Bug 82456

Summary: Corrupt indicies can make KMail allocate way too much memory (and crash)
Product: [Unmaintained] kmail Reporter: Malte S. Stretz <mss>
Component: generalAssignee: kdepim bugs <pim-bugs-null>
Status: RESOLVED DUPLICATE    
Severity: crash CC: sanskryt
Priority: NOR    
Version First Reported In: SVN (3.5 branch)   
Target Milestone: ---   
Platform: Gentoo Packages   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description Malte S. Stretz 2004-05-29 18:25:03 UTC 
Version:           unknown (using KDE 3.2.2, Gentoo)
Compiler:          gcc version 3.3.2 20031218 (Gentoo Linux 3.3.2-r5, propolice-3.3-7)
OS:                Linux (i686) release 2.6.5-gentoo-r1

When I tried to work around bug 63218, I finally ran into the following crash. That happens also with KMail HEAD from a few hours ago.

The debug output:
mss@otherland ~ $ kmail --nofork
kmail: KMKernel::KMKernel
libkdenetwork: creating new pgp object
libkdenetwork: Kpgp: gpg found
kmail: No Qt-native utf-7 codec found; registering QUtf7Codec from libkdenetwork
kmail: instantating KPIM::IdentityManager
kmail: Identity::readConfig(): UOID = 2007011020 for identity named "Privat"
kmail: Identity::readConfig(): UOID = 1699921815 for identity named "Bernt Lorentz KG"
kmail: Identity::readConfig(): UOID = 141321523 for identity named "FH Wedel"
kmail: Identity::readConfig(): UOID = 294152705 for identity named "Mailinglists"
kmail: Identity::readConfig(): UOID = 973000246 for identity named "Stoltzenberg"
kio (KSycoca): Trying to open ksycoca from /var/tmp/kdecache-mss/ksycoca
kmail: pPopFilter set
kdecore (KConfigSkeleton): Creating KConfigSkeleton (0x8333688)
kdecore (KConfigSkeleton): KConfigSkeleton::readConfig()
kmail: KMailApplication::newInstance()
kmail: KMKernel::openReader called
QObject::connect: No such signal KMHeaders::itemAdded(QListViewItem*)
QObject::connect:  (sender name:   'headers')
QObject::connect:  (receiver name: 'headers quick search line')
kdecore (KAccel): WARNING: KKeySequence::init( seq ): key[0] is null.
kdecore (KAccel): WARNING: KKeySequence::init( seq ): key[0] is null.
kmail: setupSystray called
kmail: set Msg, force = true
khtml (part): DONE: 38
kmail: set Msg, force = true
khtml (part): DONE: 17
kmail: kmfolder_open == 5(1)
kmail: KMMDict::KMDict Size: 196613
QGArray::at: Absolute index 0 out of range
*** KMail got signal 11 (Crashing)
KCrash: crashing... crashRecursionCounter = 2
KCrash: Application Name = kmail path = <unknown> pid = 6345

