Version: (using Devel)
Installed from: Compiled sources
Compiler: gcc 4.1.2 20070925 (Red Hat 4.1.2-33)
OS: Linux

Navigate to tapioca.sourceforge.net and when attempting to load the page, Konqueror will crash. This is with r765967 from SVN trunk.

Backtrace:
Application: Konqueror (konqueror), signal SIGABRT
Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1208437040 (LWP 17704)]
[KCrash handler]
#6  0x00110402 in __kernel_vsyscall ()
#7  0x05933690 in raise () from /lib/libc.so.6
#8  0x05934f91 in abort () from /lib/libc.so.6
#9  0x05977885 in free_check () from /lib/libc.so.6
#10 0x05977095 in free () from /lib/libc.so.6
#11 0x04da16f1 in operator delete () from /usr/lib/libstdc++.so.6
#12 0x04da174d in operator delete[] () from /usr/lib/libstdc++.so.6
#13 0x01e45a73 in ~PNGLoader (this=0x9f9f6d8) at /home/matt/Projects/KDE/Source/trunk/KDE/kdelibs/khtml/imload/decoders/pngloader.cpp:229
#14 0x01e3fa1c in khtmlImLoad::Image::processEOF (this=0x9eb1250) at /home/matt/Projects/KDE/Source/trunk/KDE/kdelibs/khtml/imload/image.cpp:208
#15 0x01d48f80 in khtml::CachedImage::data (this=0x9ec6958, _buffer=@0x9ed20ac, eof=true) at /home/matt/Projects/KDE/Source/trunk/KDE/kdelibs/khtml/misc/loader.cpp:861
#16 0x01d47f3a in khtml::Loader::slotFinished (this=0x9e9ffd8, job=0x9ecafc0) at /home/matt/Projects/KDE/Source/trunk/KDE/kdelibs/khtml/misc/loader.cpp:1299
#17 0x01d4829c in khtml::Loader::qt_metacall (this=0x9e9ffd8, _c=QMetaObject::InvokeMetaMethod, _id=3, _a=0xbff93a2c) at /home/matt/Projects/KDE/Build/trunk/KDE/kdelibs/khtml/loader.moc:126
#18 0x00f2030e in QMetaObject::activate (sender=0x9ecafc0, from_signal_index=7, to_signal_index=7, argv=0xbff93a2c) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qobject.cpp:3081
#19 0x00f2083f in QMetaObject::activate (sender=0x9ecafc0, m=0x7497a8, local_signal_index=3, argv=0xbff93a2c) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qobject.cpp:3140
#20 0x006397fa in KJob::result (this=0x9ecafc0, _t1=0x9ecafc0) at /home/matt/Projects/KDE/Build/trunk/KDE/kdelibs/kdecore/kjob.moc:185
#21 0x00639d7a in KJob::emitResult (this=0x9ecafc0) at /home/matt/Projects/KDE/Source/trunk/KDE/kdelibs/kdecore/jobs/kjob.cpp:290
#22 0x003e15c1 in KIO::SimpleJob::slotFinished (this=0x9ecafc0) at /home/matt/Projects/KDE/Source/trunk/KDE/kdelibs/kio/kio/job.cpp:491
#23 0x003e199a in KIO::TransferJob::slotFinished (this=0x9ecafc0) at /home/matt/Projects/KDE/Source/trunk/KDE/kdelibs/kio/kio/job.cpp:961
#24 0x003e8983 in KIO::TransferJob::qt_metacall (this=0x9ecafc0, _c=QMetaObject::InvokeMetaMethod, _id=7, _a=0xbff94064) at /home/matt/Projects/KDE/Build/trunk/KDE/kdelibs/kio/jobclasses.moc:335
#25 0x00f2030e in QMetaObject::activate (sender=0x9eea1f0, from_signal_index=8, to_signal_index=8, argv=0x0) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qobject.cpp:3081
#26 0x00f2083f in QMetaObject::activate (sender=0x9eea1f0, m=0x55dc24, local_signal_index=4, argv=0x0) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qobject.cpp:3140
#27 0x0048c61d in KIO::SlaveInterface::finished (this=0x9eea1f0) at /home/matt/Projects/KDE/Build/trunk/KDE/kdelibs/kio/slaveinterface.moc:160
#28 0x0048e3d8 in KIO::SlaveInterface::dispatch (this=0x9eea1f0, _cmd=104, rawdata=@0xbff94264) at /home/matt/Projects/KDE/Source/trunk/KDE/kdelibs/kio/kio/slaveinterface.cpp:176
#29 0x0048f097 in KIO::SlaveInterface::dispatch (this=0x9eea1f0) at /home/matt/Projects/KDE/Source/trunk/KDE/kdelibs/kio/kio/slaveinterface.cpp:90
#30 0x00481496 in KIO::Slave::gotInput (this=0x9eea1f0) at /home/matt/Projects/KDE/Source/trunk/KDE/kdelibs/kio/kio/slave.cpp:319
#31 0x004828de in KIO::Slave::qt_metacall (this=0x9eea1f0, _c=QMetaObject::InvokeMetaMethod, _id=2, _a=0xbff94764) at /home/matt/Projects/KDE/Build/trunk/KDE/kdelibs/kio/slave.moc:74
#32 0x00f2030e in QMetaObject::activate (sender=0x9e6c658, from_signal_index=4, to_signal_index=4, argv=0x0) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qobject.cpp:3081
#33 0x00f2083f in QMetaObject::activate (sender=0x9e6c658, m=0x55ab20, local_signal_index=0, argv=0x0) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qobject.cpp:3140
#34 0x003b6cef in KIO::Connection::readyRead (this=0x9e6c658) at /home/matt/Projects/KDE/Build/trunk/KDE/kdelibs/kio/connection.moc:83
#35 0x003b7ccf in KIO::ConnectionPrivate::dequeue (this=0x9f0a398) at /home/matt/Projects/KDE/Source/trunk/KDE/kdelibs/kio/kio/connection.cpp:82
#36 0x003b8c09 in KIO::Connection::qt_metacall (this=0x9e6c658, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x9ccd428) at /home/matt/Projects/KDE/Build/trunk/KDE/kdelibs/kio/connection.moc:71
#37 0x00f1b488 in QMetaCallEvent::placeMetaCall (this=0x9ed5060, object=0x9e6c658) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qobject.cpp:536
#38 0x00f21365 in QObject::event (this=0x9e6c658, e=0x9ed5060) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qobject.cpp:1122
#39 0x01101055 in QApplicationPrivate::notify_helper (this=0x9ba5210, receiver=0x9e6c658, e=0x9ed5060) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/gui/kernel/qapplication.cpp:3556
#40 0x0110136e in QApplication::notify (this=0xbff951e4, receiver=0x9e6c658, e=0x9ed5060) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/gui/kernel/qapplication.cpp:3115
#41 0x008f72c3 in KApplication::notify (this=0xbff951e4, receiver=0x9e6c658, event=0x9ed5060) at /home/matt/Projects/KDE/Source/trunk/KDE/kdelibs/kdeui/kernel/kapplication.cpp:314
#42 0x00f0c74e in QCoreApplication::notifyInternal (this=0xbff951e4, receiver=0x9e6c658, event=0x9ed5060) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qcoreapplication.cpp:530
#43 0x00f1047d in QCoreApplication::sendEvent (receiver=0x9e6c658, event=0x9ed5060) at ../../include/QtCore/../../../../../Source/trunk/qt-copy/src/corelib/kernel/qcoreapplication.h:200
#44 0x00f0cc70 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x9b98f50) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qcoreapplication.cpp:1116
#45 0x00f0ce95 in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=-1) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qcoreapplication.cpp:1001
#46 0x00f3b234 in postEventSourceDispatch (s=0x9ba76e0) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qeventdispatcher_glib.cpp:207
#47 0x0676a10c in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#48 0x0676d54f in ?? () from /lib/libglib-2.0.so.0
#49 0x0676dab5 in g_main_context_iteration () from /lib/libglib-2.0.so.0
#50 0x00f3a798 in QEventDispatcherGlib::processEvents (this=0x9ba4950, flags=@0xbff94ff8) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qeventdispatcher_glib.cpp:338
#51 0x011a9808 in QGuiEventDispatcherGlib::processEvents (this=0x9ba4950, flags=@0xbff95028) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/gui/kernel/qguieventdispatcher_glib.cpp:191
#52 0x00f09042 in QEventLoop::processEvents (this=0xbff950bc, flags=@0xbff95070) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qeventloop.cpp:140
#53 0x00f091c5 in QEventLoop::exec (this=0xbff950bc, flags=@0xbff950c4) at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qeventloop.cpp:186
#54 0x00f0cfb6 in QCoreApplication::exec () at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/corelib/kernel/qcoreapplication.cpp:759
#55 0x01100bbc in QApplication::exec () at /home/matt/Projects/KDE/Source/trunk/qt-copy/src/gui/kernel/qapplication.cpp:3053
#56 0x001ceef1 in kdemain (argc=2, argv=0xbff95584) at /home/matt/Projects/KDE/Source/trunk/KDE/kdebase/apps/konqueror/src/konqmain.cpp:218
#57 0x080487c6 in main (argc=) at /home/matt/Projects/KDE/Build/trunk/KDE/kdebase/apps/konqueror/src/konqueror_dummy.cpp:3
#0  0x00110402 in __kernel_vsyscall ()
I can reproduce this bug (kdebase rev765071). My normal backtraces look like the one already posted, so I'll only attach a Valgrind output for this crash. (I hope it contains some useful information, as valgrind itself seems to have run into some troubles at the end...)

==6229== Memcheck, a memory error detector.
==6229== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==6229== Using LibVEX rev 1732, a library for dynamic binary translation.
==6229== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==6229== Using valgrind-3.2.3, a dynamic binary instrumentation framework.
==6229== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==6229== For more details, rerun with: -v
==6229==
==6229== My PID = 6229, parent PID = 6045.  Prog and args are:
==6229==    konqueror
==6229==
==6229== Conditional jump or move depends on uninitialised value(s)
==6229==    at 0x400A9B5: _dl_relocate_object (do-rel.h:65)
==6229==    by 0x400454C: dl_main (rtld.c:2214)
==6229==    by 0x4013C45: _dl_sysdep_start (dl-sysdep.c:239)
==6229==    by 0x400124E: _dl_start (rtld.c:327)
==6229==    by 0x40008A6: (within /lib/ld-2.6.1.so)
==6229==
==6229== Conditional jump or move depends on uninitialised value(s)
==6229==    at 0x400A9BD: _dl_relocate_object (do-rel.h:68)
==6229==    by 0x400454C: dl_main (rtld.c:2214)
==6229==    by 0x4013C45: _dl_sysdep_start (dl-sysdep.c:239)
==6229==    by 0x400124E: _dl_start (rtld.c:327)
==6229==    by 0x40008A6: (within /lib/ld-2.6.1.so)
==6229==
==6229== Conditional jump or move depends on uninitialised value(s)
==6229==    at 0x400B053: _dl_relocate_object (do-rel.h:104)
==6229==    by 0x400454C: dl_main (rtld.c:2214)
==6229==    by 0x4013C45: _dl_sysdep_start (dl-sysdep.c:239)
==6229==    by 0x400124E: _dl_start (rtld.c:327)
==6229==    by 0x40008A6: (within /lib/ld-2.6.1.so)
==6229==
==6229== Conditional jump or move depends on uninitialised value(s)
==6229==    at 0x400AAF3: _dl_relocate_object (do-rel.h:117)
==6229==    by 0x400454C: dl_main (rtld.c:2214)
==6229==    by 0x4013C45: _dl_sysdep_start (dl-sysdep.c:239)
==6229==    by 0x400124E: _dl_start (rtld.c:327)
==6229==    by 0x40008A6: (within /lib/ld-2.6.1.so)
==6229==
==6229== Conditional jump or move depends on uninitialised value(s)
==6229==    at 0x400A9B5: _dl_relocate_object (do-rel.h:65)
==6229==    by 0x4004169: dl_main (rtld.c:2284)
==6229==    by 0x4013C45: _dl_sysdep_start (dl-sysdep.c:239)
==6229==    by 0x400124E: _dl_start (rtld.c:327)
==6229==    by 0x40008A6: (within /lib/ld-2.6.1.so)
==6229==
==6229== Conditional jump or move depends on uninitialised value(s)
==6229==    at 0x400A9BD: _dl_relocate_object (do-rel.h:68)
==6229==    by 0x4004169: dl_main (rtld.c:2284)
==6229==    by 0x4013C45: _dl_sysdep_start (dl-sysdep.c:239)
==6229==    by 0x400124E: _dl_start (rtld.c:327)
==6229==    by 0x40008A6: (within /lib/ld-2.6.1.so)
==6229==
==6229== Conditional jump or move depends on uninitialised value(s)
==6229==    at 0x400AAF3: _dl_relocate_object (do-rel.h:117)
==6229==    by 0x4004169: dl_main (rtld.c:2284)
==6229==    by 0x4013C45: _dl_sysdep_start (dl-sysdep.c:239)
==6229==    by 0x400124E: _dl_start (rtld.c:327)
==6229==    by 0x40008A6: (within /lib/ld-2.6.1.so)
==6229==
==6229== Source and destination overlap in mempcpy(0x7AC32E0, 0x7AC32E0, 21)
==6229==    at 0x4021E3A: (within /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x4022781: mempcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x58E51D2: _IO_default_xsputn (genops.c:463)
==6229==    by 0x58C021E: vfprintf (vfprintf.c:1568)
==6229==    by 0x58D9CBA: vsprintf (iovsprintf.c:43)
==6229==    by 0x58C5ADD: sprintf (sprintf.c:34)
==6229==    by 0x4970942: parse_fontdata (omGeneric.c:618)
==6229==    by 0x4970AE2: parse_vw (omGeneric.c:1095)
==6229==    by 0x4971301: create_oc (omGeneric.c:1233)
==6229==    by 0x4930C0A: XCreateOC (OCWrap.c:53)
==6229==    by 0x49270A9: XCreateFontSet (FSWrap.c:185)
==6229==    by 0x551969D: getFontSet(QFont const&) (qximinputcontext_x11.cpp:319)
==6229==
==6229== Conditional jump or move depends on uninitialised value(s)
==6229==    at 0x4B68272: (within /lib/libz.so.1.2.3)
==6229==
==6229== Conditional jump or move depends on uninitialised value(s)
==6229==    at 0x4B68212: (within /lib/libz.so.1.2.3)
==6229==
==6229== Invalid write of size 1
==6229==    at 0x40222A5: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x59BA316: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA067: png_progressive_combine_row (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DBAA1: khtmlImLoad::PNGLoader::haveRow(unsigned, int, unsigned char*) (pngloader.cpp:196)
==6229==    by 0x91DBB14: khtmlImLoad::PNGLoader::dispHaveRow(png_struct_def*, unsigned char*, unsigned long, int) (pngloader.cpp:71)
==6229==    by 0x59C9FC9: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA72F: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CABC6: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CAD57: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB52: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==  Address 0x5C045E3 is not stack'd, malloc'd or (recently) free'd
==6229==
==6229== Invalid write of size 1
==6229==    at 0x40222AB: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x59BA316: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA067: png_progressive_combine_row (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DBAA1: khtmlImLoad::PNGLoader::haveRow(unsigned, int, unsigned char*) (pngloader.cpp:196)
==6229==    by 0x91DBB14: khtmlImLoad::PNGLoader::dispHaveRow(png_struct_def*, unsigned char*, unsigned long, int) (pngloader.cpp:71)
==6229==    by 0x59C9FC9: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA72F: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CABC6: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CAD57: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB52: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==  Address 0x5C045E2 is not stack'd, malloc'd or (recently) free'd
==6229==
==6229== Invalid write of size 1
==6229==    at 0x40222B1: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x59BA316: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA067: png_progressive_combine_row (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DBAA1: khtmlImLoad::PNGLoader::haveRow(unsigned, int, unsigned char*) (pngloader.cpp:196)
==6229==    by 0x91DBB14: khtmlImLoad::PNGLoader::dispHaveRow(png_struct_def*, unsigned char*, unsigned long, int) (pngloader.cpp:71)
==6229==    by 0x59C9FC9: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA72F: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CABC6: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CAD57: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB52: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==  Address 0x5C045E1 is not stack'd, malloc'd or (recently) free'd
==6229==
==6229== Invalid write of size 1
==6229==    at 0x40222B6: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x59BA316: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA067: png_progressive_combine_row (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DBAA1: khtmlImLoad::PNGLoader::haveRow(unsigned, int, unsigned char*) (pngloader.cpp:196)
==6229==    by 0x91DBB14: khtmlImLoad::PNGLoader::dispHaveRow(png_struct_def*, unsigned char*, unsigned long, int) (pngloader.cpp:71)
==6229==    by 0x59C9FC9: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA72F: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CABC6: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CAD57: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB52: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==  Address 0x5C045E0 is not stack'd, malloc'd or (recently) free'd
==6229==
==6229== Invalid write of size 1
==6229==    at 0x40222DE: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x59BA595: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA067: png_progressive_combine_row (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DBAA1: khtmlImLoad::PNGLoader::haveRow(unsigned, int, unsigned char*) (pngloader.cpp:196)
==6229==    by 0x91DBB14: khtmlImLoad::PNGLoader::dispHaveRow(png_struct_def*, unsigned char*, unsigned long, int) (pngloader.cpp:71)
==6229==    by 0x59C9FC9: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA7EB: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CABC6: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CAD57: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB52: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==  Address 0x5C045CB is 1 bytes after a block of size 26 alloc'd
==6229==    at 0x402171D: operator new[](unsigned) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x91DBCDE: khtmlImLoad::PNGLoader::haveInfo() (pngloader.cpp:176)
==6229==    by 0x91DBD7F: khtmlImLoad::PNGLoader::dispHaveInfo(png_struct_def*, png_info_struct*) (pngloader.cpp:66)
==6229==    by 0x59C9F7D: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CB641: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB44: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==    by 0x91D6FCF: khtmlImLoad::Image::processData(unsigned char*, int) (image.cpp:150)
==6229==    by 0x90FF89A: khtml::CachedImage::data(QBuffer&, bool) (loader.cpp:856)
==6229==    by 0x90FD200: khtml::Loader::slotData(KIO::Job*, QByteArray const&) (loader.cpp:1360)
==6229==    by 0x90FF090: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:127)
==6229==
==6229== Invalid write of size 1
==6229==    at 0x40222FF: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x59BA316: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA067: png_progressive_combine_row (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DBAA1: khtmlImLoad::PNGLoader::haveRow(unsigned, int, unsigned char*) (pngloader.cpp:196)
==6229==    by 0x91DBB14: khtmlImLoad::PNGLoader::dispHaveRow(png_struct_def*, unsigned char*, unsigned long, int) (pngloader.cpp:71)
==6229==    by 0x59C9FC9: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA72F: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CABC6: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CAD57: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB52: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==  Address 0x5E09B89 is 0 bytes after a block of size 81 alloc'd
==6229==    at 0x402171D: operator new[](unsigned) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x91DBCDE: khtmlImLoad::PNGLoader::haveInfo() (pngloader.cpp:176)
==6229==    by 0x91DBD7F: khtmlImLoad::PNGLoader::dispHaveInfo(png_struct_def*, png_info_struct*) (pngloader.cpp:66)
==6229==    by 0x59C9F7D: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CB641: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB44: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==    by 0x91D6FCF: khtmlImLoad::Image::processData(unsigned char*, int) (image.cpp:150)
==6229==    by 0x90FF89A: khtml::CachedImage::data(QBuffer&, bool) (loader.cpp:856)
==6229==    by 0x90FD200: khtml::Loader::slotData(KIO::Job*, QByteArray const&) (loader.cpp:1360)
==6229==    by 0x90FF090: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:127)
==6229==
==6229== Invalid write of size 1
==6229==    at 0x4022305: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x59BA316: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA067: png_progressive_combine_row (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DBAA1: khtmlImLoad::PNGLoader::haveRow(unsigned, int, unsigned char*) (pngloader.cpp:196)
==6229==    by 0x91DBB14: khtmlImLoad::PNGLoader::dispHaveRow(png_struct_def*, unsigned char*, unsigned long, int) (pngloader.cpp:71)
==6229==    by 0x59C9FC9: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA72F: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CABC6: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CAD57: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB52: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==  Address 0x5E09B8A is 1 bytes after a block of size 81 alloc'd
==6229==    at 0x402171D: operator new[](unsigned) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x91DBCDE: khtmlImLoad::PNGLoader::haveInfo() (pngloader.cpp:176)
==6229==    by 0x91DBD7F: khtmlImLoad::PNGLoader::dispHaveInfo(png_struct_def*, png_info_struct*) (pngloader.cpp:66)
==6229==    by 0x59C9F7D: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CB641: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB44: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==    by 0x91D6FCF: khtmlImLoad::Image::processData(unsigned char*, int) (image.cpp:150)
==6229==    by 0x90FF89A: khtml::CachedImage::data(QBuffer&, bool) (loader.cpp:856)
==6229==    by 0x90FD200: khtml::Loader::slotData(KIO::Job*, QByteArray const&) (loader.cpp:1360)
==6229==    by 0x90FF090: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:127)
==6229==
==6229== Invalid write of size 1
==6229==    at 0x402230E: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x59BA316: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA067: png_progressive_combine_row (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DBAA1: khtmlImLoad::PNGLoader::haveRow(unsigned, int, unsigned char*) (pngloader.cpp:196)
==6229==    by 0x91DBB14: khtmlImLoad::PNGLoader::dispHaveRow(png_struct_def*, unsigned char*, unsigned long, int) (pngloader.cpp:71)
==6229==    by 0x59C9FC9: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA72F: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CABC6: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CAD57: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB52: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==  Address 0x5E09B8B is 2 bytes after a block of size 81 alloc'd
==6229==    at 0x402171D: operator new[](unsigned) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x91DBCDE: khtmlImLoad::PNGLoader::haveInfo() (pngloader.cpp:176)
==6229==    by 0x91DBD7F: khtmlImLoad::PNGLoader::dispHaveInfo(png_struct_def*, png_info_struct*) (pngloader.cpp:66)
==6229==    by 0x59C9F7D: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CB641: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB44: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==    by 0x91D6FCF: khtmlImLoad::Image::processData(unsigned char*, int) (image.cpp:150)
==6229==    by 0x90FF89A: khtml::CachedImage::data(QBuffer&, bool) (loader.cpp:856)
==6229==    by 0x90FD200: khtml::Loader::slotData(KIO::Job*, QByteArray const&) (loader.cpp:1360)
==6229==    by 0x90FF090: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:127)
==6229==
==6229== Invalid write of size 1
==6229==    at 0x40222FA: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x59BA316: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA067: png_progressive_combine_row (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DBAA1: khtmlImLoad::PNGLoader::haveRow(unsigned, int, unsigned char*) (pngloader.cpp:196)
==6229==    by 0x91DBB14: khtmlImLoad::PNGLoader::dispHaveRow(png_struct_def*, unsigned char*, unsigned long, int) (pngloader.cpp:71)
==6229==    by 0x59C9FC9: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA72F: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CABC6: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CAD57: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB52: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==  Address 0x5E09B8C is 3 bytes after a block of size 81 alloc'd
==6229==    at 0x402171D: operator new[](unsigned) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x91DBCDE: khtmlImLoad::PNGLoader::haveInfo() (pngloader.cpp:176)
==6229==    by 0x91DBD7F: khtmlImLoad::PNGLoader::dispHaveInfo(png_struct_def*, png_info_struct*) (pngloader.cpp:66)
==6229==    by 0x59C9F7D: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CB641: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB44: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==    by 0x91D6FCF: khtmlImLoad::Image::processData(unsigned char*, int) (image.cpp:150)
==6229==    by 0x90FF89A: khtml::CachedImage::data(QBuffer&, bool) (loader.cpp:856)
==6229==    by 0x90FD200: khtml::Loader::slotData(KIO::Job*, QByteArray const&) (loader.cpp:1360)
==6229==    by 0x90FF090: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:127)
==6229==
==6229== Invalid write of size 1
==6229==    at 0x402231E: memcpy (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x59BA595: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA067: png_progressive_combine_row (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DBAA1: khtmlImLoad::PNGLoader::haveRow(unsigned, int, unsigned char*) (pngloader.cpp:196)
==6229==    by 0x91DBB14: khtmlImLoad::PNGLoader::dispHaveRow(png_struct_def*, unsigned char*, unsigned long, int) (pngloader.cpp:71)
==6229==    by 0x59C9FC9: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CA7EB: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CABC6: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CAD57: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB52: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==  Address 0x5E09B90 is 7 bytes after a block of size 81 alloc'd
==6229==    at 0x402171D: operator new[](unsigned) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x91DBCDE: khtmlImLoad::PNGLoader::haveInfo() (pngloader.cpp:176)
==6229==    by 0x91DBD7F: khtmlImLoad::PNGLoader::dispHaveInfo(png_struct_def*, png_info_struct*) (pngloader.cpp:66)
==6229==    by 0x59C9F7D: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CB641: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBB44: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59CBBBA: png_process_data (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB8FA: khtmlImLoad::PNGLoader::processData(unsigned char*, int) (pngloader.cpp:254)
==6229==    by 0x91D6FCF: khtmlImLoad::Image::processData(unsigned char*, int) (image.cpp:150)
==6229==    by 0x90FF89A: khtml::CachedImage::data(QBuffer&, bool) (loader.cpp:856)
==6229==    by 0x90FD200: khtml::Loader::slotData(KIO::Job*, QByteArray const&) (loader.cpp:1360)
==6229==    by 0x90FF090: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:127)

valgrind: m_mallocfree.c:194 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 136, hi = 4285529967.
Probably caused by overrunning/underrunning a heap block's bounds.

==6229==    at 0x38010D37: (within /usr/lib/valgrind/x86-linux/memcheck)
==6229==    by 0x38010F49: (within /usr/lib/valgrind/x86-linux/memcheck)
==6229==    by 0x38016AE6: (within /usr/lib/valgrind/x86-linux/memcheck)
==6229==    by 0x38016B2A: (within /usr/lib/valgrind/x86-linux/memcheck)
==6229==    by 0x3801720D: (within /usr/lib/valgrind/x86-linux/memcheck)
==6229==    by 0x38027975: (within /usr/lib/valgrind/x86-linux/memcheck)
==6229==    by 0x38001340: (within /usr/lib/valgrind/x86-linux/memcheck)
==6229==    by 0x380015ED: (within /usr/lib/valgrind/x86-linux/memcheck)
==6229==    by 0x38027E3C: (within /usr/lib/valgrind/x86-linux/memcheck)
==6229==    by 0x38029093: (within /usr/lib/valgrind/x86-linux/memcheck)
==6229==    by 0x38040938: (within /usr/lib/valgrind/x86-linux/memcheck)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==6229==    at 0x4020FE6: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==6229==    by 0x59C9960: png_free_default (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59C99A4: png_free (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x59B7017: (within /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x4B6BC16: inflateEnd (in /lib/libz.so.1.2.3)
==6229==    by 0x59C09E1: png_destroy_read_struct (in /usr/lib/libpng12.so.0.22.0)
==6229==    by 0x91DB95E: khtmlImLoad::PNGLoader::~PNGLoader() (pngloader.cpp:231)
==6229==    by 0x91D6364: khtmlImLoad::Image::processEOF() (image.cpp:208)
==6229==    by 0x90FF8B3: khtml::CachedImage::data(QBuffer&, bool) (loader.cpp:861)
==6229==    by 0x90FED88: khtml::Loader::slotFinished(KJob*) (loader.cpp:1299)
==6229==    by 0x90FF070: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:126)
==6229==    by 0x4D0E1F3: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3081)
==6229==    by 0x4D0ED93: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3140)
==6229==    by 0x4467E33: KJob::result(KJob*) (kjob.moc:185)
==6229==    by 0x4468371: KJob::emitResult() (kjob.cpp:290)
==6229==    by 0x4217567: KIO::SimpleJob::slotFinished() (job.cpp:491)
==6229==    by 0x4217919: KIO::TransferJob::slotFinished() (job.cpp:961)
==6229==    by 0x421E4B2: KIO::TransferJob::qt_metacall(QMetaObject::Call, int, void**) (jobclasses.moc:335)
==6229==    by 0x4D0E1F3: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3081)
==6229==    by 0x4D0ED93: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3140)
==6229==    by 0x42BF745: KIO::SlaveInterface::finished() (slaveinterface.moc:160)
==6229==    by 0x42C1309: KIO::SlaveInterface::dispatch(int, QByteArray const&) (slaveinterface.cpp:176)
==6229==    by 0x42C1F65: KIO::SlaveInterface::dispatch() (slaveinterface.cpp:90)
==6229==    by 0x42B4636: KIO::Slave::gotInput() (slave.cpp:318)
==6229==    by 0x42B5B8C: KIO::Slave::qt_metacall(QMetaObject::Call, int, void**) (slave.moc:74)
==6229==    by 0x4D0E1F3: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3081)
==6229==    by 0x4D0ED93: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3140)
==6229==    by 0x41EF952: KIO::Connection::readyRead() (connection.moc:83)
==6229==    by 0x41F07D5: KIO::ConnectionPrivate::dequeue() (connection.cpp:82)
==6229==    by 0x41F1584: KIO::Connection::qt_metacall(QMetaObject::Call, int, void**) (connection.moc:71)
==6229==    by 0x4D092F8: QMetaCallEvent::placeMetaCall(QObject*) (qobject.cpp:536)
==6229==    by 0x4D0C016: QObject::event(QEvent*) (qobject.cpp:1122)
==6229==    by 0x4FA8E89: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:3556)
==6229==    by 0x4FAA779: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3115)
==6229==    by 0x4714082: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:314)
==6229==    by 0x4CFAD7A: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:530)
==6229==    by 0x4CFC219: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.h:200)
==6229==    by 0x4CFC56C: QCoreApplication::sendPostedEvents(QObject*, int) (qcoreapplication.cpp:1001)
==6229==    by 0x5032AED: QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qcoreapplication.h:205)
==6229==    by 0x4CFA190: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:140)
==6229==    by 0x4CFA299: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:186)
==6229==    by 0x4CFC625: QCoreApplication::exec() (qcoreapplication.cpp:759)
==6229==    by 0x4FA8486: QApplication::exec() (qapplication.cpp:3053)
==6229==    by 0x40CE3BE: kdemain (konqmain.cpp:218)
==6229==    by 0x80487E1: main (konqueror_dummy.cpp:3)

Note: see also the FAQ.txt in the source distribution.
It contains workarounds to several common problems.
If that doesn't help, please report this bug to: www.valgrind.org
In the bug report, send all the above text, the valgrind version, and what Linux distro you are using. Thanks.
Ugh. Somehow libPNG tells us that an image is 8 bits per channel, while it is 16 bits per channel!?
Created attachment 23278: Fix

Ugh. My mess up. The code was losing track of itself adding an alpha channel to a grayscale PNG with a tRNS chunk.
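The two comments above describe the defect behind the Valgrind "Invalid write ... after a block of size 26" lines: the row buffer is sized as if every sample were 8 bits wide, but once libpng expands the tRNS chunk of a 16-bit grayscale image into a real alpha channel, each delivered row is larger than the allocation, and png_progressive_combine_row writes past the end of the heap block. The C program below is an added example, not kdelibs code and not the attached patch. It models, without linking libpng, how the size of a delivered row depends on the IHDR bit depth, the channel count and the transforms the loader asked for, compares the flawed 8-bit assumption with the real size, and shows a row sink that refuses any row that does not fit its buffer. All names, the 13-pixel scenario and the image parameters are constructed for this example; the color-type numbers are the IHDR values, which libpng also uses for its PNG_COLOR_TYPE_* constants.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a progressive PNG loader's row-buffer sizing; no libpng
   is linked. Color types use the IHDR numbering (same as PNG_COLOR_TYPE_*). */
enum { CT_GRAY = 0, CT_RGB = 2, CT_PALETTE = 3, CT_GRAY_ALPHA = 4, CT_RGBA = 6 };

typedef struct {
    int color_type;    /* CT_* from IHDR */
    int bit_depth;     /* bits per sample from IHDR: 1, 2, 4, 8 or 16 */
    int has_trns;      /* a tRNS chunk is present */
    int strip_16;      /* loader asked for 16-bit samples reduced to 8 */
    int trns_to_alpha; /* loader asked for tRNS expanded to an alpha channel */
} PngImage;

/* Samples per pixel the decoder delivers after the requested transforms;
   -1 for an unknown color type. */
static int output_channels(const PngImage *p)
{
    int channels;
    switch (p->color_type) {
    case CT_GRAY: case CT_PALETTE: channels = 1; break;
    case CT_GRAY_ALPHA:            channels = 2; break;
    case CT_RGB:                   channels = 3; break;
    case CT_RGBA:                  channels = 4; break;
    default:                       return -1;
    }
    /* tRNS on gray/RGB becomes a real alpha sample on every pixel */
    if (p->has_trns && p->trns_to_alpha &&
        (p->color_type == CT_GRAY || p->color_type == CT_RGB))
        channels += 1;
    return channels;
}

/* Bits per sample delivered: 16 stays 16 unless strip_16 was requested. */
static int output_bit_depth(const PngImage *p)
{
    return (p->bit_depth == 16 && p->strip_16) ? 8 : p->bit_depth;
}

/* Bytes per delivered row, width * channels * bits rounded up to whole bytes.
   This is the figure to size the buffer from (with libpng, png_get_rowbytes()
   after png_read_update_info()). Returns 0 for an unknown color type. */
size_t actual_row_bytes(const PngImage *p, unsigned width)
{
    int ch = output_channels(p);
    return ch < 0 ? 0 : ((size_t)width * (size_t)ch * (size_t)output_bit_depth(p) + 7) / 8;
}

/* The flawed sizing: one byte per sample, as if every channel were 8 bits. */
size_t naive_row_bytes(const PngImage *p, unsigned width)
{
    int ch = output_channels(p);
    return ch < 0 ? 0 : (size_t)width * (size_t)ch;
}

/* Bytes a single delivered row would write past the naive allocation. */
size_t row_overrun_bytes(const PngImage *p, unsigned width)
{
    size_t actual = actual_row_bytes(p, width), naive = naive_row_bytes(p, width);
    return actual > naive ? actual - naive : 0;
}

typedef struct { unsigned char *data; size_t capacity; } RowBuffer;

/* Defensive row sink: copy only when the row fits; otherwise reject it
   without touching memory. Returns 0 on success, -1 on an oversized row. */
int store_row(RowBuffer *rb, const unsigned char *row, size_t row_len)
{
    if (rb == NULL || rb->data == NULL || row == NULL || row_len > rb->capacity)
        return -1;
    memcpy(rb->data, row, row_len);
    return 0;
}

/* Constructed scenario echoing the report: 16-bit grayscale with tRNS, alpha
   expansion requested, 13 pixels wide. Delivered row: 13 * 2 * 16 / 8 = 52
   bytes; naive allocation: 13 * 2 = 26 bytes. */
static const PngImage GRAY16_TRNS_KEEP16 = { CT_GRAY, 16, 1, 0, 1 };
static const PngImage GRAY16_TRNS_STRIP16 = { CT_GRAY, 16, 1, 1, 1 };
#define DEMO_WIDTH 13u

size_t demo_overrun(void) { return row_overrun_bytes(&GRAY16_TRNS_KEEP16, DEMO_WIDTH); }
size_t demo_overrun_after_strip16(void) { return row_overrun_bytes(&GRAY16_TRNS_STRIP16, DEMO_WIDTH); }

/* 1 if the guard rejects a 52-byte row into a 26-byte buffer and accepts a
   26-byte row, 0 otherwise. */
int demo_store_row_guard(void)
{
    unsigned char backing[26], row[52];
    RowBuffer rb = { backing, sizeof backing };
    memset(row, 0xAB, sizeof row);
    if (store_row(&rb, row, sizeof row) != -1) return 0;
    if (store_row(&rb, row, sizeof backing) != 0) return 0;
    return backing[25] == 0xAB;
}

int main(void)
{
    printf("delivered row %zu bytes, naive buffer %zu bytes, overrun %zu bytes\n",
           actual_row_bytes(&GRAY16_TRNS_KEEP16, DEMO_WIDTH),
           naive_row_bytes(&GRAY16_TRNS_KEEP16, DEMO_WIDTH), demo_overrun());
    printf("overrun with strip_16: %zu bytes; store_row guard ok: %d\n",
           demo_overrun_after_strip16(), demo_store_row_guard());
    return 0;
}
```

The point of the model is that the row size must be derived from what the decoder will actually deliver after all transforms are registered, not from the IHDR depth alone or from an 8-bit assumption; either requesting strip_16 so the delivered depth matches the buffer, or sizing the buffer from the post-transform row length, removes the overrun, and a length check in the row sink turns any remaining mismatch into a rejected row rather than a heap corruption.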
Thanks. Will test over the weekend and report back.
*** Bug 157115 has been marked as a duplicate of this bug. ***
*** Bug 157957 has been marked as a duplicate of this bug. ***
Here's another page that crashes with a similar stack trace: http://www.openimscore.org/docs/ser_ims/index.html This is with Debian, konqueror 4:4.0.1-1.
*** Bug 159486 has been marked as a duplicate of this bug. ***
Patch fixes pngloader related crashes for me. Tested sites under VG: http://www.openimscore.org/docs/ser_ims/index.html http://tapioca.sf.net and http://www.cybertiggyr.com/gene/dfx
*** Bug 159792 has been marked as a duplicate of this bug. ***
*** Bug 160609 has been marked as a duplicate of this bug. ***
*** Bug 160967 has been marked as a duplicate of this bug. ***
SVN commit 801224 by mueller:

fix buffer overflow (CVE-2008-1670)

CCBUG: 156623

M  +3 -0      pngloader.cpp

WebSVN link: http://websvn.kde.org/?view=rev&revision=801224
SVN commit 801225 by mueller:

fix CVE-2008-1670

BUG: 156623

M  +3 -0      pngloader.cpp

WebSVN link: http://websvn.kde.org/?view=rev&revision=801225