Bug 514900

Summary: Crash in maliit-keyboard (SIGSEGV in _mm_loadu_si128) due to invalid surrounding_text length (6881396)
Product: [Plasma] kwin
Reporter: Eshan <eshansharma1368>
Component: virtual-keyboard
Assignee: KWin default assignee <kwin-bugs-null>
Status: RESOLVED UPSTREAM
Severity: crash
CC: johnparmitage, kde, kdedev
Priority: NOR
Version First Reported In: 6.5.5
Target Milestone: ---
Platform: Fedora RPMs
OS: Linux
URL: https://github.com/maliit/keyboard/issues/262
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description Eshan 2026-01-21 13:43:08 UTC
SUMMARY
Crash in maliit-keyboard (SIGSEGV in _mm_loadu_si128) due to invalid surrounding_text length (6881396)

STEPS TO REPRODUCE
1. Use Fedora 43 with KDE Plasma 6.5.5 on a Wayland session.
2. Ensure maliit-keyboard is active or set as the virtual keyboard.
3. Interact with text input fields; the crash may occur.

OBSERVED RESULT
Maliit keyboard crashes

EXPECTED RESULT
Maliit keyboard should not crash

SOFTWARE/OS VERSIONS
Operating System: Fedora Linux 43 (Kinoite)
KDE Plasma Version: 6.5.5
KDE Frameworks Version: 6.22.0
Qt Version: 6.10.1
Kernel Version: 6.18.5-200.fc43.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 6 × Intel® Core™ i5-9400F CPU @ 2.90GHz
Graphics Processor: NVIDIA GeForce GTX 1650

ADDITIONAL INFORMATION
Full backtrace:
#0  _mm_loadu_si128(long long __vector(2) const*) (__P=<optimized out>)
at /usr/lib/gcc/x86_64-redhat-linux/15/include/emmintrin.h:1462
No locals.
#1  simdDecodeAscii (dst=<optimized out>, nextAscii=<optimized out>, src=<optimized out>, end=<optimized out>)
at codecs/qutfcodec.cpp:139
data = <error reading variable data (Cannot access memory at address 0x559dc37aa000)>
BitSpacing = 1
n = <optimized out>
#2  QUtf8::convertToUnicode (buffer=buffer@entry=0x7f89ee6df028, chars=chars@entry=0x559dc312cdf8 "", len=len@entry=6881396)
at codecs/qutfcodec.cpp:528
dst = 0x7f89ef3c9f66
src = 0x559dc37a9ff9 ""
end = 0x559dc37bce6c <error: Cannot access memory at address 0x559dc37bce6c>
nextAscii = <optimized out>
#3  0x00007f8a47db8a38 in QUtf8::convertToUnicode (chars=0x559dc312cdf8 "", len=6881396) at codecs/qutfcodec.cpp:487
result = {d = 0x7f89ee6df010}
data = 0x7f89ee6df028
end = <optimized out>
#4  0x00007f8a47c20aa9 in QString::fromUtf8_helper (str=<optimized out>, size=<optimized out>) at text/qstring.cpp:5598
No locals.
#5  0x00007f8a4963d62b in QString::fromUtf8 (str=<optimized out>, size=6881396) at /usr/include/qt5/QtCore/qstring.h:703
No locals.
#6  Maliit::Wayland::InputMethodContext::zwp_input_method_context_v1_surrounding_text (this=0x559dc2c39360, text=...,
cursor=6881396, anchor=7209071)
at /usr/src/debug/maliit-framework-2.3.0-10.fc43.x86_64/connection/waylandinputmethodconnection.cpp:600
utf8_text = @0x7ffc63150ea8: {d = 0x559dc312cde0}
__PRETTY_FUNCTION__ = <optimized out>
#7  0x00007f8a4963a4ba in QtWayland::zwp_input_method_context_v1::handle_surrounding_text (data=0x559dc2c39360,
object=<optimized out>, text=<optimized out>, cursor=6881396, anchor=7209071)
at /usr/src/debug/maliit-framework-2.3.0-10.fc43.x86_64/redhat-linux-build/qwayland-input-method-unstable-v1.cpp:207
No locals.
#8  0x00007f8a46fe5056 in ffi_call_unix64 () at ../src/x86/unix64.S:104
No locals.
#9  0x00007f8a46fe0d16 in ffi_call_int (cif=cif@entry=0x7ffc63151140,
fn=fn@entry=0x7f8a4963a450 <QtWayland::zwp_input_method_context_v1::handle_surrounding_text(void*, zwp_input_method_context_v1*, char const*, unsigned int, unsigned int)>, rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7ffc63151210,
closure=closure@entry=0x0) at ../src/x86/ffi64.c:676
classes = {X86_64_INTEGERSI_CLASS, X86_64_NO_CLASS, 1191090528, 32650}
stack = <optimized out>
argp = 0x7ffc63150f90 ""
arg_types = <optimized out>
gprcount = 5
ssecount = <optimized out>
ngpr = 1
nsse = 0
i = <optimized out>
avn = <optimized out>
flags = <optimized out>
reg_args = <optimized out>
#10 0x00007f8a46fe37ae in ffi_call (cif=cif@entry=0x7ffc63151140,
fn=0x7f8a4963a450 <QtWayland::zwp_input_method_context_v1::handle_surrounding_text(void*, zwp_input_method_context_v1*, char const*, unsigned int, unsigned int)>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffc63151210) at ../src/x86/ffi64.c:713
arg_types = <optimized out>
i = <optimized out>
nargs = <optimized out>
max_reg_struct_size = <optimized out>
#11 0x00007f8a472e7feb in wl_closure_invoke (closure=closure@entry=0x7f8a200049f0, target=<optimized out>,
target@entry=0x7f8a28001510, opcode=opcode@entry=0, data=<optimized out>, flags=1) at ../src/connection.c:1241
count = 3
cif = {abi = FFI_UNIX64, nargs = 5, arg_types = 0x7ffc63151160, rtype = 0x7f8a46fe98c0 <ffi_type_void>, bytes = 0,
flags = 0}
ffi_types = {0x7f8a46fe99c0 <ffi_type_pointer>, 0x7f8a46fe99c0 <ffi_type_pointer>, 0x7f8a46fe99c0 <ffi_type_pointer>,
0x7f8a46fe9960 <ffi_type_uint32>, 0x7f8a46fe9960 <ffi_type_uint32>,
0x7f8a491359d5 <QSGGuiThreadRenderLoop::exposureChanged(QQuickWindow*)+117>, 0x559dc2c6b820, 0x7ffc631512e0, 0x0,
0x559dc2c6af20, 0x559dc29794b0, 0x3a9ae7e3db311900, 0x1, 0x559dc2c6af20, 0x7ffc631512e0, 0x559dc29794b0,
0x7ffc63151250, 0x7f8a4811a9a5 <QWindow::event(QEvent*)+293>, 0x160000000b, 0x3a9ae7e3db311900, 0x559dc2c6af20,
0x559dc2c6af20}
ffi_args = {0x7ffc63151120, 0x7ffc63151128, 0x7f8a20004a08, 0x7f8a20004a10, 0x7f8a20004a18, 0x0, 0x20, 0x7f8a4343ba40,
0x7ffc63151270, 0x7f8a47621c84 <__syscall_cancel+20>, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x7f8a488a21c8 <g_wakeup_signal+136>, 0x1, 0x3a9ae7e3db311900,
0x7f8a4870c010 <QWindowSystemInterfacePrivate::windowSystemEventQueue>, 0x559dc364e880}
implementation = <optimized out>
#12 0x00007f8a472e8e49 in dispatch_event (display=display@entry=0x559dc29862e0, queue=queue@entry=0x559dc29863d8)
at ../src/wayland-client.c:1707
closure = 0x7f8a200049f0
proxy = 0x7f8a28001510
opcode = 0
proxy_destroyed = <optimized out>
#13 0x00007f8a472e9243 in dispatch_queue (display=0x559dc29862e0, queue=0x559dc29863d8) at ../src/wayland-client.c:1853
count = 0
#14 wl_display_dispatch_queue_pending (display=0x559dc29862e0, queue=0x559dc29863d8) at ../src/wayland-client.c:2190
ret = <optimized out>
#15 0x00007f8a35475afe in QtWaylandClient::QWaylandDisplay::flushRequests (this=<optimized out>)
at /usr/src/debug/qt5-qtwayland-5.15.18-1.fc43.x86_64/src/client/qwaylanddisplay.cpp:255
No locals.
#16 0x00007f8a47d8ccb4 in QObject::event (this=<optimized out>, e=<optimized out>) at kernel/qobject.cpp:1347
mce = <optimized out>
sender = {previous = 0x0, receiver = 0x559dc2984440, sender = 0x559dc2a251b0, signal = 5}
#17 0x00007f8a47d5f778 in QCoreApplication::notifyInternal2 (receiver=0x559dc2984440, event=0x7f8a28001400)
at kernel/qcoreapplication.cpp:1064
selfRequired = true
result = false
cbdata = {0x559dc2984440, 0x7f8a28001400, 0x7ffc6315147f}
d = <optimized out>
threadData = 0x559dc29794b0
scopeLevelCounter = {threadData = 0x559dc29794b0}
#18 0x00007f8a47d5f992 in QCoreApplication::sendEvent (receiver=<optimized out>, event=<optimized out>)
at kernel/qcoreapplication.cpp:1462
No locals.
#19 0x00007f8a47d62ca8 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=event_type@entry=0,
data=0x559dc29794b0) at kernel/qcoreapplication.cpp:1821
e = 0x7f8a28001400
pe = <optimized out>
r = 0x559dc2984440
relocker = <optimized out>
event_deleter = {d = 0x7f8a28001400}
locker = {_M_device = 0x559dc29794e0, _M_owns = true}
startOffset = 0
i = @0x559dc29794d4: 1
cleanup = {receiver = 0x0, event_type = 0, data = 0x559dc29794b0, exceptionCaught = true}
#20 0x00007f8a47d62f50 in QCoreApplication::sendPostedEvents (receiver=<optimized out>, event_type=0)
at kernel/qcoreapplication.cpp:1680
data = <optimized out>
#21 0x00007f8a47db54cf in postEventSourceDispatch (s=0x559dc2a25840) at kernel/qeventdispatcher_glib.cpp:277
source = 0x559dc2a25840
#22 0x00007f8a4884e2a3 in g_main_dispatch (context=0x7f8a30000f20) at ../glib/gmain.c:3565
dispatch = 0x7f8a47db54b0 <postEventSourceDispatch(GSource*, GSourceFunc, gpointer)>
prev_source = 0x0
begin_time_nsec = 36065968130
was_in_call = 0
user_data = 0x0
callback = 0x0
cb_funcs = 0x0
cb_data = 0x0
need_destroy = <optimized out>
source = 0x559dc2a25840
current = 0x559dc317a2e0
i = 0
__func__ = <optimized out>
#23 g_main_context_dispatch_unlocked (context=0x7f8a30000f20) at ../glib/gmain.c:4425
No locals.
#24 0x00007f8a488571f8 in g_main_context_iterate_unlocked (context=context@entry=0x7f8a30000f20, block=block@entry=1,
dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4490
max_priority = 2147483647
timeout_usec = 21985000
some_ready = 1
nfds = 1
allocated_nfds = <optimized out>
fds = <optimized out>
begin_time_nsec = <optimized out>
#25 0x00007f8a488573a3 in g_main_context_iteration (context=0x7f8a30000f20, may_block=1) at ../glib/gmain.c:4556
retval = <optimized out>
#26 0x00007f8a47db4f67 in QEventDispatcherGlib::processEvents (this=0x559dc2a49710, flags=...)
at kernel/qeventdispatcher_glib.cpp:423
d = 0x559dc2a24a60
canWait = <optimized out>
savedFlags = {i = 0}
result = <optimized out>
#27 0x00007f8a47d5e0e2 in QEventLoop::exec (this=this@entry=0x7ffc631517d0, flags=..., flags@entry=...)
at ../../include/QtCore/../../src/corelib/global/qflags.h:69
d = 0x559dc31354d0
threadData = <optimized out>
locker = {val = 94136062940584}
ref = <optimized out>
app = <optimized out>
#28 0x00007f8a47d664c4 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1375
threadData = 0x559dc29794b0
eventLoop = {<QObject> = {_vptr.QObject = 0x7f8a48083b28 <vtable for QEventLoop+16>, static staticMetaObject = {d = {
superdata = {direct = 0x0}, stringdata = 0x7f8a47fc1380 <qt_meta_stringdata_QObject>,
data = 0x7f8a47fc1260 <qt_meta_data_QObject>,
static_metacall = 0x7f8a47d93620 <QObject::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>,
relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x559dc31354d0}, static staticQtMetaObject = {d = {
superdata = {direct = 0x0}, stringdata = 0x7f8a47fc4340 <qt_meta_stringdata_Qt>,
data = 0x7f8a47fc14a0 <qt_meta_data_Qt>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}},
static staticMetaObject = {d = {superdata = {direct = 0x7f8a4807b3a0 <QObject::staticMetaObject>},
stringdata = 0x7f8a47fbd540 <qt_meta_stringdata_QEventLoop>, data = 0x7f8a47fbd4e0 <qt_meta_data_QEventLoop>,
static_metacall = 0x7f8a47d5ddc0 <QEventLoop::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>,
relatedMetaObjects = 0x0, extradata = 0x0}}}
returnCode = <optimized out>
#29 0x00007f8a48102bad in QGuiApplication::exec () at kernel/qguiapplication.cpp:1863
No locals.
#30 0x0000559dbd49ae0d in main (argc=<optimized out>, argv=<optimized out>)
at /usr/src/debug/maliit-keyboard-2.3.1-11.fc43.x86_64/src/keyboard/keyboard.cpp:40
app = {<QCoreApplication> = {<QObject> = {_vptr.QObject = 0x7f8a486f5260 <vtable for QGuiApplication+16>,
static staticMetaObject = {d = {superdata = {direct = 0x0},
stringdata = 0x7f8a47fc1380 <qt_meta_stringdata_QObject>, data = 0x7f8a47fc1260 <qt_meta_data_QObject>,
static_metacall = 0x7f8a47d93620 <QObject::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>,
relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x559dc2979380}, static staticQtMetaObject = {d = {
superdata = {direct = 0x0}, stringdata = 0x7f8a47fc4340 <qt_meta_stringdata_Qt>,
data = 0x7f8a47fc14a0 <qt_meta_data_Qt>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}},
static staticMetaObject = {d = {superdata = {direct = 0x7f8a4807b3a0 <QObject::staticMetaObject>},
stringdata = 0x7f8a47fbd740 <qt_meta_stringdata_QCoreApplication>,
data = 0x7f8a47fbd620 <qt_meta_data_QCoreApplication>,
static_metacall = 0x7f8a47d61040 <QCoreApplication::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, static self = 0x7ffc63151870}, static staticMetaObject = {d = {superdata = {
direct = 0x7f8a48083cc0 <QCoreApplication::staticMetaObject>},
stringdata = 0x7f8a4862c860 <qt_meta_stringdata_QGuiApplication>,
data = 0x7f8a4862c5e0 <qt_meta_data_QGuiApplication>,
static_metacall = 0x7f8a48103c40 <QGuiApplication::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>,
relatedMetaObjects = 0x0, extradata = 0x0}}}
plugin = {<QObject> = {_vptr.QObject = 0x559dbd4d7000 <vtable for MaliitKeyboardPlugin+16>, static staticMetaObject = {
d = {superdata = {direct = 0x0}, stringdata = 0x7f8a47fc1380 <qt_meta_stringdata_QObject>,
data = 0x7f8a47fc1260 <qt_meta_data_QObject>,
static_metacall = 0x7f8a47d93620 <QObject::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>,
relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x559dc2c4c350}, static staticQtMetaObject = {d = {
superdata = {direct = 0x0}, stringdata = 0x7f8a47fc4340 <qt_meta_stringdata_Qt>,
data = 0x7f8a47fc14a0 <qt_meta_data_Qt>, static_metacall = 0x0, relatedMetaObjects = 0x0,
extradata = 0x0}}}, <Maliit::Plugins::InputMethodPlugin> = {
_vptr.InputMethodPlugin = 0x559dbd4d7088 <vtable for MaliitKeyboardPlugin+152>}, static staticMetaObject = {d = {
superdata = {direct = 0x7f8a4807b3a0 <QObject::staticMetaObject>},
stringdata = 0x559dbd4cc440 <qt_meta_stringdata_MaliitKeyboardPlugin>,
data = 0x559dbd4c9b80 <qt_meta_data_MaliitKeyboardPlugin>,
static_metacall = 0x559dbd49b1c0 <MaliitKeyboardPlugin::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}}
inputMethod = {<QObject> = {_vptr.QObject = 0x7f8a496a3cf0 <vtable for Maliit::StandaloneInputMethod+16>,
static staticMetaObject = {d = {superdata = {direct = 0x0}, stringdata = 0x7f8a47fc1380 <qt_meta_stringdata_QObject>,
data = 0x7f8a47fc1260 <qt_meta_data_QObject>,
static_metacall = 0x7f8a47d93620 <QObject::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)>,
relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x559dc2c62250}, static staticQtMetaObject = {d = {
superdata = {direct = 0x0}, stringdata = 0x7f8a47fc4340 <qt_meta_stringdata_Qt>,
data = 0x7f8a47fc14a0 <qt_meta_data_Qt>, static_metacall = 0x0, relatedMetaObjects = 0x0, extradata = 0x0}}},
static staticMetaObject = {d = {superdata = {direct = 0x7f8a4807b3a0 <QObject::staticMetaObject>},
stringdata = 0x7f8a49683540 <qt_meta_stringdata_Maliit__StandaloneInputMethod>,
data = 0x7f8a49680440 <qt_meta_data_Maliit__StandaloneInputMethod>,
static_metacall = 0x7f8a495ff620 <Maliit::StandaloneInputMethod::qt_static_metacall(QObject*, QMetaObject::Call, int,void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, mConnection = std::unique_ptr<MInputContextConnection> = {
get() = 0x559dc2a24820}, mPlatform = {value = 0x559dc2c62390, d = 0x559dc2c623d0},
mWindowGroup = std::unique_ptr<Maliit::WindowGroup> = {get() = 0x559dc2c623f0},
mInputMethodHost = std::unique_ptr<Maliit::StandaloneInputMethodHost> = {get() = 0x559dc2c625e0},
mInputMethod = std::unique_ptr<MAbstractInputMethod> = {get() = 0x559dc2c63370}}
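The backtrace above shows a surrounding_text handler applying a 6881396-byte length to a string that is actually empty, so QString::fromUtf8 reads past the buffer. As an added illustration (not code from maliit-framework, maliit-keyboard or KWin), the plain C++ below shows the bounds and UTF-8 boundary validation such a handler can apply before converting anything; it assumes the input-method-unstable-v1 convention that cursor and anchor are byte offsets into the UTF-8 text, and the names `SurroundingText`, `parseSurroundingText` and `acceptsSurroundingText` are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>

// Constructed example: what a handler keeps from a surrounding_text event once
// it has been validated. Assumption (input-method-unstable-v1): `text` is UTF-8
// and `cursor`/`anchor` are byte offsets into it.
struct SurroundingText {
    std::string text;
    std::size_t cursor = 0;
    std::size_t anchor = 0;
};

// True if `offset` lands on a UTF-8 code point boundary of `text` (end inclusive).
static bool isUtf8Boundary(const std::string& text, std::size_t offset) {
    if (offset > text.size()) return false;
    if (offset == text.size()) return true;
    // Continuation bytes look like 10xxxxxx; a valid offset never points at one.
    return (static_cast<unsigned char>(text[offset]) & 0xC0) != 0x80;
}

// Validate one surrounding_text event. The usable length is derived from the
// text itself, never from cursor or anchor: the backtrace on this page shows
// what happens when a 6881396-byte length is applied to an empty string.
// Returns false and leaves `out` untouched if either offset is out of range or
// splits a multi-byte sequence.
bool parseSurroundingText(const char* text, uint32_t cursor, uint32_t anchor, SurroundingText& out) {
    if (text == nullptr) return false;
    std::string s(text);  // length of the NUL-terminated string argument libwayland delivered
    if (!isUtf8Boundary(s, cursor) || !isUtf8Boundary(s, anchor)) return false;
    out = SurroundingText{std::move(s), cursor, anchor};
    return true;
}

// Convenience wrapper: would this event be accepted at all?
bool acceptsSurroundingText(const char* text, uint32_t cursor, uint32_t anchor) {
    SurroundingText unused;
    return parseSurroundingText(text, cursor, anchor, unused);
}
```

With the values from this report (text "", cursor 6881396, anchor 7209071) the event is rejected instead of being handed to a UTF-8 decoder with a length the buffer cannot back.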
Comment 1 David Edmundson 2026-01-21 14:38:08 UTC
If maliit crashes this needs maliit to fix it. Can you report it there please and link back any reports?
Comment 2 TraceyC 2026-01-29 12:05:53 UTC
There have been a couple of other reports of this crash, so I'll use this as the parent report, and I've created an upstream report:
https://github.com/maliit/keyboard/issues/262
Comment 3 TraceyC 2026-01-29 12:09:18 UTC
*** Bug 514891 has been marked as a duplicate of this bug. ***