Bug 356053

Summary: Crash if I close the korganizer window while adding a new attachment
Product: [Applications] korganizer Reporter: Santhiar <santhiar.anirudh>
Component: incidence editorsAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED FIXED    
Severity: crash CC: kdenis
Priority: NOR    
Version: 5.6.0   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
Latest Commit: https://commits.kde.org/incidenceeditor/c1f5f69291226fb08d1d744059243f71b91fbacb Version Fixed In: 5.7.2
Sentry Crash Report:

Description Santhiar 2015-11-29 05:45:09 UTC 
Closing korganizer when a new attachment window (opened via Actions->New event->Attachments->Add) is open crashes korganizer.

Reproducible: Always

Steps to Reproduce:
1. Run korganizer
2. Open the add attachments dialog via Actions->New event->Attachments->Add
3. Say file->quit

Actual Results:  
DrKonqui reports a crash trace

Expected Results:  
Application closes smoothly

1. To repro in a later version of kontact (4.14.10), quit the application via qdbus as qdbus org.kde.kontact /kontact/MainWindow_1/actions/file_quit trigger

Here is a crash trace from 4.13.3
Application: KOrganizer (korganizer), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Current thread is 1 (Thread 0x7f723bc10800 (LWP 11024))]

Thread 3 (Thread 0x7f721681e700 (LWP 11026)):
#0  0x00007f72382a612d in poll () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007f72311cefe4 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007f72311cf30a in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007f721d408336 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#4  0x00007f72311f3f05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007f723189f182 in start_thread (arg=0x7f721681e700) at pthread_create.c:312
#6  0x00007f72382b347d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 2 (Thread 0x7f721601d700 (LWP 11028)):
#0  0x00007f72382a612d in poll () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007f72311cefe4 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007f72311cf0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007f72311cf129 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4  0x00007f72311f3f05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007f723189f182 in start_thread (arg=0x7f721601d700) at pthread_create.c:312
#6  0x00007f72382b347d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 1 (Thread 0x7f723bc10800 (LWP 11024)):
[KCrash Handler]
#5  0x0000000000000051 in ?? ()
#6  0x00007f7232a874e8 in IncidenceEditorNG::IncidenceAttachment::addAttachment() () from /usr/lib/libincidenceeditorsng.so.4
#7  0x00007f72398e587a in QMetaObject::activate (sender=sender@entry=0x2719680, m=m@entry=0x7f723973e2a0 <QAbstractButton::staticMetaObject>, local_signal_index=local_signal_index@entry=2, argv=argv@entry=0x7fffcf5e1690) at kernel/qobject.cpp:3539
#8  0x00007f72392b9172 in QAbstractButton::clicked (this=this@entry=0x2719680, _t1=false) at .moc/release-shared/moc_qabstractbutton.cpp:219
#9  0x00007f723901ca63 in QAbstractButtonPrivate::emitClicked (this=this@entry=0x27196b0) at widgets/qabstractbutton.cpp:548
#10 0x00007f723901dbd3 in QAbstractButtonPrivate::click (this=this@entry=0x27196b0) at widgets/qabstractbutton.cpp:541
#11 0x00007f723901dcbc in QAbstractButton::mouseReleaseEvent (this=0x2719680, e=0x7fffcf5e1b80) at widgets/qabstractbutton.cpp:1123
#12 0x00007f7238cba51a in QWidget::event (this=0x2719680, event=0x7fffcf5e1b80) at kernel/qwidget.cpp:8376
#13 0x00007f7238c6ae2c in QApplicationPrivate::notify_helper (this=this@entry=0x1ba3dc0, receiver=receiver@entry=0x2719680, e=e@entry=0x7fffcf5e1b80) at kernel/qapplication.cpp:4567
#14 0x00007f7238c715dd in QApplication::notify (this=<optimized out>, receiver=0x2719680, e=0x7fffcf5e1b80) at kernel/qapplication.cpp:4110
#15 0x00007f723b647d1a in KApplication::notify(QObject*, QEvent*) () from /usr/lib/libkdeui.so.5
#16 0x00007f72398d14dd in QCoreApplication::notifyInternal (this=0x7fffcf5e24d0, receiver=receiver@entry=0x2719680, event=event@entry=0x7fffcf5e1b80) at kernel/qcoreapplication.cpp:953
#17 0x00007f7238c70d93 in sendEvent (event=<optimized out>, receiver=<optimized out>) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:231
#18 QApplicationPrivate::sendMouseEvent (receiver=receiver@entry=0x2719680, event=event@entry=0x7fffcf5e1b80, alienWidget=alienWidget@entry=0x2719680, nativeWidget=nativeWidget@entry=0x1f0fcd0, buttonDown=buttonDown@entry=0x7f7239750318 <qt_button_down>, lastMouseReceiver=..., spontaneous=spontaneous@entry=true) at kernel/qapplication.cpp:3178
#19 0x00007f7238ce59eb in QETWidget::translateMouseEvent (this=this@entry=0x1f0fcd0, event=event@entry=0x7fffcf5e1f00) at kernel/qapplication_x11.cpp:4634
#20 0x00007f7238ce5289 in QApplication::x11ProcessEvent (this=0x7fffcf5e24d0, event=event@entry=0x7fffcf5e1f00) at kernel/qapplication_x11.cpp:3627
#21 0x00007f7238d0cb32 in x11EventSourceDispatch (s=0x1ba3a70, callback=0x0, user_data=0x0) at kernel/qguieventdispatcher_glib.cpp:146
#22 0x00007f72311cee04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#23 0x00007f72311cf048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#24 0x00007f72311cf0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#25 0x00007f72398fe7a1 in QEventDispatcherGlib::processEvents (this=0x1b5cae0, flags=...) at kernel/qeventdispatcher_glib.cpp:434
#26 0x00007f7238d0cbe6 in QGuiEventDispatcherGlib::processEvents (this=<optimized out>, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#27 0x00007f72398d00af in QEventLoop::processEvents (this=this@entry=0x7fffcf5e22d0, flags=...) at kernel/qeventloop.cpp:149
#28 0x00007f72398d03a5 in QEventLoop::exec (this=this@entry=0x7fffcf5e22d0, flags=...) at kernel/qeventloop.cpp:204
#29 0x00007f72398d5b79 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1225
#30 0x0000000000407a9e in ?? ()
#31 0x00007f72381daec5 in __libc_start_main (main=0x4074f0, argc=1, argv=0x7fffcf5e25f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffcf5e25e8) at libc-start.c:287
#32 0x0000000000407d64 in _start ()

