xb1a544c0, exec=0xbfefb0bc, index=64000, value=
---Type <return> to continue, or q <return> to quit---
    0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/khtml/ecma/kjs_context2d.cpp:835
#16 0x0145b14c in KJS::CanvasImageDataArray::put (this=0xb1a544c0, exec=0xbfefb0bc, propertyName=..., 
    value=0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/khtml/ecma/kjs_context2d.cpp:803
#17 0x02716b28 in KJS::JSObject::put (this=0xb1a544c0, exec=0xbfefb0bc, propertyName=64000, value=
    0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/kjs/object.cpp:251
#18 0x0145b097 in KJS::CanvasImageDataArray::put (this=0xb1a544c0, exec=0xbfefb0bc, index=64000, value=
    0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/khtml/ecma/kjs_context2d.cpp:835
#19 0x0145b14c in KJS::CanvasImageDataArray::put (this=0xb1a544c0, exec=0xbfefb0bc, propertyName=..., 
    value=0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/khtml/ecma/kjs_context2d.cpp:803
#20 0x02716b28 in KJS::JSObject::put (this=0xb1a544c0, exec=0xbfefb0bc, propertyName=64000, value=
    0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/kjs/object.cpp:251
#21 0x0145b097 in KJS::CanvasImageDataArray::put (this=0xb1a544c0, exec=0xbfefb0bc, index=64000, value=
    0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/khtml/ecma/kjs_context2d.cpp:835
#22 0x0145b14c in KJS::CanvasImageDataArray::put (this=0xb1a544c0, exec=0xbfefb0bc, propertyName=..., 
    value=0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/khtml/ecma/kjs_context2d.cpp:803
#23 0x02716b28 in KJS::JSObject::put (this=0xb1a544c0, exec=0xbfefb0bc, propertyName=64000, value=
    0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/kjs/object.cpp:251
#24 0x0145b097 in KJS::CanvasImageDataArray::put (this=0xb1a544c0, exec=0xbfefb0bc, index=64000, value=
    0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/khtml/ecma/kjs_context2d.cpp:835
#25 0x0145b14c in KJS::CanvasImageDataArray::put (this=0xb1a544c0, exec=0xbfefb0bc, propertyName=..., 
    value=0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/khtml/ecma/kjs_context2d.cpp:803
#26 0x02716b28 in KJS::JSObject::put (this=0xb1a544c0, exec=0xbfefb0bc, propertyName=64000, value=
    0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/kjs/object.cpp:251
#27 0x0145b097 in KJS::CanvasImageDataArray::put (this=0xb1a544c0, exec=0xbfefb0bc, index=64000, value=
    0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/khtml/ecma/kjs_context2d.cpp:835
#28 0x0145b14c in KJS::CanvasImageDataArray::put (this=0xb1a544c0, exec=0xbfefb0bc, propertyName=..., 
    value=0xe9, attr=0) at /usr/src/debug/kdelibs-4.5.5/khtml/ecma/kjs_context2d.cpp:803


Reproducible: Always

Steps to Reproduce:
load http://voxel.onaluf.org/

Actual Results:  
crash

Expected Results:  
no crash
Comment 1 Maksim Orlovich 2011-02-21 15:50:35 UTC 
Working on it. Thanks for the report.
Comment 2 Maksim Orlovich 2011-03-18 02:33:08 UTC 
Git commit 6e6af077c95cc1006ff799b94cb819f7d894c6db by Maks Orlovich.
Committed on 21/02/2011 at 18:43.
Pushed by orlovich into branch 'master'.

Don't stackoverflow on put of out-of-bounds indexes in canvas pixel arrays

Really, the public index put and the virtual one ought to be the different
methods, with the virtual one private...

BUG: 266765

M  +3    -1    khtml/ecma/kjs_context2d.cpp     

http://commits.kde.org/kdelibs/6e6af077c95cc1006ff799b94cb819f7d894c6db