Bug 135456 - khtml malformed html crash
Summary: khtml malformed html crash
Status: RESOLVED FIXED
Alias: None
Product: kio
Classification: Frameworks and Libraries
Component: general (show other bugs)
Version: unspecified
Platform: Fedora RPMs Linux
: NOR crash (vote)
Target Milestone: ---
Assignee: David Faure
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-10-11 15:39 UTC by Josh Bressers
Modified: 2006-10-11 16:43 UTC (History)
1 user (show)

See Also:
Latest Commit:
Version Fixed In:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Josh Bressers 2006-10-11 15:39:29 UTC
Version:            (using KDE KDE 3.5.4)
Installed from:    Fedora RPMs
Compiler:          gcc-4.1.1-1.fc5 
OS:                Linux

A kmail crasher was posted to full-disclosure a few days ago:
http://marc.theaimsgroup.com/?t=116018206400001&r=1&w=2

That thread will eventually lead to this reproducer:
http://silenthack.co.uk/nnp/exploits/kmail/imgCrash

The HTML in that file

<html>
<IMG SRC=file:"" />
</html>

crashes (SIGABRT) both kmail and konqueror, which makes this issue look like a khtml problem.  I'm not able to properly debug this issue as I'm not familiar enough with the KDE internals to know why this is happening.
Comment 1 Maksim Orlovich 2006-10-11 16:30:11 UTC
(CC'ing security@ due to the posting, though I don't consider this to be worth such attention...)

KIO gets confused when passed a URL file://""

#2  0xb6791851 in abort () from /lib/i686/libc.so.6
#3  0xb75a5f9a in kDebugBackend (nLevel=3, nArea=7006,
    data=0x842be40 "FATAL: BUG! _ScheduleJob(): No extraJobData for job!\n")
    at /code/KDE/kde3/kdelibs/kdecore/kdebug.cpp:313
#4  0xb75a63c8 in kdbgstream::flush (this=0xbfdec024) at /code/KDE/kde3/kdelibs/kdecore/kdebug.cpp:336
#5  0xb7f46905 in endl () from /opt/kde3.4/lib/libkdeinit_konqueror.so
#6  0xb7e50f87 in kdbgstream::operator<< (this=0xbfdec024, f=0xb7f46860 <endl(kdbgstream&)>)
    at /code/KDE/kde3/kdelibs/kdecore/kdebug.h:260
#7  0xb7bb101a in KIO::Scheduler::_scheduleJob (this=0xbfdebfd8, job=0x842ae00)
    at /code/KDE/kde3/kdelibs/kio/kio/scheduler.cpp:223
#8  0xb7bd2856 in KIO::Scheduler::scheduleJob (job=0x842ae00) at /code/KDE/kde3/kdelibs/kio/kio/scheduler.h:139
#9  0xb6175de7 in khtml::Loader::servePendingRequests (this=0x82cc8c8) at /code/KDE/kde3/kdelibs/khtml/misc/loader.cpp:1149
#10 0xb617703b in khtml::Loader::qt_invoke (this=0x82cc8c8, _id=4, _o=0xbfdec1e0) at ../khtml/misc/loader.moc:262
#11 0xb706b5e7 in QObject::activate_signal (this=0x82cc930, clist=0x82cced8, o=0xbfdec1e0) at kernel/qobject.cpp:2392
#12 0xb706bb8c in QObject::activate_signal (this=0x82cc930, signal=2) at kernel/qobject.cpp:2361
#13 0xb72daf2f in QTimer::timeout () at ../include/qrect.h:248
#14 0xb70858fd in QTimer::event () at ../include/qstring.h:252
#15 0xb702b4bc in QApplication::internalNotify (this=0x0, receiver=0x82cc930, e=0xbfdec428) at kernel/qapplication.cpp:2635
#16 0xb702ba04 in QApplication::notify (this=0xbfdec6ec, receiver=0x82cc930, e=0xbfdec428) at kernel/qapplication.cpp:2523
#17 0xb759e529 in KApplication::notify (this=0xbfdec6ec, receiver=0x82cc930, event=0xbfdec428)
    at /code/KDE/kde3/kdelibs/kdecore/kapplication.cpp:550
#18 0xb701eceb in QEventLoop::activateTimers () at ../include/qrect.h:251
#19 0xb6fef996 in QEventLoop::processEvents (this=0x8084ed8, flags=4) at kernel/qeventloop_x11.cpp:389
#20 0xb7038590 in QEventLoop::enterLoop () at ../include/qshared.h:48
#21 0xb70384f5 in QEventLoop::exec () at ../include/qshared.h:48
#22 0xb70272e4 in QApplication::exec (this=0xbfdec6ec) at kernel/qapplication.cpp:2758
#23 0xb7f44e55 in kdemain () from /opt/kde3.4/lib/libkdeinit_konqueror.so
#24 0xb677d75c in __libc_start_main () from /lib/i686/libc.so.6
#25 0x08048641 in _start ()
Comment 2 David Faure 2006-10-11 16:43:09 UTC
SVN commit 594522 by dfaure:

Don't crash when creating a job for an invalid URL and then calling Scheduler::scheduleJob(job),
which aborts if Scheduler::doJob wasn't called. So let's call doJob in all cases, even if we know
right away that this is an error case.
BUG: 135456


 M  +9 -9      job.cpp  


--- branches/KDE/3.5/kdelibs/kio/kio/job.cpp #594521:594522
@@ -410,15 +410,6 @@
   : Job(showProgressInfo), m_slave(0), m_packedArgs(packedArgs),
     m_url(url), m_command(command), m_totalSize(0)
 {
-    if (!m_url.isValid())
-    {
-        m_error = ERR_MALFORMED_URL;
-        m_errorText = m_url.url();
-        QTimer::singleShot(0, this, SLOT(slotFinished()) );
-        return;
-    }
-
-
     if (m_url.hasSubURL())
     {
        KURL::List list = KURL::split(m_url);
@@ -430,6 +421,15 @@
     }
 
     Scheduler::doJob(this);
+
+    if (!m_url.isValid())
+    {
+        kdDebug() << "ERR_MALFORMED_URL" << endl;
+        m_error = ERR_MALFORMED_URL;
+        m_errorText = m_url.url();
+        QTimer::singleShot(0, this, SLOT(slotFinished()) );
+        return;
+    }
 }
 
 void SimpleJob::kill( bool quietly )