Bug 356806 - use-after-free crash on closing ark after opening a damaged archive
Summary: use-after-free crash on closing ark after opening a damaged archive
Status: RESOLVED FIXED
Alias: None
Product: ark
Classification: Applications
Component: general
Version: 2.19
Platform: Compiled Sources Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Elvis Angelaccio
URL:
Keywords:
Depends on:
Blocks:
Reported: 2015-12-17 01:43 UTC by Santhiar
Modified: 2016-04-11 09:41 UTC

See Also:
Latest Commit:
Version Fixed In: 16.04.0


Attachments

Description Santhiar 2015-12-17 01:43:32 UTC
Ark crashes with a use-after-free bug when it is closed while an error window reporting "Error opening archive" is open. This error window is displayed, for example, when ark is used to open an incomplete download of a tar.gz file.


Reproducible: Always

Steps to Reproduce:
1. Open an incompletely downloaded tar.gz file with ark using File --> Open
2. When the "Error opening archive" window is displayed, 
3. Issue "qdbus `qdbus | grep ark` /ark/MainWindow_1/actions/file_quit trigger" from the command line

Actual Results:  
Ark crashes

Expected Results:  
Ark closes smoothly

This crash is a use-after-free bug. I have included the stacks obtained from a build of ark instrumented using AddressSanitizer below.

=======
Version
=======
Qt: 4.8.7
KDE Development Platform: 4.14.13
Ark: 2.19

============
KCrash Stack
============
Application: Ark (ark), signal: Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[KCrash Handler]
#6  0x00007f03c6733d2f in QScopedPointerDeleter<Kerfuffle::Archive>::cleanup (pointer=0x6465727265666544) at qt4/include/QtCore/qscopedpointer.h:62
#7  0x00007f03c672d7a3 in QScopedPointer<Kerfuffle::Archive, QScopedPointerDeleter<Kerfuffle::Archive> >::reset (this=0xc3e570, other=0x0) at qt4/include/QtCore/qscopedpointer.h:149
#8  0x00007f03c6746abf in ArchiveModel::setArchive (this=0xc3e550, archive=0x8) at KDE/kde/kdeutils/ark/part/archivemodel.cpp:865
#9  0x00007f03c672672a in Ark::Part::slotLoadingFinished (this=0xb88660, job=<optimized out>) at KDE/kde/kdeutils/ark/part/part.cpp:507
#10 0x00007f03c671c94d in Ark::Part::qt_static_metacall (_o=0xb88660, _c=<optimized out>, _id=<optimized out>, _a=0x7fffe2fe82d0) at KDE/build/kde/kdeutils/ark/part/moc_part.cpp:103
#11 0x00007f03d0e0e607 in QMetaObject::activate (sender=0xc3e550, m=0x7f03c69b6ac0 <ArchiveModel::staticMetaObject>, local_signal_index=1, argv=0x7fffe2fe82d0) at kernel/qobject.cpp:3569
#12 0x00007f03c6746a2a in ArchiveModel::loadingFinished (this=0x6465727265666544, _t1=0xf1daf0) at KDE/build/kde/kdeutils/ark/part/archivemodel.moc:137
#13 0x00007f03c6746933 in ArchiveModel::slotLoadingFinished (this=0xc3e550, job=<optimized out>) at KDE/kde/kdeutils/ark/part/archivemodel.cpp:841
#14 0x00007f03c6747be7 in ArchiveModel::qt_static_metacall (_o=0xc3e550, _c=<optimized out>, _id=<optimized out>, _a=0x7f03bc037f20) at KDE/build/kde/kdeutils/ark/part/archivemodel.moc:79
#15 0x00007f03d0e0569d in QMetaCallEvent::placeMetaCall (this=0x7f03bc037f60, object=0xc3e550) at kernel/qobject.cpp:524
#16 0x00007f03d0e07a10 in QObject::event (this=0xc3e550, e=0x7f03bc037f60) at kernel/qobject.cpp:1222
#17 0x00007f03d283948f in QApplicationPrivate::notify_helper (this=0xa770f0, receiver=0xc3e550, e=0x7f03bc037f60) at kernel/qapplication.cpp:4565
#18 0x00007f03d283ba8e in QApplication::notify (this=0x7fffe2fe9e58, receiver=0xc3e550, e=0x7f03bc037f60) at kernel/qapplication.cpp:3947
#19 0x00007f03d3bdcf7b in KApplication::notify (this=0x7fffe2fe9e58, receiver=0xc3e550, event=0x7f03bc037f60) at KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
#20 0x00007f03d0de6dc6 in QCoreApplication::notifyInternal (this=0x7fffe2fe9e58, receiver=0xc3e550, event=0x7f03bc037f60) at kernel/qcoreapplication.cpp:955
#21 0x00007f03d0deb54a in QCoreApplication::sendEvent (receiver=0xc3e550, event=0x7f03bc037f60) at qt/src/corelib/../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:231
#22 0x00007f03d0de83f4 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0xa484e0) at kernel/qcoreapplication.cpp:1609
#23 0x00007f03d0e392f7 in QEventDispatcherUNIX::processEvents (this=0xa4fbc0, flags=...) at kernel/qeventdispatcher_unix.cpp:908
#24 0x00007f03d295166a in QEventDispatcherX11::processEvents (this=0xa4fbc0, flags=...) at kernel/qeventdispatcher_x11.cpp:179
#25 0x00007f03d0de1f6c in QEventLoop::processEvents (this=0x7fffe2fe9c20, flags=...) at kernel/qeventloop.cpp:149
#26 0x00007f03d0de2332 in QEventLoop::exec (this=0x7fffe2fe9c20, flags=...) at kernel/qeventloop.cpp:225
#27 0x00007f03d0de75ee in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1229
#28 0x00007f03d283b526 in QApplication::exec () at kernel/qapplication.cpp:3823
#29 0x0000000000412a4e in main (argc=<optimized out>, argv=<optimized out>) at KDE/kde/kdeutils/ark/app/main.cpp:206

======================
AddressSanitizer Stack
======================
==19894==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000015008 at pc 0x7f6d8f612f47 bp 0x7fff75fd10b0 sp 0x7fff75fd10a8
READ of size 8 at 0x60f000015008 thread T0
    #0 0x7f6d8f612f46 in Ark::Part::slotLoadingFinished(KJob*) KDE/kde/kdeutils/ark/part/part.cpp:507
    #1 0x7f6d8f5f85f4 in Ark::Part::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) KDE/build-asan/kde/kdeutils/ark/part/moc_part.cpp:103
    #2 0x7f6d9e5ed606 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qt4/lib/libQtCore.so.4+0x255606)
    #3 0x7f6d8f657865 in ArchiveModel::loadingFinished(KJob*) KDE/build-asan/kde/kdeutils/ark/part/archivemodel.moc:137
    #4 0x7f6d8f657865 in ArchiveModel::slotLoadingFinished(KJob*) KDE/kde/kdeutils/ark/part/archivemodel.cpp:841
    #5 0x7f6d8f65b88e in ArchiveModel::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) KDE/build-asan/kde/kdeutils/ark/part/archivemodel.moc:79
    #6 0x7f6d9e5e469c in QMetaCallEvent::placeMetaCall(QObject*) (qt4/lib/libQtCore.so.4+0x24c69c)
    #7 0x7f6d9e5e6a0f in QObject::event(QEvent*) (qt4/lib/libQtCore.so.4+0x24ea0f)
    #8 0x7f6d9fb2b48e in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23548e)
    #9 0x7f6d9fb2da8d in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x237a8d)
    #10 0x7f6da13ed340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #11 0x7f6d9e5c5dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22ddc5)
    #12 0x7f6d9e5ca549 in QCoreApplication::sendEvent(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x232549)
    #13 0x7f6d9e5c73f3 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22f3f3)
    #14 0x7f6d9e6182f6 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x2802f6)
    #15 0x7f6d9fc43669 in QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34d669)
    #16 0x7f6d9e5c0f6b in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x228f6b)
    #17 0x7f6d9e5c1331 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x229331)
    #18 0x7f6d9e5c65ed in QCoreApplication::exec() (qt4/lib/libQtCore.so.4+0x22e5ed)
    #19 0x7f6d9fb2d525 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237525)
    #20 0x461a30 in main (KDE/install-asan/bin/ark+0x461a30)
    #21 0x7f6d9d1bc76c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #22 0x44e9dc in _start (KDE/install-asan/bin/ark+0x44e9dc)
0x60f000015008 is located 40 bytes inside of 176-byte region [0x60f000014fe0,0x60f000015090)
freed by thread T0 here:
    #0 0x439ffa in operator delete(void*) (KDE/install-asan/bin/ark+0x439ffa)
    #1 0x7f6d8f600a49 in Ark::Part::~Part() KDE/kde/kdeutils/ark/part/part.cpp:141
    #2 0x46a0fc in MainWindow::~MainWindow() (KDE/install-asan/bin/ark+0x46a0fc)
    #3 0x469963 in MainWindow::~MainWindow() (KDE/install-asan/bin/ark+0x469963)
    #4 0x7f6d9e5e6e3d in qDeleteInEventHandler(QObject*) (qt4/lib/libQtCore.so.4+0x24ee3d)
    #5 0x7f6d9e5e69a7 in QObject::event(QEvent*) (qt4/lib/libQtCore.so.4+0x24e9a7)
    #6 0x7f6d9fbb6345 in QWidget::event(QEvent*) (qt4/lib/libQtGui.so.4+0x2c0345)
    #7 0x7f6da01d7f72 in QMainWindow::event(QEvent*) (qt4/lib/libQtGui.so.4+0x8e1f72)
    #8 0x7f6da170d133 in KMainWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/widgets/kmainwindow.cpp:1126
    #9 0x7f6da18130b2 in KXmlGuiWindow::event(QEvent*) KDE/kde/kdelibs/kdeui/xmlgui/kxmlguiwindow.cpp:126
    #10 0x7f6d9fb2b48e in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23548e)
    #11 0x7f6d9fb3132b in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23b32b)
    #12 0x7f6da13ed340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #13 0x7f6d9e5c5dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22ddc5)
    #14 0x7f6d9e5ca549 in QCoreApplication::sendEvent(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x232549)
    #15 0x7f6d9e5c73f3 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22f3f3)
    #16 0x7f6d9e6182f6 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x2802f6)
    #17 0x7f6d9fc43669 in QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34d669)
    #18 0x7f6d9e5c0f6b in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x228f6b)
    #19 0x7f6d9e5c1331 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x229331)
    #20 0x7f6da02dfc8a in QDialog::exec() (qt4/lib/libQtGui.so.4+0x9e9c8a)
    #21 0x7f6da11799dc in KMessageBox::createKMessageBox(KDialog*, QIcon const&, QString const&, QStringList const&, QString const&, bool*, QFlags<KMessageBox::Option>, QString const&, QMessageBox::Icon) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:344
    #22 0x7f6da1176fe1 in KMessageBox::createKMessageBox(KDialog*, QMessageBox::Icon, QString const&, QStringList const&, QString const&, bool*, QFlags<KMessageBox::Option>, QString const&) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:158
    #23 0x7f6da1189f44 in KMessageBox::sorryWId(unsigned long, QString const&, QString const&, QFlags<KMessageBox::Option>) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:928
    #24 0x7f6da118990d in KMessageBox::sorry(QWidget*, QString const&, QString const&, QFlags<KMessageBox::Option>) KDE/kde/kdelibs/kdeui/dialogs/kmessagebox.cpp:907
    #25 0x7f6d8f6128f3 in Ark::Part::slotLoadingFinished(KJob*) KDE/kde/kdeutils/ark/part/part.cpp:504
    #26 0x7f6d8f5f85f4 in Ark::Part::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) KDE/build-asan/kde/kdeutils/ark/part/moc_part.cpp:103
    #27 0x7f6d9e5ed606 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qt4/lib/libQtCore.so.4+0x255606)
    #28 0x7f6d8f657865 in ArchiveModel::loadingFinished(KJob*) KDE/build-asan/kde/kdeutils/ark/part/archivemodel.moc:137
    #29 0x7f6d8f657865 in ArchiveModel::slotLoadingFinished(KJob*) KDE/kde/kdeutils/ark/part/archivemodel.cpp:841
    #30 0x7f6d8f65b88e in ArchiveModel::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) KDE/build-asan/kde/kdeutils/ark/part/archivemodel.moc:79
    #31 0x7f6d9e5e469c in QMetaCallEvent::placeMetaCall(QObject*) (qt4/lib/libQtCore.so.4+0x24c69c)
    #32 0x7f6d9e5e6a0f in QObject::event(QEvent*) (qt4/lib/libQtCore.so.4+0x24ea0f)
    #33 0x7f6d9fb2b48e in QApplicationPrivate::notify_helper(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x23548e)
    #34 0x7f6d9fb2da8d in QApplication::notify(QObject*, QEvent*) (qt4/lib/libQtGui.so.4+0x237a8d)
    #35 0x7f6da13ed340 in KApplication::notify(QObject*, QEvent*) KDE/kde/kdelibs/kdeui/kernel/kapplication.cpp:311
    #36 0x7f6d9e5c5dc5 in QCoreApplication::notifyInternal(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x22ddc5)
    #37 0x7f6d9e5ca549 in QCoreApplication::sendEvent(QObject*, QEvent*) (qt4/lib/libQtCore.so.4+0x232549)
    #38 0x7f6d9e5c73f3 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qt4/lib/libQtCore.so.4+0x22f3f3)
    #39 0x7f6d9e6182f6 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x2802f6)
    #40 0x7f6d9fc43669 in QEventDispatcherX11::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtGui.so.4+0x34d669)
    #41 0x7f6d9e5c0f6b in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x228f6b)
    #42 0x7f6d9e5c1331 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qt4/lib/libQtCore.so.4+0x229331)
    #43 0x7f6d9e5c65ed in QCoreApplication::exec() (qt4/lib/libQtCore.so.4+0x22e5ed)
    #44 0x7f6d9fb2d525 in QApplication::exec() (qt4/lib/libQtGui.so.4+0x237525)
    #45 0x461a30 in main (KDE/install-asan/bin/ark+0x461a30)
    #46 0x7f6d9d1bc76c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #47 0x44e9dc in _start (KDE/install-asan/bin/ark+0x44e9dc)
previously allocated by thread T0 here:
    #0 0x439d7a in operator new(unsigned long) (KDE/install-asan/bin/ark+0x439d7a)
    #1 0x7f6d8f62ac49 in QObject* KPluginFactory::createPartInstance<Ark::Part>(QWidget*, QObject*, QList<QVariant> const&) KDE/install-asan/include/kpluginfactory.h:483
    #2 0x7f6d9f41e0cc in KPluginFactory::create(char const*, QWidget*, QObject*, QList<QVariant> const&, QString const&) KDE/kde/kdelibs/kdecore/util/kpluginfactory.cpp:203
    #3 0x4704f4 in KParts::ReadWritePart* KPluginFactory::create<KParts::ReadWritePart>(QObject*, QList<QVariant> const&) (KDE/install-asan/bin/ark+0x4704f4)
    #4 0x46bc23 in MainWindow::loadPart() (KDE/install-asan/bin/ark+0x46bc23)
    #5 0x46133c in main (KDE/install-asan/bin/ark+0x46133c)
    #6 0x7f6d9d1bc76c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #7 0x44e9dc in _start (KDE/install-asan/bin/ark+0x44e9dc)
SUMMARY: AddressSanitizer: heap-use-after-free KDE/kde/kdeutils/ark/part/part.cpp:507 Ark::Part::slotLoadingFinished(KJob*)
Shadow bytes around the buggy address:
  0x0c1e7fffa9b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fffa9c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fffa9d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fd
  0x0c1e7fffa9e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fffa9f0: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
=>0x0c1e7fffaa00: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fffaa10: fd fd fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c1e7fffaa20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c1e7fffaa30: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1e7fffaa40: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c1e7fffaa50: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==19894==ABORTING
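The two ASan stacks above show the shape of the bug: Ark::Part::slotLoadingFinished opens a modal KMessageBox (part.cpp:504), the dialog's QDialog::exec() runs a nested event loop, the posted file_quit action deletes the MainWindow and with it the Part inside that nested loop, and when the dialog returns the slot continues at part.cpp:507 on a freed `this`. The following C++ program is an added example, not Ark's or KDE's code: it models that control flow with a toy posted-event queue in place of Qt's, a std::weak_ptr standing in for the QPointer guard that Qt code uses for exactly this situation, and a trace vector so the order of destruction and member access can be checked. The class and function names (EventLoop, Part, run, Outcome) and the archive name are constructed for the example.

```cpp
// Added example (not Ark's code): a slot that blocks in a modal dialog's nested
// event loop can have its own object deleted underneath it; a weak lifetime guard
// copied into a local BEFORE the dialog opens closes that window.
#include <deque>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

using Trace = std::vector<std::string>;

// Toy posted-event queue standing in for Qt's (constructed for this example).
struct EventLoop {
    std::deque<std::function<void()>> queue;
    void post(std::function<void()> ev) { queue.push_back(std::move(ev)); }
    // Drain the queue, as a nested QDialog::exec() drains posted events.
    void processEvents() {
        while (!queue.empty()) {
            auto ev = std::move(queue.front());
            queue.pop_front();
            ev();
        }
    }
};

// Stand-in for Ark::Part. The window owns it through a shared_ptr so that a
// weak_ptr can play the role QPointer plays in Qt: it reads as expired once the
// object has been destroyed.
struct Part : std::enable_shared_from_this<Part> {
    EventLoop& loop;
    std::shared_ptr<Trace> trace;
    std::string archiveName;

    Part(EventLoop& l, std::shared_ptr<Trace> t, std::string name)
        : loop(l), trace(std::move(t)), archiveName(std::move(name)) {}
    ~Part() { trace->push_back("~Part"); }

    // Modal "Error opening archive" box: blocks in a nested loop until the queue is empty.
    void showError() {
        trace->push_back("dialog open");
        loop.processEvents();
        trace->push_back("dialog closed");
    }

    // The slot from the report. Returns what happened so a test can check it.
    std::string slotLoadingFinished(bool loadFailed) {
        // Everything needed after the dialog is copied into locals first:
        // 'this' may already be gone when the nested loop returns.
        std::weak_ptr<Part> guard = shared_from_this();
        std::shared_ptr<Trace> localTrace = trace;
        if (loadFailed) {
            showError();            // nested loop: a posted quit/delete runs in here
            if (guard.expired()) {  // a QPointer would read as null at this point
                localTrace->push_back("slot bails out: part destroyed");
                return "destroyed during dialog";
            }
        }
        // Safe: the guard proved the object outlived the dialog.
        localTrace->push_back("members read: " + archiveName);
        return "loaded " + archiveName;
    }
};

struct Outcome {
    std::string result;
    Trace trace;
};

// Scenario from the report: a quit (delete-window) event is posted while the
// error dialog is up. 'postQuit' selects whether that race happens.
Outcome run(bool loadFailed, bool postQuit) {
    EventLoop loop;
    auto trace = std::make_shared<Trace>();
    auto part = std::make_shared<Part>(loop, trace, "broken.tar.gz");
    if (postQuit) {
        // file_quit deletes the MainWindow, which deletes its Part.
        loop.post([&part] { part.reset(); });
    }
    std::string result = part->slotLoadingFinished(loadFailed);
    return {result, *trace};
}

int main() {
    Outcome o = run(true, true);
    for (const auto& line : o.trace) std::cout << line << '\n';
    std::cout << "result: " << o.result << '\n';
    return 0;
}
```

In the racing case the trace reads "dialog open", "~Part", "dialog closed", "slot bails out: part destroyed": the destructor runs while the dialog is still on the stack, which is the same ordering the "freed by" stack above records (QDialog::exec inside slotLoadingFinished). Without the guard the slot would read `archiveName` after "~Part", which is the heap-use-after-free ASan flags at part.cpp:507.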
Comment 1 Elvis Angelaccio 2015-12-17 18:19:26 UTC
I can confirm the crash with Ark 15.12. Thanks for reporting.
Comment 2 Elvis Angelaccio 2016-04-11 09:41:12 UTC
I'm marking this one as fixed in 16.04...
We no longer have the "Error opening archive" message box (a message widget in the main window is displayed instead), so I can't reproduce the crash on the 16.04 branch.

(Even the dbus command doesn't work anymore, I get a "No such object path '/ark/MainWindow_1/actions/file_quit'" error).