The bug is a heap use-after-free. Here is a stack trace from address sanitizer (with some line number information missing, from korganizer accessed via kontact)
==3171==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700016cbf0 at pc 0x7f84192a4114 bp 0x7fffd32f8c30 sp 0x7fffd32f8c28
READ of size 8 at 0x60700016cbf0 thread T0
    #0 0x7f84192a4113 in IncidenceEditorNG::IncidenceAttachment::addAttachment() KDE/kde/kdepim/incidenceeditor-ng/incidenceattachment.cpp:154
    #1 0x7f84193d7b69 in IncidenceEditorNG::IncidenceAttachment::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) KDE/build-asan/kde/kdepim/incidenceeditor-ng/moc_incidenceattachment.cpp:78
    #2 0x7f847ff5a606 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qt4/lib/libQtCore.so.4+0x255606)
    #3 0x7f8480fd99ac in QAbstractButton::clicked(bool) (qt4/lib/libQtGui.so.4+0xc9f9ac)
    #4 0x7f8480b7a486 in QAbstractButtonPrivate::emitClicked() (qt4/lib/libQtGui.so.4+0x840486)
    #5 0x7f8480b7a2aa in QAbstractButtonPrivate::click() (qt4/lib/libQtGui.so.4+0x8402aa)
    #6 0x7f8480b7b75b in QAbstractButton::mouseReleaseEvent(QMouseEvent*) (qt4/lib/libQtGui.so.4+0x84175b)
    #7 0x7f84805f897d in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2be97d)
    #8 0x7f8480b7b580 in QAbstractButton::event(QEvent*) (qt4/lib/libQtGui.so.4+0x841580)
    #9 0x7f8480c71db5 in QPushButton::event(QEvent*) (qt4/lib/libQtGui.so.4+0x937db5)
    #10 0x7f848056f48e in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23548e)
    #11 0x7f8480572892 in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x238892)
    #12 0x7f8482d5a340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #13 0x7f847ff32dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22ddc5)
    #14 0x7f848057a02e in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x24002e)
    #15 0x7f8480570530 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool) (qt4/lib/libQtGui.so.4+0x236530)
    #16 0x7f84806415e4 in QETWidget::translateMouseEvent(_XEvent const*) (qt4/lib/libQtGui.so.4+0x3075e4)
    #17 0x7f848063cff5 in QApplication::x11ProcessEvent(_XEvent*) (qt4/lib/libQtGui.so.4+0x302ff5)
    #18 0x7f8480687455 in QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34d455)
    #19 0x7f847ff2df6b in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x228f6b)
    #20 0x7f847ff2e331 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x229331)
    #21 0x7f847ff335ed in QCoreApplication::exec() (qt4/lib/libQtCore.so.4+0x22e5ed)
    #22 0x7f8480571525 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237525)
    #23 0x44c792 in main (KDE/install-asan/bin/kontact+0x44c792)
    #24 0x7f847eb2976c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #25 0x44819c in _start (KDE/install-asan/bin/kontact+0x44819c)
0x60700016cbf0 is located 0 bytes inside of 72-byte region [0x60700016cbf0,0x60700016cc38)
freed by thread T0 here:
    #0 0x4337ba in operator delete(void*) (KDE/install-asan/bin/kontact+0x4337ba)
    #1 0x7f8419240896 in IncidenceEditorNG::AttachmentIconItem::~AttachmentIconItem() KDE/kde/kdepim/incidenceeditor-ng/attachmenticonview.cpp:66
    #2 0x7f8480e45b98 in QListModel::clear() (qt4/lib/libQtGui.so.4+0xb0bb98)
    #3 0x7f8480e459f5 in QListModel::~QListModel() (qt4/lib/libQtGui.so.4+0xb0b9f5)
    #4 0x7f8480e45bf7 in QListModel::~QListModel() (qt4/lib/libQtGui.so.4+0xb0bbf7)
    #5 0x7f847ff52dd3 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24ddd3)
    #6 0x7f84805e3112 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a9112)
    #7 0x7f8480beeae4 in QFrame::~QFrame() (qt4/lib/libQtGui.so.4+0x8b4ae4)
    #8 0x7f8480cc5127 in QAbstractScrollArea::~QAbstractScrollArea() (qt4/lib/libQtGui.so.4+0x98b127)
    #9 0x7f8480da4ead in QAbstractItemView::~QAbstractItemView() (qt4/lib/libQtGui.so.4+0xa6aead)
