Bug 356351

Summary: crash if I close ktnef when the open file error dialog is displayed
Product: [Applications] ktnef
Reporter: Santhiar <santhiar.anirudh>
Component: general
Assignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED FIXED    
Severity: crash    
Priority: NOR    
Version: 4.9   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Version Fixed In: 5.1

Description Santhiar 2015-12-07 05:13:47 UTC
I wanted to open a file using ktnef from the command line and close the application.
ktnef someUnhandledFile
followed by 
qdbus `qdbus | grep ktnef` /ktnef/MainWindow_1/actions/file_quit trigger
triggers a crash

Reproducible: Always

Steps to Reproduce:
1. Open a file (of a type ktnef does not handle) using ktnef
2. An error dialog will be displayed. While it is displayed,
3. Quit ktnef using "qdbus `qdbus | grep ktnef` /ktnef/MainWindow_1/actions/file_quit trigger"

Actual Results:  
ktnef crashes with the following stack:

Application: KTnef (ktnef), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Current thread is 1 (Thread 0x7fa1be8a0780 (LWP 23222))]

Thread 2 (Thread 0x7fa1acd9d700 (LWP 23224)):
#0  0x00007fa1b8d3e6f3 in select () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fa1b9a168bc in QProcessManager::run (this=0x7fa1b9e5a210 <processManager()::processManager>) at io/qprocess_unix.cpp:270
#2  0x00007fa1b98cbb2a in QThreadPrivate::start (arg=0x7fa1b9e5a210 <processManager()::processManager>) at thread/qthread_unix.cpp:361
#3  0x00007fa1b8a3ce9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#4  0x00007fa1b8d4538d in clone () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x0000000000000000 in ?? ()

Thread 1 (Thread 0x7fa1be8a0780 (LWP 23222)):
[KCrash Handler]
#6  QPointer<QItemSelectionModel>::operator QItemSelectionModel* (this=0x2a8) at ../../include/QtCore/../../src/corelib/kernel/qpointer.h:78
#7  0x00007fa1bb6b915b in QAbstractItemView::selectionModel (this=0x1853450) at itemviews/qabstractitemview.cpp:766
#8  0x00007fa1bb77ffa9 in QTreeWidget::clear (this=0x1853450) at itemviews/qtreewidget.cpp:3273
#9  0x000000000041ccf3 in KTNEFView::setAttachments (this=0x1853450, list=...) at KDE/kde/applications/kdepim/ktnef/ktnefview.cpp:90
#10 0x0000000000417c30 in KTNEFMain::loadFile (this=0x1838dd0, filename=...) at KDE/kde/applications/kdepim/ktnef/ktnefmain.cpp:204
#11 0x000000000041db42 in main (argc=<optimized out>, argv=<optimized out>) at KDE/kde/applications/kdepim/ktnef/main.cpp:60

Expected Results:  
ktnef closes smoothly

This crash is actually a use-after-free. Repeating the steps above with ktnef built using AddressSanitizer results in the following report:

AddressSanitizer stack:
==24918==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000a3040 at pc 0x46e008 bp 0x7fff9be0c090 sp 0x7fff9be0c088
READ of size 8 at 0x60c0000a3040 thread T0
    #0 0x46e007 in KTNEFMain::loadFile(QString const&) (KDE/install-asan/bin/ktnef+0x46e007)
    #1 0x46f807 in KTNEFMain::openFile() (KDE/install-asan/bin/ktnef+0x46f807)
    #2 0x494412 in KTNEFMain::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (KDE/install-asan/bin/ktnef+0x494412)
    #3 0x7f7edd7ca336 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qt4/lib/libQtCore.so.4+0x255336)
    #4 0x7f7edecf822c in QAction::triggered(bool) (qt4/lib/libQtGui.so.4+0x22522c)
    #5 0x7f7edecf8041 in QAction::activate(QAction::ActionEvent) (qt4/lib/libQtGui.so.4+0x225041)
    #6 0x7f7edecfa4d9 in QAction::trigger() (qt4/lib/libQtGui.so.4+0x2274d9)
    #7 0x7f7edf458da2 in QToolButton::nextCheckState() (qt4/lib/libQtGui.so.4+0x985da2)
    #8 0x7f7edf312fd3 in QAbstractButtonPrivate::click() (qt4/lib/libQtGui.so.4+0x83ffd3)
    #9 0x7f7edf31456b in QAbstractButton::mouseReleaseEvent(QMouseEvent*) (qt4/lib/libQtGui.so.4+0x84156b)
    #10 0x7f7edf458663 in QToolButton::mouseReleaseEvent(QMouseEvent*) (qt4/lib/libQtGui.so.4+0x985663)
    #11 0x7f7eded9178d in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2be78d)
    #12 0x7f7edf314390 in QAbstractButton::event(QEvent*) (qt4/lib/libQtGui.so.4+0x841390)
    #13 0x7f7edf458e38 in QToolButton::event(QEvent*) (qt4/lib/libQtGui.so.4+0x985e38)
    #14 0x7f7eded0829e in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23529e)
    #15 0x7f7eded0b6a2 in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x2386a2)
    #16 0x7f7ee05ca340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #17 0x7f7edd7a2b15 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22db15)
    #18 0x7f7eded12e3e in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23fe3e)
    #19 0x7f7eded09340 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool) (qt4/lib/libQtGui.so.4+0x236340)
    #20 0x7f7ededda3f4 in QETWidget::translateMouseEvent(_XEvent const*) (qt4/lib/libQtGui.so.4+0x3073f4)
    #21 0x7f7ededd5e05 in QApplication::x11ProcessEvent(_XEvent*) (qt4/lib/libQtGui.so.4+0x302e05)
    #22 0x7f7edee20265 in QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34d265)
    #23 0x7f7edd79dedb in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x228edb)
    #24 0x7f7edd79e1ed in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x2291ed)
    #25 0x7f7edd7a3316 in QCoreApplication::exec() (qt4/lib/libQtCore.so.4+0x22e316)
    #26 0x7f7eded0a335 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237335)
    #27 0x483563 in main (KDE/install-asan/bin/ktnef+0x483563)
    #28 0x7f7edc39976c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #29 0x454e7c in _start (KDE/install-asan/bin/ktnef+0x454e7c)
0x60c0000a3040 is located 64 bytes inside of 128-byte region [0x60c0000a3000,0x60c0000a3080)
freed by thread T0 here:
    #0 0x44049a in operator delete(void*) (KDE/install-asan/bin/ktnef+0x44049a)
    #1 0x46bf34 in KTNEFMain::~KTNEFMain() (KDE/install-asan/bin/ktnef+0x46bf34)
    #2 0x7f7edd7c3b6d in qDeleteInEventHandler(QObject*) (qt4/lib/libQtCore.so.4+0x24eb6d)
    #3 0x7f7edd7c36d7 in QObject::event(QEvent*) (qt4/lib/libQtCore.so.4+0x24e6d7)
    #4 0x7f7eded93155 in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2c0155)
    #5 0x7f7edf3b4d82 in QMainWindow::event(QEvent*) (qt4/lib/libQtGui.so.4+0x8e1d82)
    #6 0x7f7ee08ea133 in KMainWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
    #7 0x7f7ee09f00b2 in KXmlGuiWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
    #8 0x7f7eded0829e in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23529e)
    #9 0x7f7eded0e13b in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23b13b)
    #10 0x7f7ee05ca340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #11 0x7f7edd7a2b15 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22db15)
    #12 0x7f7edd7a7279 in QCoreApplication::sendEvent(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x232279)
    #13 0x7f7edd7a4123 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22f123)
    #14 0x7f7edd7f5026 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x280026)
    #15 0x7f7edee20479 in QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34d479)
    #16 0x7f7edd79dedb in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x228edb)
    #17 0x7f7edd79e1ed in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x2291ed)
    #18 0x7f7edf4bca9a in QDialog::exec() (qt4/lib/libQtGui.so.4+0x9e9a9a)
    #19 0x7f7ee03569dc in KMessageBox::createKMessageBox(KDialog*, QIcon const&, QString const&, QStringList const&, QString const&, bool*, QFlags<KMessageBox::Option>, QString const&, QMessageBox::Icon) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:344
    #20 0x7f7ee0353fe1 in KMessageBox::createKMessageBox(KDialog*, QMessageBox::Icon, QString const&, QStringList const&, QString const&, bool*, QFlags<KMessageBox::Option>, QString const&) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:158
    #21 0x7f7ee0364d4a in KMessageBox::errorListWId(unsigned long, QString const&, QStringList const&, QString const&, QFlags<KMessageBox::Option>) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:854
    #22 0x7f7ee036440b in KMessageBox::error(QWidget*, QString const&, QString const&, QFlags<KMessageBox::Option>) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:821
    #23 0x46db45 in KTNEFMain::loadFile(QString const&) (KDE/install-asan/bin/ktnef+0x46db45)
    #24 0x46f807 in KTNEFMain::openFile() (KDE/install-asan/bin/ktnef+0x46f807)
    #25 0x494412 in KTNEFMain::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (KDE/install-asan/bin/ktnef+0x494412)
    #26 0x7f7edd7ca336 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qt4/lib/libQtCore.so.4+0x255336)
    #27 0x7f7edecf822c in QAction::triggered(bool) (qt4/lib/libQtGui.so.4+0x22522c)
    #28 0x7f7edecf8041 in QAction::activate(QAction::ActionEvent) (qt4/lib/libQtGui.so.4+0x225041)
    #29 0x7f7edecfa4d9 in QAction::trigger() (qt4/lib/libQtGui.so.4+0x2274d9)
previously allocated by thread T0 here:
    #0 0x44021a in operator new(unsigned long) (KDE/install-asan/bin/ktnef+0x44021a)
    #1 0x4833b4 in main (KDE/install-asan/bin/ktnef+0x4833b4)
    #2 0x7f7edc39976c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 KTNEFMain::loadFile(QString const&)
Shadow bytes around the buggy address:
  0x0c188000c5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c188000c5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c188000c5d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c188000c5e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c188000c5f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c188000c600: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c188000c610: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c188000c620: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c188000c630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07
  0x0c188000c640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c188000c650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==24918==ABORTING

ktnef version details
---------------------------
Qt: 4.8.7
KDE Development Platform: 4.14.13
KTnef: 4.14.10
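The two ASan stacks above show the mechanism: KTNEFMain::loadFile calls KMessageBox::error, which runs a nested event loop (QDialog::exec). The quit action delivered by qdbus is processed inside that nested loop, the DeferredDelete event destroys the KTNEFMain window (freed by ~KTNEFMain via qDeleteInEventHandler), and when the dialog returns, loadFile continues on a `this` that no longer exists. The following is an added example, not ktnef's code and not the change in commit 3fdd098: it reproduces the pattern in plain C++ with a tiny stand-in for Qt's posted-event queue (`EventLoop`), a `WeakGuard` that plays the role of QPointer, and hypothetical `loadFileUnguarded` / `loadFileGuarded` methods whose names, the `looksLikeTnef` check and the attachment strings are all invented for illustration. The guard shown is one standard remedy for re-entrancy through a modal dialog; the page does not show how the actual fix is written.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Stand-in for Qt's posted-event queue (constructed for this example).
// deleteLater() posts a deferred delete; exec() drains the queue the way
// QDialog::exec() spins a nested QEventLoop while the error box is up.
struct EventLoop {
    std::deque<std::function<void()>> posted;
    void post(std::function<void()> ev) { posted.push_back(std::move(ev)); }
    void exec() {
        while (!posted.empty()) {
            auto ev = std::move(posted.front());
            posted.pop_front();
            ev();   // may delete an object whose member function is still on the stack
        }
    }
};

// Minimal QObject-like base: owns a liveness token so guards can see destruction.
struct Object {
    EventLoop& loop;
    std::shared_ptr<char> alive = std::make_shared<char>(0);
    explicit Object(EventLoop& l) : loop(l) {}
    virtual ~Object() = default;
    void deleteLater() { loop.post([this] { delete this; }); }
};

// Stand-in for QPointer<T>: yields nullptr once the object has been destroyed.
template <class T> class WeakGuard {
    T* ptr_;
    std::weak_ptr<char> alive_;
public:
    explicit WeakGuard(T* p) : ptr_(p), alive_(p->alive) {}
    T* get() const { return alive_.expired() ? nullptr : ptr_; }
    explicit operator bool() const { return get() != nullptr; }
};

enum class LoadResult { Loaded, Failed, WindowGone };

// Plays KMessageBox::error(): spins the nested loop. Deliberately a free
// function so nothing touches the window after the loop returns.
void showErrorDialog(EventLoop& loop, const std::string& /*message*/) { loop.exec(); }

// Hypothetical "is this a TNEF file" check; only the file name is inspected.
bool looksLikeTnef(const std::string& path) {
    return path.size() >= 5 && path.compare(path.size() - 5, 5, ".tnef") == 0;
}

struct MainWindow : Object {
    std::vector<std::string> attachments;   // stands in for the KTNEFView tree
    explicit MainWindow(EventLoop& l) : Object(l) {}

    // "qdbus ... /ktnef/MainWindow_1/actions/file_quit trigger": the window
    // schedules its own deletion through the event queue.
    void triggerQuit() { deleteLater(); }

    // Shape of the bug in the report: after the modal error box returns,
    // members are used without checking whether *this survived the nested
    // loop. Not called below: with quit queued, this is the heap-use-after-free.
    LoadResult loadFileUnguarded(const std::string& path) {
        if (!looksLikeTnef(path)) {
            showErrorDialog(loop, "Unable to open file \"" + path + "\".");
            attachments.clear();                // *this may already be freed here
            return LoadResult::Failed;
        }
        attachments = {"att1", "att2"};
        return LoadResult::Loaded;
    }

    // Hardened form: take a guard before anything that re-enters the event
    // loop, copy out what the rest of the function needs, and bail out without
    // touching members if the guard went null.
    LoadResult loadFileGuarded(const std::string& path) {
        WeakGuard<MainWindow> self(this);
        EventLoop& l = loop;                    // taken before re-entry
        if (!looksLikeTnef(path)) {
            showErrorDialog(l, "Unable to open file \"" + path + "\".");
            if (!self) return LoadResult::WindowGone;   // deleted during the dialog
            attachments.clear();
            return LoadResult::Failed;
        }
        attachments = {"att1", "att2"};
        return LoadResult::Loaded;
    }
};

// User just dismisses the dialog: nothing else is queued, the window survives.
LoadResult scenarioDismissDialog() {
    EventLoop loop;
    auto* win = new MainWindow(loop);
    LoadResult r = win->loadFileGuarded("someUnhandledFile");
    delete win;
    return r;
}

// Quit arrives while the dialog is up: the deferred delete runs inside the
// nested loop and loadFileGuarded must notice that *this is gone.
LoadResult scenarioQuitDuringDialog() {
    EventLoop loop;
    auto* win = new MainWindow(loop);
    loop.post([win] { win->triggerQuit(); });   // queued "file_quit trigger"
    return win->loadFileGuarded("someUnhandledFile");
}

// A handled file never opens the dialog, so there is no re-entrancy hazard.
LoadResult scenarioHandledFile() {
    EventLoop loop;
    auto* win = new MainWindow(loop);
    LoadResult r = win->loadFileGuarded("winmail.tnef");
    delete win;
    return r;
}
```

The same hazard exists for any call that can spin a nested event loop (QDialog::exec, QMessageBox::exec, processEvents): either guard `this` across the call as above, or avoid the nested loop by showing the dialog non-modally and finishing the work in a slot.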
Comment 1 Laurent Montel 2015-12-07 06:24:11 UTC
Git commit 3fdd098084f39cca8a68d9bdb123394d99f1f249 by Montel Laurent.
Committed on 07/12/2015 at 06:23.
Pushed by mlaurent into branch 'Applications/15.12'.

Fix Bug 356351 - crash if I close ktnef when the open file error dialog is displayed

FIXED-IN: 5.1

M  +2    -2    ktnef/ktnefmain.cpp

http://commits.kde.org/kdepim/3fdd098084f39cca8a68d9bdb123394d99f1f249
Comment 2 Santhiar 2015-12-17 06:27:27 UTC
*** Bug 356812 has been marked as a duplicate of this bug. ***