SUMMARY

Hacking around with a pyte script that renders a virtual terminal, I've managed to crash konsole a few times while resizing it, with the journal saying `konsole[3372710]: double free or corruption (out)` and `systemd-coredump[3389111]: Process 3372710 (konsole) of user 1000 terminated abnormally with signal 6/ABRT, processing...`

STEPS TO REPRODUCE

Write a pyte script that resizes the pyte screen frequently, and spend a minute going wild with resizing the window super quickly and with large sizes. The main bits are

```
import pyte

# cols and rows are set elsewhere in the script
screen = pyte.Screen(cols, rows)
stream = pyte.Stream(screen)
screen.resize(lines=rows, columns=cols)  # called frequently as the size changes
```

OBSERVED RESULT

`konsole[3372710]: double free or corruption (out)` and `systemd-coredump[3389111]: Process 3372710 (konsole) of user 1000 terminated abnormally with signal 6/ABRT, processing...`

backtrace shows it is something in

```
#7 0x00007f07709dd6b1 in ?? () from /usr/lib/libkonsoleprivate.so.25.08.1
#8 0x00007f07709e5be8 in Konsole::Screen::resizeImage(int, int) () from /usr/lib/libkonsoleprivate.so.25.08.1
```

EXPECTED RESULT

A program running in konsole shouldn't be able to cause a double free somewhere around Konsole::Screen::resizeImage.

SOFTWARE/OS VERSIONS

Linux/KDE Plasma: arch linux
KDE Plasma Version: 6.4.5
KDE Frameworks Version: 6.18.0
Qt Version: 6.9.2