    #10 0x7f8480dd7484 in QListView::~QListView() (qt4/lib/libQtGui.so.4+0xa9d484)
    #11 0x7f8480e4a564 in QListWidget::~QListWidget() (qt4/lib/libQtGui.so.4+0xb10564)
    #12 0x7f841924891c in IncidenceEditorNG::AttachmentIconView::~AttachmentIconView() qt4/include/QtCore/qhash.h:283
    #13 0x7f847ff52dd3 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24ddd3)
    #14 0x7f84805e3112 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a9112)
    #15 0x7f84805e3a77 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a9a77)
    #16 0x7f847ff52dd3 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24ddd3)
    #17 0x7f84805e3112 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a9112)
    #18 0x7f84805e3a77 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a9a77)
    #19 0x7f847ff52dd3 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24ddd3)
    #20 0x7f84805e3112 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a9112)
    #21 0x7f8480beeae4 in QFrame::~QFrame() (qt4/lib/libQtGui.so.4+0x8b4ae4)
    #22 0x7f8480c89934 in QStackedWidget::~QStackedWidget() (qt4/lib/libQtGui.so.4+0x94f934)
    #23 0x7f8480c89987 in QStackedWidget::~QStackedWidget() (qt4/lib/libQtGui.so.4+0x94f987)
    #24 0x7f847ff52dd3 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24ddd3)
    #25 0x7f84805e3112 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a9112)
    #26 0x7f8480c9b184 in QTabWidget::~QTabWidget() (qt4/lib/libQtGui.so.4+0x961184)
    #27 0x7f8483107103 in KTabWidget::~KTabWidget() KDE/kde/kdelibs/kdeui/widgets/ktabwidget.cpp:256
    #28 0x7f847ff52dd3 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24ddd3)
    #29 0x7f84805e3112 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a9112)
    #30 0x7f84805e3a77 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a9a77)
    #31 0x7f847ff52dd3 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24ddd3)
    #32 0x7f84805e3112 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a9112)
    #33 0x7f8480d234be in QDialog::~QDialog() (qt4/lib/libQtGui.so.4+0x9e94be)
    #34 0x7f8482a9890f in KDialog::~KDialog() KDE/kde/kdelibs/kdeui/dialogs/kdialog.cpp:204
    #35 0x7f84193a5797 in IncidenceEditorNG::IncidenceDialog::~IncidenceDialog() KDE/kde/kdepim/incidenceeditor-ng/incidencedialog.cpp:698
    #36 0x7f847ff52dd3 in QObjectPrivate::deleteChildren() (qt4/lib/libQtCore.so.4+0x24ddd3)
    #37 0x7f84805e3112 in QWidget::~QWidget() (qt4/lib/libQtGui.so.4+0x2a9112)
    #38 0x7f841b00aea5 in ~QList KDE/kde/kdepim/korganizer/interfaces/korganizer/calendarviewbase.h:39
    #39 0x7f841b00aea5 in CalendarView::~CalendarView() KDE/kde/kdepim/korganizer/calendarview.cpp:317
    #40 0x7f841b00a70e in CalendarView::~CalendarView() KDE/kde/kdepim/korganizer/calendarview.cpp:308
    #41 0x7f841afb098f in ActionManager::~ActionManager() KDE/kde/kdepim/korganizer/actionmanager.cpp:130
    #42 0x7f841afb06fe in ActionManager::~ActionManager() KDE/kde/kdepim/korganizer/actionmanager.cpp:118
    #43 0x7f8404fbd0af in KOrganizerPart::~KOrganizerPart() KDE/kde/kdepim/korganizer/korganizer_part.cpp:108
    #44 0x7f8404fbcd25 in ~KOrganizerPart KDE/kde/kdepim/korganizer/korganizer_part.cpp:105
    #45 0x7f8404fbcd25 in KOrganizerPart::~KOrganizerPart() KDE/kde/kdepim/korganizer/korganizer_part.cpp:105
    #46 0x7f84876b4a38 in KontactInterface::Plugin::~Plugin() KDE/kde/kdepimlibs/kontactinterface/plugin.cpp:92
    #47 0x7f841b88cd99 in KOrganizerPlugin::~KOrganizerPlugin() KDE/kde/kdepim/kontact/plugins/korganizer/korganizerplugin.cpp:93
    #48 0x7f8484a7588f in Kontact::MainWindow::~MainWindow() KDE/kde/kdepim/kontact/src/mainwindow.cpp:296:16
    #49 0x7f8484a74cdb in ~MainWindow KDE/kde/kdepim/kontact/src/mainwindow.cpp:271
    #50 0x7f8484a74cdb in Kontact::MainWindow::~MainWindow() KDE/kde/kdepim/kontact/src/mainwindow.cpp:271