The backtrace:
Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 6345)]
0x421803e8 in waitpid () from /lib/libpthread.so.0
#0  0x421803e8 in waitpid () from /lib/libpthread.so.0
#1  0x417812d4 in __JCR_LIST__ () from /usr/kde/cvs/lib/libkdecore.so.4
#2  0x416c62b0 in KCrash::defaultCrashHandler(int) (sig=11) at kcrash.cpp:246
#3  0x4217f1b3 in __pthread_sighandler () from /lib/libpthread.so.0
#4  <signal handler called>
#5  KMMsgDictREntry (this=0x87ebdd0, size=1296769059) at kmmsgdict.cpp:67
#6  0x4026be99 in KMMsgDict::readFolderIds(KMFolder*) (this=0x85022f8, 
    folder=0x8221ff8) at kmmsgdict.cpp:347
#7  0x402937ef in KMFolderMgr::readMsgDict(KMMsgDict*, KMFolderDir*, int) (
    this=0x81f9eb8, dict=0x85022f8, dir=0x821fb90, pass=1)
    at kmfoldermgr.cpp:502
#8  0x402937b3 in KMFolderMgr::readMsgDict(KMMsgDict*, KMFolderDir*, int) (
    this=0x81f9eb8, dict=0x85022f8, dir=0x81f9ee4, pass=1)
    at kmfoldermgr.cpp:502
#9  0x4030cf36 in KMKernel::msgDict() (this=0xbfffef40) at kmkernel.cpp:1626
#10 0x4022ec41 in KMHeaders::readSortOrder(bool) (this=0x8342310, 
    set_selection=true) at kmheaders.cpp:3058
#11 0x40229c5b in KMHeaders::updateMessageList(bool) (this=0x8342310, 
    set_selection=true) at kmheaders.cpp:2212
#12 0x40224f4d in KMHeaders::setFolder(KMFolder*, bool) (this=0x8342310, 
    aFolder=0x820c570, jumpToFirst=true) at kmheaders.cpp:987
#13 0x40379edb in KMMainWidget::folderSelected(KMFolder*, bool) (
    this=0x8339af8, aFolder=0x820c570, jumpToUnread=false)
    at kmmainwidget.cpp:1696
#14 0x40379c2e in KMMainWidget::folderSelected(KMFolder*) (this=0x0, 
    aFolder=0x0) at kmmainwidget.cpp:1621
#15 0x40371ee0 in KMMainWidget::qt_invoke(int, QUObject*) (this=0x8339af8, 
    _id=50, _o=0xbfffe730) at kmmainwidget.moc:478
#16 0x41a921f6 in QObject::activate_signal(QConnectionList*, QUObject*) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#17 0x4021529d in KMFolderTree::folderSelected(KMFolder*) (this=0x83bfbe8, 
    t0=0x0) at kmfoldertree.moc:348
#18 0x40210bda in KMFolderTree::doFolderSelected(QListViewItem*) (
    this=0x83bfbe8, qlvi=0x840dc80) at kmfoldertree.cpp:810
#19 0x40384d48 in KMMainWidget::slotShowStartupFolder() (this=0x8339af8)
    at kmmainwidget.cpp:3168
#20 0x403726b2 in KMMainWidget::qt_invoke(int, QUObject*) (this=0x8339af8, 
    _id=153, _o=0xbfffe8c0) at kmmainwidget.moc:581
#21 0x41a9227c in QObject::activate_signal(QConnectionList*, QUObject*) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#22 0x41dc268a in QSignal::signal(QVariant const&) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#23 0x41aabfdd in QSignal::activate() () from /usr/qt/3/lib/libqt-mt.so.3
#24 0x41ab3713 in QSingleShotTimer::event(QEvent*) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#25 0x41a36d6f in QApplication::internalNotify(QObject*, QEvent*) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#26 0x41a3613b in QApplication::notify(QObject*, QEvent*) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#27 0x4163e80e in KApplication::notify(QObject*, QEvent*) (this=0xbffff030, 
    receiver=0x8451dc0, event=0xbfffed00) at kapplication.cpp:511
#28 0x41a26645 in QEventLoop::activateTimers() ()
   from /usr/qt/3/lib/libqt-mt.so.3
#29 0x419e2446 in QEventLoop::processEvents(unsigned) ()
   from /usr/qt/3/lib/libqt-mt.so.3
#30 0x41a48d88 in QEventLoop::enterLoop() () from /usr/qt/3/lib/libqt-mt.so.3
#31 0x41a48c38 in QEventLoop::exec() () from /usr/qt/3/lib/libqt-mt.so.3
#32 0x41a36fc1 in QApplication::exec() () from /usr/qt/3/lib/libqt-mt.so.3
#33 0x0804aa95 in main (argc=0, argv=0x0) at main.cpp:108
Comment 1 Malte S. Stretz 2004-05-29 18:29:20 UTC 
Wow. The Magic Dup FInder tells me that this crash already happened almost half a year ago. It's bug 70406.
Comment 2 Malte S. Stretz 2004-05-29 20:46:32 UTC 
Even after I removed all (root) indicies, it still crashes.
Comment 3 Malte S. Stretz 2004-05-30 01:09:55 UTC 
Finally... got the problem.

It seems like I've got one corrupted index lying around which makes KMMsgDict::readFolderIds() create a new KMMsgDictREntry with 1296769059 elements. Which can't be allocated. But as the return value of array.resize(size) in the ctor isn't checked, KMail tries anyways. The size should probably limited to a reasonable size anyway to avoid stuff like bug 82455.

If the real reason for this big number isn't corruption (to get where it creates the entry it has to pass a few sanity checks), maybe that weird swapByteOrder macro (called in KMMsgDict::readFolderIds) is borked? If wanted, I can attach both the folder (it's an mbox, my virus collection ;) and the indicies.

I also noticed that KMFolderMgr::readMsgDict doesn't check the return value of KMMsgDict::readFolderIds though that one can fail.
Comment 4 Malte S. Stretz 2004-05-31 13:46:49 UTC 
*** Bug 82455 has been marked as a duplicate of this bug. ***
Comment 5 Till Adam 2004-06-29 22:32:13 UTC 
*** Bug 80410 has been marked as a duplicate of this bug. ***
Comment 6 Till Adam 2004-07-18 16:29:54 UTC 

*** This bug has been marked as a duplicate of 70406 ***