Bug 349526 - Okular crashes opening CHM-file
Summary: Okular crashes opening CHM-file
Status: CONFIRMED
Alias: None
Product: okular
Classification: Applications
Component: general
Version: 0.21.3
Platform: Fedora RPMs Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Okular developers
URL:
Keywords: drkonqi
Depends on:
Blocks:
 
Reported: 2015-06-23 11:37 UTC by Peter Gsellmann
Modified: 2020-12-03 21:29 UTC
CC List: 4 users

See Also:
Latest Commit:
Version Fixed In:


Attachments
ASAN trace (qt5-base 5.11.1, khtml 5.49.0, okular v18.08.0-21-g6a3705535) (12.14 KB, text/plain) - 2018-08-28 15:16 UTC, Peter Wu
Minimal khtml reproducer (main.cpp) (902 bytes, text/x-c++src) - 2018-08-28 17:28 UTC, Peter Wu

Description Peter Gsellmann 2015-06-23 11:37:57 UTC
Application: okular (0.21.3)
KDE Platform Version: 4.14.7
Qt Version: 4.8.6
Operating System: Linux 3.19.8-100.fc20.x86_64 x86_64
Distribution: "Fedora release 20 (Heisenbug)"

-- Information about the crash:
- What I was doing when the application crashed:

After clicking on the file MyDAC.chm, Okular shows an empty window for some seconds and then crashes.
The same file opens without problems in a virtual machine with W7.
Other chm-files from the same VM show no problems at open.

Unfortunately, I cannot append the involved file because it is from a commercial software package I am not allowed to redistribute.
However, a limited runtime demo is downloadable at https://www.devart.com/mydac/ where I hope this file is included.

The crash can be reproduced every time.

-- Backtrace:
Application: Okular (okular), signal: Segmentation fault
Using host libthread_db library "/lib64/libthread_db.so.1".
81	T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
[KCrash Handler]
#6  0x0000003262a1b1c9 in QWidgetPrivate::prepareToRender (this=this@entry=0x3d578f0, region=..., renderFlags=...) at kernel/qwidget.cpp:5409
#7  0x0000003262a1c225 in QWidgetPrivate::render (this=0x3d578f0, target=target@entry=0x3aec620, targetOffset=..., sourceRegion=..., renderFlags=..., readyToRender=readyToRender@entry=false) at kernel/qwidget.cpp:5668
#8  0x0000003262a1c649 in QWidget::render (this=this@entry=0x2579fb0, target=target@entry=0x3aec620, targetOffset=..., sourceRegion=..., renderFlags=...) at kernel/qwidget.cpp:5184
#9  0x0000003dbcb97a6a in copyWidget (r=..., p=p@entry=0x7ffe046871e0, widget=widget@entry=0x2579fb0, tx=tx@entry=0, ty=ty@entry=802, buffer=0x3aec620, buffered=true) at /usr/src/debug/kdelibs-4.14.7/khtml/rendering/render_replaced.cpp:719
#10 0x0000003dbcb97fc2 in khtml::RenderWidget::paintWidget (pI=..., widget=0x2579fb0, tx=0, ty=802, buffer=buffer@entry=0x2cf0dd8) at /usr/src/debug/kdelibs-4.14.7/khtml/rendering/render_replaced.cpp:788
#11 0x0000003dbcb7c196 in khtml::RenderLayer::paintScrollbars (this=this@entry=0x2cf0d78, pI=...) at /usr/src/debug/kdelibs-4.14.7/khtml/rendering/render_layer.cpp:1003
#12 0x0000003dbcb81131 in khtml::RenderLayer::paintLayer (this=0x2cf0d78, rootLayer=rootLayer@entry=0x2cf0090, p=0x7ffe046871e0, paintDirtyRect=..., selectionOnly=selectionOnly@entry=false) at /usr/src/debug/kdelibs-4.14.7/khtml/rendering/render_layer.cpp:1094
#13 0x0000003dbcb80ed0 in khtml::RenderLayer::paintLayer (this=0x2cf0210, rootLayer=rootLayer@entry=0x2cf0090, p=0x7ffe046871e0, paintDirtyRect=..., selectionOnly=selectionOnly@entry=false) at /usr/src/debug/kdelibs-4.14.7/khtml/rendering/render_layer.cpp:1146
#14 0x0000003dbcb80f57 in khtml::RenderLayer::paintLayer (this=0x2cf0090, rootLayer=0x2cf0090, p=0x7ffe046871e0, paintDirtyRect=..., selectionOnly=<optimized out>) at /usr/src/debug/kdelibs-4.14.7/khtml/rendering/render_layer.cpp:1152
#15 0x0000003dbca085a8 in KHTMLView::paint (this=0x2a188f0, p=p@entry=0x7ffe046871e0, rc=..., yOff=yOff@entry=0, more=more@entry=0x7ffe046871cf) at /usr/src/debug/kdelibs-4.14.7/khtml/khtmlview.cpp:3262
#16 0x0000003dbca1f132 in KHTMLPart::paint (this=<optimized out>, p=p@entry=0x7ffe046871e0, rc=..., yOff=yOff@entry=0, more=more@entry=0x7ffe046871cf) at /usr/src/debug/kdelibs-4.14.7/khtml/khtml_part.cpp:2197
#17 0x00007f8d5e819986 in CHMGenerator::slotCompleted (this=0x279f8f0) at /usr/src/debug/okular-14.12.3/generators/chm/generator_chm.cpp:208
#18 0x000000326239b42a in QMetaObject::activate (sender=0x29e2520, m=<optimized out>, local_signal_index=<optimized out>, argv=0x0) at kernel/qobject.cpp:3567
#19 0x0000003dbca0e883 in KHTMLView::timerEvent (this=0x2a188f0, e=<optimized out>) at /usr/src/debug/kdelibs-4.14.7/khtml/khtmlview.cpp:4075
#20 0x000000326239f7e1 in QObject::event (this=this@entry=0x2a188f0, e=e@entry=0x7ffe04687ae0) at kernel/qobject.cpp:1184
#21 0x0000003262a1dd53 in QWidget::event (this=this@entry=0x2a188f0, event=event@entry=0x7ffe04687ae0) at kernel/qwidget.cpp:8859
#22 0x0000003262dd4aae in QFrame::event (this=this@entry=0x2a188f0, e=e@entry=0x7ffe04687ae0) at widgets/qframe.cpp:557
#23 0x0000003262e57eb3 in QAbstractScrollArea::event (this=0x2a188f0, e=0x7ffe04687ae0) at widgets/qabstractscrollarea.cpp:996
#24 0x0000003dbca0fbbf in KHTMLView::event (this=0x2a188f0, e=0x7ffe04687ae0) at /usr/src/debug/kdelibs-4.14.7/khtml/khtmlview.cpp:544
#25 0x00000032629cae6c in QApplicationPrivate::notify_helper (this=this@entry=0x20c5d20, receiver=receiver@entry=0x2a188f0, e=e@entry=0x7ffe04687ae0) at kernel/qapplication.cpp:4565
#26 0x00000032629d17c5 in QApplication::notify (this=this@entry=0x7ffe04687e00, receiver=receiver@entry=0x2a188f0, e=e@entry=0x7ffe04687ae0) at kernel/qapplication.cpp:4351
#27 0x0000003da884a6ea in KApplication::notify (this=0x7ffe04687e00, receiver=0x2a188f0, event=0x7ffe04687ae0) at /usr/src/debug/kdelibs-4.14.7/kdeui/kernel/kapplication.cpp:311
#28 0x00000032623869ad in QCoreApplication::notifyInternal (this=0x7ffe04687e00, receiver=0x2a188f0, event=event@entry=0x7ffe04687ae0) at kernel/qcoreapplication.cpp:953
#29 0x00000032623b8213 in sendEvent (event=0x7ffe04687ae0, receiver=<optimized out>) at kernel/qcoreapplication.h:231
#30 QTimerInfoList::activateTimers (this=this@entry=0x20d25e0) at kernel/qeventdispatcher_unix.cpp:621
#31 0x00000032623b52d1 in timerSourceDispatch (source=source@entry=0x20d2580) at kernel/qeventdispatcher_glib.cpp:193
#32 0x00000039ea8492a6 in g_main_dispatch (context=0x20c0420) at gmain.c:3066
#33 g_main_context_dispatch (context=context@entry=0x20c0420) at gmain.c:3642
#34 0x00000039ea849628 in g_main_context_iterate (context=context@entry=0x20c0420, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3713
#35 0x00000039ea8496dc in g_main_context_iteration (context=0x20c0420, may_block=1) at gmain.c:3774
#36 0x00000032623b54ce in QEventDispatcherGlib::processEvents (this=0x20c5d00, flags=...) at kernel/qeventdispatcher_glib.cpp:450
#37 0x0000003262a6ccd6 in QGuiEventDispatcherGlib::processEvents (this=<optimized out>, flags=...) at kernel/qguieventdispatcher_glib.cpp:207
#38 0x000000326238543f in QEventLoop::processEvents (this=this@entry=0x7ffe04687d70, flags=...) at kernel/qeventloop.cpp:149
#39 0x000000326238578d in QEventLoop::exec (this=this@entry=0x7ffe04687d70, flags=...) at kernel/qeventloop.cpp:204
#40 0x000000326238ae59 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1225
#41 0x00000032629c94ec in QApplication::exec () at kernel/qapplication.cpp:3823
#42 0x0000000000409ba0 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/okular-14.12.3/shell/main.cpp:64

Possible duplicates by query: bug 328263.

Reported using DrKonqi
Comment 1 Yuri Chornoivan 2015-06-23 17:18:23 UTC
(In reply to Peter Gsellmann from comment #0)
> Application: okular (0.21.3)
> KDE Platform Version: 4.14.7
> Qt Version: 4.8.6
> Operating System: Linux 3.19.8-100.fc20.x86_64 x86_64
> Distribution: "Fedora release 20 (Heisenbug)"
>
> Unfortunately, i cannot append the involved file because it is from a
> commercial software package i am not allowed to redistribute.
> However, a limited runtime demo is downloadable at
> https://www.devart.com/mydac/ where i hope this file is included

Hi,

I have downloaded the CHM file by this address:

http://www.devart.com/mydac/mydac.chm

It was opened with Okular 0.22.60 (self-compiled from git/master) + li64chm 0.40 and no crash occurred.

Can you confirm that the above-mentioned file crashes your Okular?

Thanks in advance for your answer.
Comment 2 Yuri Chornoivan 2015-06-24 16:24:01 UTC
Confirmed for the file kindly sent to me by Peter (not the one from devart site) and Okular from git/master. Similar symptoms.

Kchmviewer 6.0 opens the file just fine.
Comment 3 Albert Astals Cid 2015-07-01 21:08:04 UTC
Can we actually have the file? Otherwise it's going to be close to impossible to fix (otoh the backtrace seems to point to khtml)
Comment 4 Peter Wu 2018-08-28 15:16:23 UTC
Created attachment 114661 [details]
ASAN trace (qt5-base 5.11.1, khtml 5.49.0, okular v18.08.0-21-g6a3705535)

I cannot load the referenced mydac.chm file as it takes forever to even open and spits libpng errors. However I did observe a crash when trying to open a (confidential) CHM file and scrolling down to a page, the cause of the crash is a use-after-free of a scrollbar widget.

The page I scroll to contains a larger picture, that could be relevant. I was not able to reproduce the crash with a (text-only?) "depends.chm" from 2011 (Dependency Walker).
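The pattern behind the crash described in comment 4, as an added example that is not code from Okular, KHTML or Qt: a paint path caches a pointer to a child widget (the scrollbar), a later layout pass deletes and recreates that widget, and the next paint renders through the stale pointer. The hypothetical Widget, Guard, Layer and Painter types below model that lifecycle without Qt; Guard plays the role of Qt's QPointer, which is nulled when its target is destroyed, so the painter skips the dead widget instead of touching freed memory. The raw pointer kept alongside it is only compared, never dereferenced, so the example runs cleanly while still showing that the raw cache dangles.

```cpp
// Added example (not Okular/KHTML code). Models: paint path caches a child
// widget pointer, layout deletes the widget, paint runs again. Guard is a
// hypothetical stand-in for Qt's QPointer; all names here are assumptions.
#include <algorithm>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Guard;

struct Widget {
    std::string name;
    std::vector<Guard*> guards;   // every Guard currently pointing at this widget
    explicit Widget(std::string n) : name(std::move(n)) {}
    ~Widget();
    // Stand-in for QWidget::render(): returns the number of "bytes painted".
    int render() const { return static_cast<int>(name.size()); }
};

// Weak handle that is nulled when the target widget dies (QPointer-like).
struct Guard {
    Widget* target = nullptr;
    Guard() = default;
    Guard(const Guard&) = delete;
    Guard& operator=(const Guard&) = delete;
    ~Guard() { detach(); }
    Guard& operator=(Widget* w) {
        detach();
        target = w;
        if (w) w->guards.push_back(this);
        return *this;
    }
    void detach() {
        if (!target) return;
        auto& g = target->guards;
        g.erase(std::remove(g.begin(), g.end(), this), g.end());
        target = nullptr;
    }
    Widget* get() const { return target; }
};

Widget::~Widget() {
    for (Guard* g : guards) g->target = nullptr;   // invalidate all handles
}

// Owns the scrollbar widget, as a render layer owns its scrollbars.
struct Layer {
    std::unique_ptr<Widget> scrollbar;
    // A layout pass may delete and recreate the widget; any raw pointer
    // cached elsewhere is stale after this call.
    void relayout(bool needsScrollbar) {
        scrollbar.reset(needsScrollbar ? new Widget("vscroll") : nullptr);
    }
};

// Paint path that caches the widget across paints. rawCached is the buggy
// pattern (it dangles after relayout); cached is the guarded version used.
struct Painter {
    Guard cached;
    Widget* rawCached = nullptr;
    void attach(Widget* w) { cached = w; rawCached = w; }
    // Bytes painted, or 0 when the cached widget no longer exists.
    int paintScrollbar() {
        Widget* w = cached.get();
        return w ? w->render() : 0;
    }
};

struct Outcome {
    int firstPaint;        // paint while the scrollbar is alive
    int secondPaint;       // paint after layout deleted it
    bool rawStillNonNull;  // the raw cache still holds the freed address
    bool guardCleared;     // the guard was nulled by ~Widget
};

// Scenario from the report: cache the scrollbar, let a later layout pass
// delete it, then run the paint slot again.
Outcome runScenario() {
    Layer layer;
    layer.relayout(true);
    Painter p;
    p.attach(layer.scrollbar.get());
    Outcome o{};
    o.firstPaint = p.paintScrollbar();             // 7 bytes for "vscroll"
    layer.relayout(false);                         // scrollbar deleted here
    o.rawStillNonNull = (p.rawCached != nullptr);  // dereferencing it would be the UAF
    o.guardCleared = (p.cached.get() == nullptr);
    o.secondPaint = p.paintScrollbar();            // 0: skipped, freed memory untouched
    return o;
}

int main() {
    Outcome o = runScenario();
    std::printf("first=%d second=%d raw_dangles=%d guard_cleared=%d\n",
                o.firstPaint, o.secondPaint, o.rawStillNonNull, o.guardCleared);
    return 0;
}
```

Under AddressSanitizer the raw-pointer variant would report heap-use-after-free at the first deref inside the paint call, which is the shape of the attached trace; the guarded variant never reaches that deref.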
Comment 5 Peter Wu 2018-08-28 17:28:55 UTC
Created attachment 114666 [details]
Minimal khtml reproducer (main.cpp)

It appears to be a KHtml bug (or API misuse in Okular).

The attached minimal reproducer triggers the same crash.
Comment 6 Justin Zobel 2020-12-02 01:24:17 UTC
Thank you for the report.

As it has been a while since this was updated, can you please test and confirm if this issue is still occurring or if this bug report can be marked as resolved.

I have set the bug status to "needsinfo" pending your response, please change back to "reported" or "resolved" when you respond, thank you.
Comment 7 Peter Wu 2020-12-03 21:29:53 UTC
The reproducer from comment 5 above still works, I had to prepend the following to CMakeLists.txt to make it build though:
cmake_minimum_required(VERSION 3.19)

Tested on Arch Linux with:
qt5-base 5.15.2-1
khtml 5.76.0-1

Trace:

==3051==ERROR: AddressSanitizer: SEGV on unknown address 0x602043800066 (pc 0x7ff672b0e819 bp 0x7ff672bf100a sp 0x7ffcbc051da0 T0)
==3051==The signal is caused by a READ memory access.
    0 0x7ff672b0e819 in QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (/usr/lib/libQt5Core.so.5+0x2b5819)
    1 0x7ff673707740 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/libQt5Widgets.so.5+0x15a740)
    2 0x7ff672b0ea79 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/libQt5Core.so.5+0x2b5a79)
    3 0x7ff6737408e7 in QWidgetPrivate::sendPaintEvent(QRegion const&) (/usr/lib/libQt5Widgets.so.5+0x1938e7)
    4 0x7ff67374115b in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (/usr/lib/libQt5Widgets.so.5+0x19415b)
    5 0x7ff6737459f9 in QWidgetPrivate::render(QPaintDevice*, QPoint const&, QRegion const&, QFlags<QWidget::RenderFlag>) (/usr/lib/libQt5Widgets.so.5+0x1989f9)
    6 0x7ff673745f13 in QWidget::render(QPainter*, QPoint const&, QRegion const&, QFlags<QWidget::RenderFlag>) (/usr/lib/libQt5Widgets.so.5+0x198f13)
    7 0x7ff6737462f8 in QWidget::render(QPaintDevice*, QPoint const&, QRegion const&, QFlags<QWidget::RenderFlag>) (/usr/lib/libQt5Widgets.so.5+0x1992f8)
    8 0x7ff674b0e786  (/usr/lib/libKF5KHtml.so.5+0x3b0786)
    9 0x7ff674b0ed0c  (/usr/lib/libKF5KHtml.so.5+0x3b0d0c)
    10 0x7ff674aea5ce  (/usr/lib/libKF5KHtml.so.5+0x38c5ce)
    11 0x7ff674aef93c in khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (/usr/lib/libKF5KHtml.so.5+0x39193c)
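Frames 8 to 10 of the trace in comment 7 carry only a module and offset, because the khtml library on that system has no debug symbols installed. The helper below is an added example, not part of the bug report: it turns each unsymbolized "(lib+0xoffset)" frame into an addr2line invocation against that library, and leaves frames that already name a symbol alone. Resolving the offsets still needs the distribution's debug symbols for libKF5KHtml (or debuginfod access); the frame lines fed in are copied verbatim from the trace above.

```sh
#!/bin/sh
# Added example (not from the report): build addr2line commands for the
# unsymbolized AddressSanitizer frames of the form
#     8 0x7ff674b0e786  (/usr/lib/libKF5KHtml.so.5+0x3b0786)
# The helper only composes the command; the library need not be present.

# Print "addr2line -f -C -e <lib> <offset>" for one frame line.
# Prints nothing for frames that already contain "in <symbol>", and
# returns 1 for lines that are not module+offset frames at all.
symbolize_cmd() {
    frame=$1
    case $frame in
        *" in "*) return 0 ;;          # already symbolized, nothing to do
        *"("*"+0x"*")"*) ;;            # module+offset form, handled below
        *) return 1 ;;                 # not a frame line
    esac
    mod=${frame#*"("}                  # drop everything up to "("
    mod=${mod%%+*}                     # keep the library path before "+"
    off=${frame##*+}                   # keep what follows the last "+"
    off=${off%")"}                     # drop the closing parenthesis
    [ -n "$mod" ] && [ -n "$off" ] || return 1
    printf 'addr2line -f -C -e %s %s\n' "$mod" "$off"
}

# Apply symbolize_cmd to every line on stdin.
symbolize_trace() {
    while IFS= read -r line; do
        symbolize_cmd "$line" || :
    done
}

# Constructed input: the four khtml frames quoted from the trace above.
symbolize_trace <<'EOF'
    8 0x7ff674b0e786  (/usr/lib/libKF5KHtml.so.5+0x3b0786)
    9 0x7ff674b0ed0c  (/usr/lib/libKF5KHtml.so.5+0x3b0d0c)
    10 0x7ff674aea5ce  (/usr/lib/libKF5KHtml.so.5+0x38c5ce)
    11 0x7ff674aef93c in khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (/usr/lib/libKF5KHtml.so.5+0x39193c)
EOF
```

Running the printed commands on a machine with the matching libKF5KHtml debug symbols names the three missing khtml::RenderLayer/RenderWidget frames between QWidget::render and paintLayer. Having llvm-symbolizer on PATH when the ASAN build runs gives the same result directly in the report, since symbolization is on by default in ASAN_OPTIONS.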