    #51 0x7f847ff53e3d in qDeleteInEventHandler(QObject*) (qt4/lib/libQtCore.so.4+0x24ee3d)
    #52 0x7f847ff539a7 in QObject::event(QEvent*) (qt4/lib/libQtCore.so.4+0x24e9a7)
    #53 0x7f84805fa345 in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2c0345)
    #54 0x7f8480c1bf72 in QMainWindow::event(QEvent*) (qt4/lib/libQtGui.so.4+0x8e1f72)
    #55 0x7f848307a133 in KMainWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
    #56 0x7f84831800b2 in KXmlGuiWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
    #57 0x7f848056f48e in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23548e)
    #58 0x7f848057532b in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23b32b)
    #59 0x7f8482d5a340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #60 0x7f847ff32dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22ddc5)
    #61 0x7f847ff37549 in QCoreApplication::sendEvent(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x232549)
    #62 0x7f847ff343f3 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22f3f3)
    #63 0x7f847ff852f6 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x2802f6)
    #64 0x7f8480687669 in QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34d669)
    #65 0x7f847ff2df6b in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x228f6b)
    #66 0x7f847ff2e331 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x229331)
    #67 0x7f8480d23c8a in QDialog::exec() (qt4/lib/libQtGui.so.4+0x9e9c8a)
    #68 0x7f84192a3e36 in IncidenceEditorNG::IncidenceAttachment::addAttachment() KDE/kde/kdepim/incidenceeditor-ng/incidenceattachment.cpp:153
    #69 0x7f84193d7b69 in IncidenceEditorNG::IncidenceAttachment::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) KDE/build-asan/kde/kdepim/incidenceeditor-ng/moc_incidenceattachment.cpp:78
    #70 0x7f847ff5a606 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qt4/lib/libQtCore.so.4+0x255606)
    #71 0x7f8480fd99ac in QAbstractButton::clicked(bool) (qt4/lib/libQtGui.so.4+0xc9f9ac)
    #72 0x7f8480b7a486 in QAbstractButtonPrivate::emitClicked() (qt4/lib/libQtGui.so.4+0x840486)
    #73 0x7f8480b7a2aa in QAbstractButtonPrivate::click() (qt4/lib/libQtGui.so.4+0x8402aa)
    #74 0x7f8480b7b75b in QAbstractButton::mouseReleaseEvent(QMouseEvent*) (qt4/lib/libQtGui.so.4+0x84175b)
    #75 0x7f84805f897d in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2be97d)
    #76 0x7f8480b7b580 in QAbstractButton::event(QEvent*) (qt4/lib/libQtGui.so.4+0x841580)
    #77 0x7f8480c71db5 in QPushButton::event(QEvent*) (qt4/lib/libQtGui.so.4+0x937db5)
    #78 0x7f848056f48e in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23548e)
    #79 0x7f8480572892 in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x238892)
    #80 0x7f8482d5a340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #81 0x7f847ff32dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22ddc5)
    #82 0x7f848057a02e in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x24002e)
    #83 0x7f8480570530 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool) (qt4/lib/libQtGui.so.4+0x236530)
    #84 0x7f84806415e4 in QETWidget::translateMouseEvent(_XEvent const*) (qt4/lib/libQtGui.so.4+0x3075e4)
    #85 0x7f848063cff5 in QApplication::x11ProcessEvent(_XEvent*) (qt4/lib/libQtGui.so.4+0x302ff5)
    #86 0x7f8480687455 in QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34d455)
    #87 0x7f847ff2df6b in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x228f6b)
    #88 0x7f847ff2e331 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x229331)
    #89 0x7f847ff335ed in QCoreApplication::exec() (qt4/lib/libQtCore.so.4+0x22e5ed)
    #90 0x7f8480571525 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237525)
    #91 0x44c792 in main (KDE/install-asan/bin/kontact+0x44c792)
