Bug 357341

Summary: kate .gnupg/secring.gpg crashes kate
Product: [Frameworks and Libraries] frameworks-kcodecs
Reporter: micu <micuintus>
Component: general
Assignee: kdelibs bugs <kdelibs-bugs>
Status: RESOLVED FIXED
Severity: crash
CC: davide, egorov, kdespam34fb987, rlaggren, simonandric5
Priority: NOR
Keywords: drkonqi
Version: 5.19.0
Target Milestone: ---
Platform: Fedora RPMs
OS: Linux
Attachments: gdb backtrace with additional info

Description micu 2015-12-30 14:37:58 UTC
Application: kate (15.08.3)

Qt Version: 5.5.1
Operating System: Linux 4.2.8-300.fc23.x86_64 x86_64
Distribution: "Fedora release 23 (Twenty Three)"

-- Information about the crash:
- What I was doing when the application crashed:
I simply entered "kate .gnupg/secring.gpg",
then kate crashed.

The crash can be reproduced sometimes.

-- Backtrace:
Application: Kate (kate), signal: Segmentation fault
Using host libthread_db library "/lib64/libthread_db.so.1".
[Current thread is 1 (Thread 0x7f40dcbe8900 (LWP 3547))]

Thread 2 (Thread 0x7f40bd8cc700 (LWP 3548)):
#0  0x00007f40d54c9ffd in poll () at /lib64/libc.so.6
#1  0x00007f40d23de272 in _xcb_conn_wait () at /lib64/libxcb.so.1
#2  0x00007f40d23dfee7 in xcb_wait_for_event () at /lib64/libxcb.so.1
#3  0x00007f40c029dda9 in QXcbEventReader::run() () at /lib64/libQt5XcbQpa.so.5
#4  0x00007f40d60d23ce in QThreadPrivate::start(void*) () at /lib64/libQt5Core.so.5
#5  0x00007f40d368e60a in start_thread () at /lib64/libpthread.so.0
#6  0x00007f40d54d5a9d in clone () at /lib64/libc.so.6

Thread 1 (Thread 0x7f40dcbe8900 (LWP 3547)):
[KCrash Handler]
#5  0x00007f40d8f95bc1 in kencodingprober::UnicodeGroupProber::HandleData(char const*, unsigned int) () at /lib64/libKF5Codecs.so.5
#6  0x00007f40d8f97a33 in kencodingprober::nsMBCSGroupProber::HandleData(char const*, unsigned int) () at /lib64/libKF5Codecs.so.5
#7  0x00007f40d8f9c0f8 in kencodingprober::nsUniversalDetector::HandleData(char const*, unsigned int) () at /lib64/libKF5Codecs.so.5
#8  0x00007f40d8f8d00c in KEncodingProber::feed(char const*, int) () at /lib64/libKF5Codecs.so.5
#9  0x00007f40dc219821 in Kate::TextBuffer::load(QString const&, bool&, bool&, int&, bool) () at /lib64/libKF5TextEditor.so.5
#10 0x00007f40dc299fbf in KateBuffer::openFile(QString const&, bool) () at /lib64/libKF5TextEditor.so.5
#11 0x00007f40dc28f5f7 in KTextEditor::DocumentPrivate::openFile() () at /lib64/libKF5TextEditor.so.5
#12 0x00007f40dbf2ca31 in KParts::ReadOnlyPartPrivate::openLocalFile() () at /lib64/libKF5Parts.so.5
#13 0x00007f40dbf2d960 in KParts::ReadOnlyPart::openUrl(QUrl const&) () at /lib64/libKF5Parts.so.5
#14 0x00007f40dc279e79 in KTextEditor::DocumentPrivate::openUrl(QUrl const&) () at /lib64/libKF5TextEditor.so.5
#15 0x00007f40dc862c66 in KateDocManager::openUrl(QUrl const&, QString const&, bool, KateDocumentInfo const&) () at /lib64/libkdeinit5_kate.so
#16 0x00007f40dc86329a in KateDocManager::openUrls(QList<QUrl> const&, QString const&, bool, KateDocumentInfo const&) () at /lib64/libkdeinit5_kate.so
#17 0x00007f40dc8757c7 in KateViewManager::openUrls(QList<QUrl> const&, QString const&, bool, KateDocumentInfo const&) () at /lib64/libkdeinit5_kate.so
#18 0x00007f40dc8520b1 in KateApp::startupKate() () at /lib64/libkdeinit5_kate.so
#19 0x00007f40dc85336d in KateApp::init() () at /lib64/libkdeinit5_kate.so
#20 0x00007f40dc8acfd1 in kdemain () at /lib64/libkdeinit5_kate.so
#21 0x00007f40d53f3580 in __libc_start_main () at /lib64/libc.so.6
#22 0x000055d7b5d6fb49 in _start ()

Reported using DrKonqi
Comment 1 Boris Egorov 2016-01-06 09:02:39 UTC
I can reproduce it. It looks like the problem is in kcodecs.
UnicodeGroupProber::HandleData has this code:

    if (4 >= aBuf[1] && aBuf[1] >= 0 && isprint(aBuf[0])) {

where isprint is a macro:

    enum {
    // non-relevant
        CTYPE_PRINT  = 1 << 6,
    // non-relevant
    };
    #define ctype_test(c, t) ((ctype_data[(unsigned short)c] & t) != 0)
    #define isprint(c)  ctype_test((c), CTYPE_PRINT)

And sometimes aBuf contains negative values. So we get an out-of-bounds index for the ctype_data array: c is negative in "(unsigned short)c".

I don't know what to do with this, but I think it is a kcodecs bug.
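The conversion described in this comment, as an added example that is not kcodecs code: ctype_data is a constructed 256-entry stand-in, index_as_written reproduces the macro's cast on the first byte of the crashing buffer, and index_fixed/isprint_fixed are an assumed safe variant (not necessarily the upstream fix).

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define CTYPE_PRINT (1 << 6)
#define TABLE_SIZE 256          /* one entry per byte value */

/* Constructed stand-in for kcodecs' ctype_data: 0x20..0x7E marked printable. */
static unsigned char ctype_data[TABLE_SIZE];

static void init_table(void)
{
    for (int i = 0x20; i <= 0x7E; i++)
        ctype_data[i] = CTYPE_PRINT;
}

/* Index the quoted macro computes: char is promoted to int (sign-extended when
 * char is signed, as on x86-64 Linux), then truncated to unsigned short.
 * For byte 0xE1 that yields 65505, far past the end of a 256-entry table. */
size_t index_as_written(char c)
{
    return (unsigned short)c;
}

/* Fixed indexing: convert through unsigned char first, so 0xE1 maps to 225. */
size_t index_fixed(char c)
{
    return (unsigned char)c;
}

/* Bounds-checked replacement for the macro; returns 1 if printable, else 0. */
int isprint_fixed(char c)
{
    size_t idx = index_fixed(c);
    if (ctype_data['A'] == 0)
        init_table();           /* lazy init so callers need no setup */
    if (idx >= TABLE_SIZE)      /* unreachable after the cast; kept as a guard */
        return 0;
    return (ctype_data[idx] & CTYPE_PRINT) != 0;
}

int main(void)
{
    const char buf[] = "\341\001";   /* first two bytes of the crashing buffer from the gdb trace */
    printf("char is %s; macro index for byte 0xE1: %zu (table size %d)\n",
           CHAR_MIN < 0 ? "signed" : "unsigned", index_as_written(buf[0]), TABLE_SIZE);
    printf("fixed index: %zu, printable: %d\n", index_fixed(buf[0]), isprint_fixed(buf[0]));
    return 0;
}
```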
Comment 2 Boris Egorov 2016-01-06 09:03:32 UTC
Created attachment 96479 [details]
gdb backtrace with additional info
Comment 3 Dominik Haumann 2016-03-24 19:55:52 UTC
Trace from current sources, tested with file from bug #360797:
#0  0x00007ffff48d1e66 in kencodingprober::UnicodeGroupProber::HandleData(char const*, unsigned int) (this=0x7cc6b0, aBuf=0xd38f90 "\341\001\201P\212u\236\273@\242\346\203\001\254U\203\002\310*\203\003\254F\210\004\210\005\230\004\234\006\201\a\202a\274\362\266J\300\326o\326\210\b\377\023\210\t\377\023\203\025\214\356V\211\021\234\022\210", <incomplete sequence \303>, aLen=63) at frameworks/kcodecs/src/probers/UnicodeGroupProber.cpp:89
#1  0x00007ffff48d4046 in kencodingprober::nsMBCSGroupProber::HandleData(char const*, unsigned int) (this=0xa777a0, aBuf=0xda3098 "\341\001", aLen=120)
    at frameworks/kcodecs/src/probers/nsMBCSGroupProber.cpp:119
#2  0x00007ffff48d56eb in kencodingprober::nsUniversalDetector::HandleData(char const*, unsigned int) (this=0xd42600, aBuf=0xda3098 "\341\001", aLen=120)
    at frameworks/kcodecs/src/probers/nsUniversalDetector.cpp:149
#3  0x00007ffff48c9c22 in KEncodingProber::feed(char const*, int) (this=0x7fffffffc010, data=0xda3098 "\341\001", len=120)
    at frameworks/kcodecs/src/kencodingprober.cpp:181
#4  0x00007ffff76cdee8 in Kate::TextLoader::readLine(int&, int&) (this=0x7fffffffc120, offset=@0x7fffffffc18c: 0, length=@0x7fffffffc188: 0)
    at frameworks/ktexteditor/src/buffer/katetextloader.h:266
#5  0x00007ffff76cb2f0 in Kate::TextBuffer::load(QString const&, bool&, bool&, int&, bool) (this=
    0x7df1e0, filename=..., encodingErrors=@0x7df2a8: false, tooLongLinesWrapped=@0x7df2a9: false, longestLineLoaded=@0x7df2ac: 0, enforceTextCodec=false)
    at frameworks/ktexteditor/src/buffer/katetextbuffer.cpp:621
#6  0x00007ffff777aef3 in KateBuffer::openFile(QString const&, bool) (this=0x7df1e0, m_file=..., enforceTextCodec=false)
    at frameworks/ktexteditor/src/document/katebuffer.cpp:195
#7  0x00007ffff775133e in KTextEditor::DocumentPrivate::openFile() (this=0x7d4cc0) at frameworks/ktexteditor/src/document/katedocument.cpp:2252
#8  0x00007ffff6f57035 in KParts::ReadOnlyPartPrivate::openLocalFile() (this=0x7cc280) at frameworks/kparts/src/readonlypart.cpp:187
#9  0x00007ffff6f56cc2 in KParts::ReadOnlyPart::openUrl(QUrl const&) (this=0x7d4cc0, url=...) at frameworks/kparts/src/readonlypart.cpp:150
#10 0x00007ffff7753c44 in KTextEditor::DocumentPrivate::openUrl(QUrl const&) (this=0x7d4cc0, url=...) at frameworks/ktexteditor/src/document/katedocument.cpp:2596
#11 0x000000000041bbf1 in KWrite::loadURL(QUrl const&) (this=0x7398b0, url=...) at kde/applications/kate/kwrite/kwrite.cpp:202
#12 0x00000000004176e0 in main(int, char**) (argc=2, argv=0x7fffffffd9a8) at kde/app

And here is the valgrind trace for the same file:
==26843== Conditional jump or move depends on uninitialised value(s)
==26843==    at 0x8137D93: kencodingprober::UnicodeGroupProber::HandleData(char const*, unsigned int) (UnicodeGroupProber.cpp:84)
==26843==    by 0x813A045: kencodingprober::nsMBCSGroupProber::HandleData(char const*, unsigned int) (nsMBCSGroupProber.cpp:119)
==26843==    by 0x813B6EA: kencodingprober::nsUniversalDetector::HandleData(char const*, unsigned int) (nsUniversalDetector.cpp:149)
==26843==    by 0x812FC21: KEncodingProber::feed(char const*, int) (kencodingprober.cpp:181)
==26843==    by 0x4EF8EE7: Kate::TextLoader::readLine(int&, int&) (katetextloader.h:266)
==26843==    by 0x4EF62EF: Kate::TextBuffer::load(QString const&, bool&, bool&, int&, bool) (katetextbuffer.cpp:621)
==26843==    by 0x4FA5EF2: KateBuffer::openFile(QString const&, bool) (katebuffer.cpp:195)
==26843==    by 0x4F7C33D: KTextEditor::DocumentPrivate::openFile() (katedocument.cpp:2252)
==26843==    by 0x5A9A034: KParts::ReadOnlyPartPrivate::openLocalFile() (readonlypart.cpp:187)
==26843==    by 0x5A99CC1: KParts::ReadOnlyPart::openUrl(QUrl const&) (readonlypart.cpp:150)
==26843==    by 0x4F7EC43: KTextEditor::DocumentPrivate::openUrl(QUrl const&) (katedocument.cpp:2596)
==26843==    by 0x41BBF0: KWrite::loadURL(QUrl const&) (kwrite.cpp:202)
==26843== 
==26843== Conditional jump or move depends on uninitialised value(s)
==26843==    at 0x8137E1F: kencodingprober::UnicodeGroupProber::HandleData(char const*, unsigned int) (UnicodeGroupProber.cpp:85)
==26843==    by 0x813A045: kencodingprober::nsMBCSGroupProber::HandleData(char const*, unsigned int) (nsMBCSGroupProber.cpp:119)
==26843==    by 0x813B6EA: kencodingprober::nsUniversalDetector::HandleData(char const*, unsigned int) (nsUniversalDetector.cpp:149)
==26843==    by 0x812FC21: KEncodingProber::feed(char const*, int) (kencodingprober.cpp:181)
==26843==    by 0x4EF8EE7: Kate::TextLoader::readLine(int&, int&) (katetextloader.h:266)
==26843==    by 0x4EF62EF: Kate::TextBuffer::load(QString const&, bool&, bool&, int&, bool) (katetextbuffer.cpp:621)
==26843==    by 0x4FA5EF2: KateBuffer::openFile(QString const&, bool) (katebuffer.cpp:195)
==26843==    by 0x4F7C33D: KTextEditor::DocumentPrivate::openFile() (katedocument.cpp:2252)
==26843==    by 0x5A9A034: KParts::ReadOnlyPartPrivate::openLocalFile() (readonlypart.cpp:187)
==26843==    by 0x5A99CC1: KParts::ReadOnlyPart::openUrl(QUrl const&) (readonlypart.cpp:150)
==26843==    by 0x4F7EC43: KTextEditor::DocumentPrivate::openUrl(QUrl const&) (katedocument.cpp:2596)
==26843==    by 0x41BBF0: KWrite::loadURL(QUrl const&) (kwrite.cpp:202)
==26843== 
==26843== 
==26843== Process terminating with default action of signal 11 (SIGSEGV)
==26843==  Bad permissions for mapped region at address 0x8170F22
==26843==    at 0x8137E66: kencodingprober::UnicodeGroupProber::HandleData(char const*, unsigned int) (UnicodeGroupProber.cpp:89)
==26843==    by 0x813A045: kencodingprober::nsMBCSGroupProber::HandleData(char const*, unsigned int) (nsMBCSGroupProber.cpp:119)
==26843==    by 0x813B6EA: kencodingprober::nsUniversalDetector::HandleData(char const*, unsigned int) (nsUniversalDetector.cpp:149)
==26843==    by 0x812FC21: KEncodingProber::feed(char const*, int) (kencodingprober.cpp:181)
==26843==    by 0x4EF8EE7: Kate::TextLoader::readLine(int&, int&) (katetextloader.h:266)
==26843==    by 0x4EF62EF: Kate::TextBuffer::load(QString const&, bool&, bool&, int&, bool) (katetextbuffer.cpp:621)
==26843==    by 0x4FA5EF2: KateBuffer::openFile(QString const&, bool) (katebuffer.cpp:195)
==26843==    by 0x4F7C33D: KTextEditor::DocumentPrivate::openFile() (katedocument.cpp:2252)
==26843==    by 0x5A9A034: KParts::ReadOnlyPartPrivate::openLocalFile() (readonlypart.cpp:187)
==26843==    by 0x5A99CC1: KParts::ReadOnlyPart::openUrl(QUrl const&) (readonlypart.cpp:150)
==26843==    by 0x4F7EC43: KTextEditor::DocumentPrivate::openUrl(QUrl const&) (katedocument.cpp:2596)
==26843==    by 0x41BBF0: KWrite::loadURL(QUrl const&) (kwrite.cpp:202)
Comment 4 Dominik Haumann 2016-03-24 19:56:27 UTC
*** Bug 360797 has been marked as a duplicate of this bug. ***
Comment 5 Dominik Haumann 2016-03-29 15:52:27 UTC
Git commit d9a99dce9d63cab0429ac94acb160304e2bfa36f by Dominik Haumann.
Committed on 29/03/2016 at 15:52.
Pushed by dhaumann into branch 'master'.

encoding detection: fix crash in wrong usage of isprint

If the first character was negative, we always hit a crash in the
encoding detection. This patch fixes this.
REVIEW: 127488
CHANGELOG: encoding detection: fix crash in wrong usage of isprint (bug #357341)

A  +-    --    autotests/data/binary_data
M  +11   -0    autotests/kencodingprobertest.cpp
M  +3    -1    src/probers/UnicodeGroupProber.cpp

http://commits.kde.org/kcodecs/d9a99dce9d63cab0429ac94acb160304e2bfa36f
Comment 6 Dominik Haumann 2016-04-05 19:54:25 UTC
*** Bug 343261 has been marked as a duplicate of this bug. ***
Comment 7 Dominik Haumann 2016-05-29 10:24:19 UTC
*** Bug 362273 has been marked as a duplicate of this bug. ***