Bug 314985

Summary: konqueror crashes when calculating dimensions of a large canvas within the scale loop
Product: [Applications] konqueror
Component: khtml
Reporter: Than Ngo <than>
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED UNMAINTAINED
Severity: normal
Priority: NOR
Version: 4.10.0
Platform: Fedora RPMs
OS: Linux
Target Milestone: ---
CC: adaptee
Keywords: testcase
Attachments: loading this html causes crash in konqueror

Description Than Ngo 2013-02-12 09:54:34 UTC
When loading a web page that contains a large HTML5 canvas in an application linked against KDE libraries (such as konqueror), the library segfaults.

Reproducible: Always

Steps to Reproduce:
1. Download the crash.html attachment
2. In a terminal type: konqueror crash.html
Actual Results:  
segmentation fault

Expected Results:  
no crash
Comment 1 Than Ngo 2013-02-12 09:55:53 UTC
Created attachment 77191 [details]
loading this html causes crash in konqueror
Comment 2 Jekyll Wu 2013-02-12 11:28:46 UTC
I can reproduce it. 

#0  Tile (this=0xb0c2fff8) at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/imload/tile.h:55
#1  PixmapTile (this=0xb0c2fff8)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/imload/pixmaptile.h:47
#2  Array2D (this=0x85dca30, _rows=174, _cols=1736112)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/imload/array2d.h:43
#3  PixmapPlane (_parent=0x85dc9fc, _height=<optimized out>, _width=111111111, this=0x85dca18)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/imload/pixmapplane.h:49
#4  khtmlImLoad::CanvasImage::setupOriginalPlane (this=0x85dc720, width=111111111, height=11111)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/imload/canvasimage.cpp:59
#5  0xb2eca5a3 in khtmlImLoad::CanvasImage::CanvasImage (this=0x85dc720, width=111111111, height=11111)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/imload/canvasimage.cpp:65
#6  0xb2ccde38 in DOM::CanvasContext2DImpl::resetContext (this=0x85dc5d8, width=111111111, height=11111)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/html/html_canvasimpl.cpp:232
#7  0xb2ccdf63 in DOM::CanvasContext2DImpl::CanvasContext2DImpl (this=0x85dc5d8, element=0x85dc920, width=111111111, 
    height=11111) at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/html/html_canvasimpl.cpp:211
#8  0xb2cce018 in DOM::HTMLCanvasElementImpl::getContext2D (this=0x85dc920)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/html/html_canvasimpl.cpp:168
#9  0xb2cce34f in DOM::HTMLCanvasElementImpl::getCanvasImage (this=0x85dc920)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/html/html_canvasimpl.cpp:174
#10 0xb2d5742e in khtml::RenderCanvasImage::RenderCanvasImage (this=0x850a9e8, canvasEl=0x85dc920)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/rendering/render_canvasimage.cpp:54
#11 0xb2cc8d37 in DOM::HTMLCanvasElementImpl::attach (this=0x85dc920)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/html/html_canvasimpl.cpp:154
#12 0xb2c7a546 in khtml::KHTMLParser::insertNode (this=0x84c6ba8, n=0x85dc920, flat=<optimized out>)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/html/htmlparser.cpp:428
#13 0xb2c7cd74 in khtml::KHTMLParser::parseToken (this=0x84c6ba8, t=0x84f804c)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/html/htmlparser.cpp:301
#14 0xb2c7e30e in khtml::HTMLTokenizer::processToken (this=0x84f8038)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/html/htmltokenizer.cpp:2037
#15 0xb2c850c0 in khtml::HTMLTokenizer::parseTag (this=0x84f8038, src=...)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/html/htmltokenizer.cpp:1502
#16 0xb2c87a06 in khtml::HTMLTokenizer::write (this=0x84f8038, str=..., appendData=true)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/html/htmltokenizer.cpp:1795
#17 0xb2ba5532 in KHTMLPart::write (this=0x83e5a60, 
    data=0x84e1550 "<html>\n  <body>\n    <canvas id=\"myCanvas\" width=\"111111111\" height=\"11111\"></canvas>\n  </body>\n</html>\n", len=<optimized out>)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/khtml_part.cpp:2110
#18 0xb2ba130a in KHTMLPart::slotData (this=0x83e5a60, kio_job=0x849fea0, data=...)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/khtml/khtml_part.cpp:1758
#19 0xb2bcd74c in KHTMLPart::qt_static_metacall (_o=0x83e5a60, _c=QMetaObject::InvokeMetaMethod, _id=19, _a=0xbfffd164)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999_build/khtml/khtml_part.moc:253
#20 0xb63dc0c1 in QMetaObject::activate (sender=0x849fea0, m=0xb7a222cc <KIO::TransferJob::staticMetaObject>, 
    local_signal_index=0, argv=0xbfffd164) at kernel/qobject.cpp:3539
#21 0xb784243d in KIO::TransferJob::data (this=0x849fea0, _t1=0x849fea0, _t2=...)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999_build/kio/jobclasses.moc:447
#22 0xb78424a8 in KIO::TransferJob::slotData (this=0x849fea0, _data=...)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/kio/kio/job.cpp:981
#23 0xb7845167 in qt_static_metacall (_a=0xbfffd2d8, _id=8, _o=0x849fea0, _c=<optimized out>)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999_build/kio/jobclasses.moc:389
#24 KIO::TransferJob::qt_static_metacall (_o=0x849fea0, _c=QMetaObject::InvokeMetaMethod, _id=8, _a=0xbfffd2d8)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999_build/kio/jobclasses.moc:375
#25 0xb63dc0c1 in QMetaObject::activate (sender=0x84e09e0, m=0xb7a24480 <KIO::SlaveInterface::staticMetaObject>, 
    local_signal_index=0, argv=0xbfffd2d8) at kernel/qobject.cpp:3539
#26 0xb78fdf75 in KIO::SlaveInterface::data (this=0x84e09e0, _t1=...)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999_build/kio/slaveinterface.moc:160
#27 0xb7901a7f in KIO::SlaveInterface::dispatch (this=0x84e09e0, _cmd=100, rawdata=...)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/kio/kio/slaveinterface.cpp:160
#28 0xb78fd6aa in KIO::SlaveInterface::dispatch (this=0x84e09e0)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/kio/kio/slaveinterface.cpp:88
#29 0xb78eec78 in KIO::Slave::gotInput (this=0x84e09e0)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/kio/kio/slave.cpp:344
#30 0xb78ef2f8 in KIO::Slave::qt_static_metacall (_o=0x84e09e0, _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0xbfffd560)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999_build/kio/slave.moc:57
#31 0xb63dc0c1 in QMetaObject::activate (sender=0x8473978, m=0xb7a21110 <KIO::Connection::staticMetaObject>, 
    local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3539
#32 0xb7807d35 in KIO::Connection::readyRead (this=0x8473978)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999_build/kio/connection.moc:106
#33 0xb78085ba in dequeue (this=<optimized out>)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/kio/kio/connection.cpp:82
#34 KIO::ConnectionPrivate::dequeue (this=0x8299790)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/kio/kio/connection.cpp:71
#35 0xb63d7411 in QMetaCallEvent::placeMetaCall (this=0x84ef708, object=0x8473978) at kernel/qobject.cpp:524
#36 0xb63e076b in QObject::event (this=0x8473978, e=0x84ef708) at kernel/qobject.cpp:1194
#37 0xb695de24 in notify_helper (e=0x84ef708, receiver=0x8473978, this=0x806ca00) at kernel/qapplication.cpp:4562
#38 QApplicationPrivate::notify_helper (this=0x806ca00, receiver=0x8473978, e=0x84ef708) at kernel/qapplication.cpp:4534
#39 0xb6963c7a in QApplication::notify (this=0x84ef708, receiver=0x8473978, e=0x84ef708) at kernel/qapplication.cpp:4291
#40 0xb74ca6a1 in KApplication::notify (this=0xbfffde84, receiver=0x8473978, event=0x84ef708)
    at /mnt/personal/build/portage/kde-base/kdelibs-9999/work/kdelibs-9999/kdeui/kernel/kapplication.cpp:311
#41 0xb63c57fe in QCoreApplication::notifyInternal (this=0xbfffde84, receiver=0x8473978, event=0x84ef708)
    at kernel/qcoreapplication.cpp:946
#42 0xb63c93d0 in sendEvent (event=<optimized out>, receiver=<optimized out>) at kernel/qcoreapplication.h:231
#43 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x804b370) at kernel/qcoreapplication.cpp:1570
#44 0xb63c970c in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1463
#45 0xb63f7bc4 in sendPostedEvents () at kernel/qcoreapplication.h:236
#46 postEventSourceDispatch (s=0x806d848) at kernel/qeventdispatcher_glib.cpp:279
#47 0xb597b3a6 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#48 0xb597b748 in ?? () from /usr/lib/libglib-2.0.so.0
#49 0xb597b821 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#50 0xb63f7fb7 in QEventDispatcherGlib::processEvents (this=0x804bef0, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#51 0xb6a1081a in QGuiEventDispatcherGlib::processEvents (this=0x804bef0, flags=...)
    at kernel/qguieventdispatcher_glib.cpp:204
#52 0xb63c40ad in QEventLoop::processEvents (this=0xbfffdd44, flags=...) at kernel/qeventloop.cpp:149
#53 0xb63c4349 in QEventLoop::exec (this=0xbfffdd44, flags=...) at kernel/qeventloop.cpp:204
#54 0xb63c97ba in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1218
#55 0xb695b4e4 in QApplication::exec () at kernel/qapplication.cpp:3823
#56 0xb7f81f27 in kdemain () from /usr/lib/libkdeinit4_konqueror.so
#57 0x0804861b in ?? ()
#58 0xb7d38ba3 in __libc_start_main (main=0x8048600, argc=2, ubp_av=0xbfffe1b4, init=0x8048700 <__libc_csu_init>, 
    fini=0x8048770 <__libc_csu_fini>, rtld_fini=0xb7fed130 <_dl_fini>, stack_end=0xbfffe1ac) at libc-start.c:225
#59 0x08048641 in _start ()
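Frames #2 to #4 above show what the canvas backing store tries to allocate: a tile grid of 174 rows by 1736112 columns for the 111111111 x 11111 canvas in the test page. As an added illustration (not code from kdelibs or khtml), here is a dimension check of the kind that refuses such a request before any allocation happens; the 64 px tile edge (which reproduces the grid in the backtrace), 4 bytes per pixel and the 256 MiB budget are assumptions.

```cpp
#include <cstdint>

// Assumed constants, not taken from kdelibs: a 64 px tile edge (which matches
// the grid in the backtrace: ceil(111111111/64) = 1736112 cols,
// ceil(11111/64) = 174 rows), 4 bytes per ARGB pixel, and a 256 MiB budget.
constexpr uint64_t kTileSize = 64;
constexpr uint64_t kBytesPerPixel = 4;
constexpr uint64_t kMaxCanvasBytes = 256ULL * 1024 * 1024;

struct CanvasPlan {
    bool ok;        // false: refuse the request and allocate nothing
    uint64_t rows;  // tile rows the plane would need
    uint64_t cols;  // tile columns the plane would need
    uint64_t bytes; // pixel bytes the plane would need (0 when refused)
};

static uint64_t ceilDiv(uint64_t a, uint64_t b) { return a / b + (a % b != 0); }

// Decide, before any allocation, whether a canvas of the requested size may be
// backed. Zero or negative sizes are refused; the byte budget is checked with a
// division so that width * height * bpp is never computed where it could
// overflow uint64_t.
CanvasPlan planCanvas(int64_t width, int64_t height) {
    CanvasPlan p{false, 0, 0, 0};
    if (width <= 0 || height <= 0) return p;
    const uint64_t w = static_cast<uint64_t>(width);
    const uint64_t h = static_cast<uint64_t>(height);
    // Report the grid even when refusing, so a log line can say what was asked.
    p.rows = ceilDiv(h, kTileSize);
    p.cols = ceilDiv(w, kTileSize);
    // w * h * bpp <= budget  is equivalent to  w <= budget / bpp / h
    // (integer division), and the right-hand side cannot overflow.
    if (w > kMaxCanvasBytes / kBytesPerPixel / h) return p;
    p.bytes = w * h * kBytesPerPixel;
    p.ok = true;
    return p;
}
```

With this check in front of the plane constructor, the request from the test page is rejected with its 174 x 1736112 grid still available for a diagnostic message, while ordinary sizes pass through unchanged.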
Comment 3 Christoph Cullmann 2024-05-06 18:39:49 UTC
Dear user,

KHTML (and KJS) was more or less unmaintained for a long time and was removed in KF6.

Please migrate to a QWebEngine based HTML component.

We will do no further fixes or improvements to the KF5 branches of these components besides important security fixes.

For security issues, please see:

https://kde.org/info/security/

Sorry that we did not fix this issue during the lifetime of KHTML.

Greetings
Christoph Cullmann