    #92 0x7f847eb2976c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #93 0x44819c in _start (KDE/install-asan/bin/kontact+0x44819c)
previously allocated by thread T0 here:
    #0 0x43353a in operator new(unsigned long) (KDE/install-asan/bin/kontact+0x43353a)
    #1 0x7f84192a3aad in IncidenceEditorNG::IncidenceAttachment::addAttachment() KDE/kde/kdepim/incidenceeditor-ng/incidenceattachment.cpp:145
    #2 0x7f84193d7b69 in IncidenceEditorNG::IncidenceAttachment::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) KDE/build-asan/kde/kdepim/incidenceeditor-ng/moc_incidenceattachment.cpp:78
    #3 0x7f847ff5a606 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qt4/lib/libQtCore.so.4+0x255606)
    #4 0x7f8480fd99ac in QAbstractButton::clicked(bool) (qt4/lib/libQtGui.so.4+0xc9f9ac)
    #5 0x7f8480b7a486 in QAbstractButtonPrivate::emitClicked() (qt4/lib/libQtGui.so.4+0x840486)
    #6 0x7f8480b7a2aa in QAbstractButtonPrivate::click() (qt4/lib/libQtGui.so.4+0x8402aa)
    #7 0x7f8480b7b75b in QAbstractButton::mouseReleaseEvent(QMouseEvent*) (qt4/lib/libQtGui.so.4+0x84175b)
    #8 0x7f84805f897d in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2be97d)
    #9 0x7f8480b7b580 in QAbstractButton::event(QEvent*) (qt4/lib/libQtGui.so.4+0x841580)
    #10 0x7f8480c71db5 in QPushButton::event(QEvent*) (qt4/lib/libQtGui.so.4+0x937db5)
    #11 0x7f848056f48e in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23548e)
    #12 0x7f8480572892 in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x238892)
    #13 0x7f8482d5a340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #14 0x7f847ff32dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22ddc5)
    #15 0x7f848057a02e in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x24002e)
    #16 0x7f8480570530 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool) (qt4/lib/libQtGui.so.4+0x236530)
    #17 0x7f84806415e4 in QETWidget::translateMouseEvent(_XEvent const*) (qt4/lib/libQtGui.so.4+0x3075e4)
    #18 0x7f848063cff5 in QApplication::x11ProcessEvent(_XEvent*) (qt4/lib/libQtGui.so.4+0x302ff5)
    #19 0x7f8480687455 in QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34d455)
    #20 0x7f847ff2df6b in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x228f6b)
    #21 0x7f847ff2e331 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x229331)
    #22 0x7f847ff335ed in QCoreApplication::exec() (qt4/lib/libQtCore.so.4+0x22e5ed)
    #23 0x7f8480571525 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237525)
    #24 0x44c792 in main (KDE/install-asan/bin/kontact+0x44c792)
    #25 0x7f847eb2976c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #26 0x44819c in _start (KDE/install-asan/bin/kontact+0x44819c)
SUMMARY: AddressSanitizer: heap-use-after-free KDE/kde/kdepim/incidenceeditor-ng/incidenceattachment.cpp:154 IncidenceEditorNG::IncidenceAttachment::addAttachment()
Shadow bytes around the buggy address:
  0x0c0e80025920: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e80025930: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e80025940: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
  0x0c0e80025950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80025960: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
=>0x0c0e80025970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fd]fd
  0x0c0e80025980: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x0c0e80025990: 00 00 00 00 00 fa fa fa fa fa fd fd fd fd fd fd
  0x0c0e800259a0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e800259b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e800259c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==3171==ABORTING
Comment 1 Santhiar 2015-12-16 15:13:40 UTC 
Sorry, the last comment should have said - to repro in a later version of korganizer, say
"qdbus org.kde.korganizer /korganizer/MainWindow_1/actions/file_quit trigger"

