Summary: | image-data in org.freedesktop.Notifications consistently crashes plasmashell | |
---|---|---|---
Product: | [Plasma] plasmashell | Reporter: | simonpatp
Component: | Notifications | Assignee: | Plasma Bugs List <plasma-bugs-null>
Status: | RESOLVED FIXED | |
Severity: | crash | CC: | akselmo, kde, nate
Priority: | NOR | |
Version First Reported In: | 5.27.5 | |
Target Milestone: | 1.0 | |
Platform: | Debian stable | |
OS: | Linux | |
Latest Commit: | https://invent.kde.org/plasma/plasma-workspace/-/commit/55a279591494e227eeaf1f21bc86084eeb0a7c19 | Version Fixed In: |
Sentry Crash Report: | | |
Attachments: | Simple ruby script to trigger the crash | |
Description
simonpatp
2024-02-07 22:18:31 UTC
Can reproduce.

Operating System: Fedora Linux 39
KDE Plasma Version: 6.0.80
KDE Frameworks Version: 6.0.0
Qt Version: 6.6.0
Kernel Version: 6.7.3-200.fc39.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 12 × AMD Ryzen 5 3600 6-Core Processor
Memory: 15.5 GiB of RAM
Graphics Processor: AMD Radeon RX 6600

Backtrace with debug symbols

Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
[Current thread is 1 (Thread 0x7f8b4d41a400 (LWP 2147))]
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00007f8b518ae8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x00007f8b5185c8ee in __GI_raise (sig=6) at ../sysdeps/posix/raise.c:26
#3 0x00007f8b55d65f44 in KCrash::defaultCrashHandler (sig=6) at /home/akseli/Repositories/kde/src/kcrash/src/kcrash.cpp:586
#4 0x00007f8b5185c9a0 in <signal handler called> () at /lib64/libc.so.6
#5 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#6 0x00007f8b518ae8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#7 0x00007f8b5185c8ee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#8 0x00007f8b518448ff in __GI_abort () at abort.c:79
#9 0x00007f8b5112ccf2 in _dbus_abort () at ../../dbus/dbus-sysdeps.c:101
#10 0x00007f8b51155102 in _dbus_warn_check_failed (format=format@entry=0x7f8b5116224c "type %s %d not a basic type") at ../../dbus/dbus-internals.c:289
#11 0x00007f8b51155882 in _dbus_marshal_read_basic.constprop.0 (str=<optimized out>, pos=<optimized out>, type=118, value=<optimized out>, byte_order=<optimized out>, new_pos=0x0) at ../../dbus/dbus-marshal-basic.c:615
#12 0x00007f8b531af442 in q_dbus_message_iter_get_basic (value=0x7ffe7244d950, iter=0x4642d00) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbus_symbols_p.h:316
#13 qIterGet<int> (it=0x4642d00) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusdemarshaller.cpp:35
#14 QDBusDemarshaller::toInt (this=0x4642ce0) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusdemarshaller.cpp:75
#15 QDBusArgument::operator>> (this=<optimized out>, arg=@0x7ffe7244da64: 0) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusargument.cpp:627
#16 QDBusArgument::operator>> (this=0x7ffe7244e5f8, arg=@0x7ffe7244da64: 0) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusargument.cpp:624
#17 0x00007f8b3594803d in NotificationManager::Notification::Private::decodeNotificationSpecImageHint (arg=...) at /home/akseli/Repositories/kde/src/plasma-workspace/libnotificationmanager/notification.cpp:127
#18 0x00007f8b3594ac6a in NotificationManager::Notification::Private::processHints (this=0x65ccf90, hints=...) at /home/akseli/Repositories/kde/src/plasma-workspace/libnotificationmanager/notification.cpp:416
#19 0x00007f8b35927f80 in NotificationManager::ServerPrivate::Notify (this=0x2566dd0, app_name=..., replaces_id=0, app_icon=..., summary=..., body=..., actions=..., hints=..., timeout=-1) at /home/akseli/Repositories/kde/src/plasma-workspace/libnotificationmanager/server_p.cpp:167
#20 0x00007f8b359922b7 in NotificationsAdaptor::Notify (this=0x25ffde0, app_name=..., replaces_id=0, app_icon=..., summary=..., body=..., actions=..., hints=..., timeout=-1) at /home/akseli/Repositories/kde/build/plasma-workspace/libnotificationmanager/notificationsadaptor.cpp:69
#21 0x00007f8b35992618 in NotificationsAdaptor::qt_static_metacall (_o=0x25ffde0, _c=QMetaObject::InvokeMetaMethod, _id=8, _a=0x7ffe7244f318) at /home/akseli/Repositories/kde/build/plasma-workspace/libnotificationmanager/moc_notificationsadaptor.cpp:399
#22 0x00007f8b359929ab in NotificationsAdaptor::qt_metacall (this=0x25ffde0, _c=QMetaObject::InvokeMetaMethod, _id=8, _a=0x7ffe7244f318) at /home/akseli/Repositories/kde/build/plasma-workspace/libnotificationmanager/moc_notificationsadaptor.cpp:468
#23 0x00007f8b531cb479 in QDBusConnectionPrivate::deliverCall (this=this@entry=0x7f8b380016a0, object=object@entry=0x25ffde0, msg=..., metaTypes=..., slotIdx=13) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusintegrator.cpp:967
#24 0x00007f8b531cf095 in QDBusConnectionPrivate::activateCall (this=this@entry=0x7f8b380016a0, object=0x25ffde0, flags=flags@entry=273, msg=...) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusintegrator.cpp:876
#25 0x00007f8b531cf824 in QDBusConnectionPrivate::activateCall (msg=..., flags=273, object=<optimized out>, this=0x7f8b380016a0) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusintegrator.cpp:815
#26 QDBusConnectionPrivate::activateObject (this=0x7f8b380016a0, node=..., msg=..., pathStartPos=<optimized out>) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusintegrator.cpp:1451
#27 0x00007f8b531d1e8a in QDBusActivateObjectEvent::placeMetaCall (this=0x2e56ad0) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/dbus/qdbusintegrator.cpp:1571
#28 0x00007f8b51ff3617 in QObject::event (this=0x2566dd0, e=0x2e56ad0) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/kernel/qobject.cpp:1437
#29 0x00007f8b549c2b38 in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x2566dd0, e=0x2e56ad0) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/widgets/kernel/qapplication.cpp:3290
#30 0x00007f8b51fa0ba8 in QCoreApplication::notifyInternal2 (receiver=0x2566dd0, event=0x2e56ad0) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/kernel/qcoreapplication.cpp:1118
#31 0x00007f8b51fa0dad in QCoreApplication::sendEvent (receiver=<optimized out>, event=<optimized out>) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/kernel/qcoreapplication.cpp:1536
#32 0x00007f8b51fa4aa5 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x5a8230) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/kernel/qcoreapplication.cpp:1898
#33 0x00007f8b51fa4e1d in QCoreApplication::sendPostedEvents (receiver=<optimized out>, event_type=<optimized out>) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/kernel/qcoreapplication.cpp:1757
#34 0x00007f8b522410bf in postEventSourceDispatch (s=0x619e70) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:243
#35 0x00007f8b50911e5c in g_main_dispatch (context=0x7f8b38000ef0) at ../glib/gmain.c:3476
#36 g_main_context_dispatch_unlocked (context=0x7f8b38000ef0) at ../glib/gmain.c:4284
#37 0x00007f8b5096cf18 in g_main_context_iterate_unlocked.isra.0 (context=context@entry=0x7f8b38000ef0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4349
#38 0x00007f8b5090fad3 in g_main_context_iteration (context=0x7f8b38000ef0, may_block=1) at ../glib/gmain.c:4414
#39 0x00007f8b5224096f in QEventDispatcherGlib::processEvents (this=0x5d6b60, flags=...) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/kernel/qeventdispatcher_glib.cpp:393
#40 0x00007f8b51fad9bb in QEventLoop::exec (this=this@entry=0x7ffe7244fbf0, flags=..., flags@entry=...) at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/global/qflags.h:34
#41 0x00007f8b51fa97bd in QCoreApplication::exec () at /usr/src/debug/qt6-qtbase-6.6.0-6.fc39.x86_64/src/corelib/global/qflags.h:74
#42 0x00000000004428c0 in main (argc=2, argv=0x7ffe72450878) at /home/akseli/Repositories/kde/src/plasma-workspace/shell/main.cpp:214

A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/3881

Git commit 390d4fa6d2a8e7507021884edb5bd5207ee151e6 by Akseli Lahtinen.
Committed on 08/02/2024 at 15:25.
Pushed by akselmo into branch 'master'.

Notification: ensure arg is StructureType when decoding ImageHint

If `arg` is any other type than `StructureType`, broken imagehint would crash plasmashell. This change checks for the imagehint that it is correct type. It is better to return no image at all than crash whole shell.

Tested with the ruby code attachment in the bug report.

M +3 -0 libnotificationmanager/notification.cpp

https://invent.kde.org/plasma/plasma-workspace/-/commit/390d4fa6d2a8e7507021884edb5bd5207ee151e6

Git commit d5549c4c1dc35ad6c2a6fcd8d8f643abb9116fc5 by Akseli Lahtinen.
Committed on 08/02/2024 at 15:39.
Pushed by akselmo into branch 'Plasma/6.0'.

Notification: ensure arg is StructureType when decoding ImageHint

If `arg` is any other type than `StructureType`, broken imagehint would crash plasmashell. This change checks for the imagehint that it is correct type. It is better to return no image at all than crash whole shell.

Tested with the ruby code attachment in the bug report.

(cherry picked from commit 390d4fa6d2a8e7507021884edb5bd5207ee151e6)

M +3 -0 libnotificationmanager/notification.cpp

https://invent.kde.org/plasma/plasma-workspace/-/commit/d5549c4c1dc35ad6c2a6fcd8d8f643abb9116fc5

A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/3893

Git commit 5e964798da63304cb97b3647f71f893a7be4be3e by Fushan Wen.
Committed on 12/02/2024 at 12:34.
Pushed by fusionfuture into branch 'master'.

appiumtests/notificationstest: ensure malformed image data can't cause a crash

M +26 -0 appiumtests/notificationstest.py

https://invent.kde.org/plasma/plasma-workspace/-/commit/5e964798da63304cb97b3647f71f893a7be4be3e

A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/3894

Git commit bbe3d49816a97f39fd1df986df1a1e1aa4277481 by Fushan Wen.
Committed on 12/02/2024 at 13:37.
Pushed by fusionfuture into branch 'Plasma/6.0'.

appiumtests/notificationstest: ensure malformed image data can't cause a crash

(cherry picked from commit 5e964798da63304cb97b3647f71f893a7be4be3e)

M +26 -0 appiumtests/notificationstest.py

https://invent.kde.org/plasma/plasma-workspace/-/commit/bbe3d49816a97f39fd1df986df1a1e1aa4277481

Git commit 55a279591494e227eeaf1f21bc86084eeb0a7c19 by Akseli Lahtinen.
Committed on 04/03/2024 at 08:34.
Pushed by akselmo into branch 'Plasma/5.27'.

Notification: ensure arg is StructureType when decoding ImageHint

If `arg` is any other type than `StructureType`, broken imagehint would crash plasmashell. This change checks for the imagehint that it is correct type. It is better to return no image at all than crash whole shell.

Tested with the ruby code attachment in the bug report.

(cherry picked from commit 390d4fa6d2a8e7507021884edb5bd5207ee151e6)

M +3 -0 libnotificationmanager/notification.cpp

https://invent.kde.org/plasma/plasma-workspace/-/commit/55a279591494e227eeaf1f21bc86084eeb0a7c19
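
The type gate described in the commit messages above, sketched as an added example that is not code from plasma-workspace; it goes beyond the fix by also checking the struct's fields against the length of the pixel data before any row is read. `HintValue`, `RawImage`, `Image` and `decodeImageHint` are hypothetical stand-ins for the Qt D-Bus types, and accepting only 8-bit RGB/RGBA is an assumption of the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Fields of the notification spec's image-data struct, signature (iiibiiay).
struct RawImage {
    int32_t width, height, rowstride;
    bool hasAlpha;
    int32_t bitsPerSample, channels;
    std::vector<uint8_t> data;
};

// Hypothetical stand-in for a demarshalled hint: the sender chooses the kind,
// so a struct is only one of the values that can arrive under "image-data".
struct HintValue {
    enum Kind { Int, String, Variant, Struct } kind;
    RawImage image; // meaningful only when kind == Struct
};

struct Image {
    int32_t width, height, channels;
    std::vector<uint8_t> pixels; // tightly packed, stride padding removed
};

// Returns false (no image) unless the hint is a self-consistent struct.
bool decodeImageHint(const HintValue &hint, Image &out)
{
    // Type gate first: never read struct fields out of a non-struct value.
    if (hint.kind != HintValue::Struct)
        return false;
    const RawImage &raw = hint.image;
    // Policy assumed by this example: 8-bit RGB or RGBA only.
    if (raw.width <= 0 || raw.height <= 0 || raw.bitsPerSample != 8)
        return false;
    if (raw.channels != (raw.hasAlpha ? 4 : 3))
        return false;
    // 64-bit arithmetic so the size computations cannot overflow int32_t.
    const int64_t rowBytes = int64_t(raw.width) * raw.channels;
    if (raw.rowstride < rowBytes)
        return false;
    // The last row may omit its padding, so it needs only rowBytes.
    const int64_t needed = int64_t(raw.rowstride) * (raw.height - 1) + rowBytes;
    if (int64_t(raw.data.size()) < needed)
        return false;
    out = Image{raw.width, raw.height, raw.channels, {}};
    for (int32_t y = 0; y < raw.height; ++y) {
        const uint8_t *row = raw.data.data() + int64_t(raw.rowstride) * y;
        out.pixels.insert(out.pixels.end(), row, row + rowBytes);
    }
    return true;
}
```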