I shall be happy to supply any other information to help fix this potential use-after-free vulnerability
Comment 2 Denis Kurz 2017-08-28 20:18:40 UTC 
Sorry to say, Santhiar, but this bug will not be fixed by us in the version you used. 4.x versions have been unsupported for several years now.

However, I submitted a patch to phabricator [1] which might be backported by your distributor. As soon as the patch passes review, you might want to ask them. I hope that 5.6.1 will be the first released version that contains the fix.

The bug is still reproducible in 5.6.0, which is why I bothered investigating it :-P

[1] https://phabricator.kde.org/D7591
Comment 3 Denis Kurz 2018-02-04 20:12:47 UTC 
Git commit c1f5f69291226fb08d1d744059243f71b91fbacb by Denis Kurz.
Committed on 04/02/2018 at 20:12.
Pushed by dkurz into branch 'Applications/17.12'.

Fix use-after-free

Summary:
We now detect if IncidenceAttachment is deleted while the
AttachmentEditDialog is shown. There were three potential crashes
(deletion of item; access to mAttachmentView; call checkDirtyStatus);
the first of them actually was met in the wild in Bug 356053. Fixing
only the deletion of item led to the other two.
FIXED-IN: 5.6.1

Test Plan:
Compiled; repeated the steps described in Bug 356053. The crash
happens without the patch; doesn't happen with the patch.

Reviewers: #kde_pim, dvratil

Reviewed By: #kde_pim, dvratil

Subscribers: winterz

Tags: #kde_pim

Differential Revision: https://phabricator.kde.org/D7591

M  +10   -8    src/incidenceattachment.cpp

https://commits.kde.org/incidenceeditor/c1f5f69291226fb08d1d744059243f71b91fbacb
Comment 4 Denis Kurz 2018-02-05 07:12:03 UTC 
Nice catch, thanks Christoph!