ADDITIONAL INFORMATION

```
#0 0x00007f076eb3694c in ?? () from /usr/lib/libc.so.6
#1 0x00007f076eadc410 in raise () from /usr/lib/libc.so.6
#2 0x00007f076eac357a in abort () from /usr/lib/libc.so.6
#3 0x00007f076eac4613 in ?? () from /usr/lib/libc.so.6
#4 0x00007f076eb40d65 in ?? () from /usr/lib/libc.so.6
#5 0x00007f076eb42d80 in ?? () from /usr/lib/libc.so.6
#6 0x00007f076eb42f91 in ?? () from /usr/lib/libc.so.6
#7 0x00007f07709dd6b1 in ?? () from /usr/lib/libkonsoleprivate.so.25.08.1
#8 0x00007f07709e5be8 in Konsole::Screen::resizeImage(int, int) () from /usr/lib/libkonsoleprivate.so.25.08.1
#9 0x00007f07709bd4fd in ?? () from /usr/lib/libkonsoleprivate.so.25.08.1
#10 0x00007f076f11966f in ?? () from /usr/lib/libQt6Core.so.6
#11 0x00007f0770a792d5 in Konsole::TerminalDisplay::changedContentSizeSignal(int, int) () from /usr/lib/libkonsoleprivate.so.25.08.1
#12 0x00007f0770a71760 in Konsole::TerminalDisplay::updateImageSize() () from /usr/lib/libkonsoleprivate.so.25.08.1
#13 0x00007f0770a72ea1 in Konsole::TerminalDisplay::resizeEvent(QResizeEvent*) () from /usr/lib/libkonsoleprivate.so.25.08.1
#14 0x00007f07700c0586 in QWidget::event(QEvent*) () from /usr/lib/libQt6Widgets.so.6
#15 0x00007f0770065dd0 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQt6Widgets.so.6
#16 0x00007f076f0ad678 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/lib/libQt6Core.so.6
#17 0x00007f07700ba0f1 in QWidgetPrivate::setGeometry_sys(int, int, int, int, bool) () from /usr/lib/libQt6Widgets.so.6
#18 0x00007f07700ba60a in QWidget::setGeometry(QRect const&) () from /usr/lib/libQt6Widgets.so.6
#19 0x00007f07702aa198 in ?? () from /usr/lib/libQt6Widgets.so.6
#20 0x00007f07702aacb6 in ?? () from /usr/lib/libQt6Widgets.so.6
#21 0x00007f07700c0586 in QWidget::event(QEvent*) () from /usr/lib/libQt6Widgets.so.6
#22 0x00007f077012cff6 in QFrame::event(QEvent*) () from /usr/lib/libQt6Widgets.so.6
#23 0x00007f0770065dd0 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQt6Widgets.so.6
#24 0x00007f076f0ad678 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/lib/libQt6Core.so.6
#25 0x00007f07700ba0f1 in QWidgetPrivate::setGeometry_sys(int, int, int, int, bool) () from /usr/lib/libQt6Widgets.so.6
#26 0x00007f07700ba60a in QWidget::setGeometry(QRect const&) () from /usr/lib/libQt6Widgets.so.6
#27 0x00007f0770093a0c in QLayoutPrivate::doResize() () from /usr/lib/libQt6Widgets.so.6
#28 0x00007f0770065db4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQt6Widgets.so.6
#29 0x00007f076f0ad678 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/lib/libQt6Core.so.6
#30 0x00007f07700ba0f1 in QWidgetPrivate::setGeometry_sys(int, int, int, int, bool) () from /usr/lib/libQt6Widgets.so.6
#31 0x00007f07700ba60a in QWidget::setGeometry(QRect const&) () from /usr/lib/libQt6Widgets.so.6
#32 0x00007f07702dbb2f in QTabWidget::setUpLayout(bool) () from /usr/lib/libQt6Widgets.so.6
#33 0x00007f07700c0586 in QWidget::event(QEvent*) () from /usr/lib/libQt6Widgets.so.6
#34 0x00007f0770065dd0 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQt6Widgets.so.6
#35 0x00007f076f0ad678 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/lib/libQt6Core.so.6
#36 0x00007f07700ba0f1 in QWidgetPrivate::setGeometry_sys(int, int, int, int, bool) () from /usr/lib/libQt6Widgets.so.6
#37 0x00007f07700ba60a in QWidget::setGeometry(QRect const&) () from /usr/lib/libQt6Widgets.so.6
#38 0x00007f07700ca7e2 in QWidget::qt_metacall(QMetaObject::Call, int, void**) () from /usr/lib/libQt6Widgets.so.6
#39 0x00007f07702dd06e in QTabWidget::qt_metacall(QMetaObject::Call, int, void**) () from /usr/lib/libQt6Widgets.so.6
#40 0x00007f0770ae5a0f in Konsole::TabbedViewContainer::qt_metacall(QMetaObject::Call, int, void**) () from /usr/lib/libkonsoleprivate.so.25.08.1
#41 0x00007f076f24c660 in QPropertyAnimation::updateCurrentValue(QVariant const&) () from /usr/lib/libQt6Core.so.6
#42 0x00007f076f257dc7 in ?? () from /usr/lib/libQt6Core.so.6
#43 0x00007f076f251797 in QPropertyAnimation::updateState(QAbstractAnimation::State, QAbstractAnimation::State) () from /usr/lib/libQt6Core.so.6
#44 0x00007f076f246484 in QAbstractAnimationPrivate::setState(QAbstractAnimation::State) () from /usr/lib/libQt6Core.so.6
#45 0x00007f077012b298 in ?? () from /usr/lib/libQt6Widgets.so.6
#46 0x00007f07701f12af in ?? () from /usr/lib/libQt6Widgets.so.6
#47 0x00007f07702458ea in ?? () from /usr/lib/libQt6Widgets.so.6
#48 0x00007f0770093a0c in QLayoutPrivate::doResize() () from /usr/lib/libQt6Widgets.so.6
#49 0x00007f0770065db4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQt6Widgets.so.6
#50 0x00007f076f0ad678 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/lib/libQt6Core.so.6
#51 0x00007f07700ddbe5 in ?? () from /usr/lib/libQt6Widgets.so.6
#52 0x00007f0770065dd0 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQt6Widgets.so.6
#53 0x00007f076f0ad678 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/lib/libQt6Core.so.6
#54 0x00007f076f7f7509 in QGuiApplicationPrivate::processGeometryChangeEvent(QWindowSystemInterfacePrivate::GeometryChangeEvent*) () from /usr/lib/libQt6Gui.so.6
#55 0x00007f076f869e18 in void QWindowSystemInterface::handleGeometryChange<QWindowSystemInterface::SynchronousDelivery>(QWindow*, QRect const&) () from /usr/lib/libQt6Gui.so.6
#56 0x00007f076bf00eeb in QtWaylandClient::QWaylandWindow::setGeometry(QRect const&) () from /usr/lib/libQt6WaylandClient.so.6
#57 0x00007f076befab23 in QtWaylandClient::QWaylandWindow::resizeFromApplyConfigure(QSize const&, QPoint const&) () from /usr/lib/libQt6WaylandClient.so.6
#58 0x00007f0770beffe4 in QtWaylandClient::QWaylandXdgSurface::Toplevel::applyConfigure() () from /usr/lib/qt6/plugins/wayland-shell-integration/libxdg-shell.so
#59 0x00007f0770bf0edf in QtWaylandClient::QWaylandXdgSurface::applyConfigure() () from /usr/lib/qt6/plugins/wayland-shell-integration/libxdg-shell.so
#60 0x00007f076bf01312 in QtWaylandClient::QWaylandWindow::applyConfigure() () from /usr/lib/libQt6WaylandClient.so.6
#61 0x00007f076f106a74 in QObject::event(QEvent*) () from /usr/lib/libQt6Core.so.6
#62 0x00007f0770065dd0 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQt6Widgets.so.6
#63 0x00007f076f0ad678 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/lib/libQt6Core.so.6
#64 0x00007f076f0ada5b in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/libQt6Core.so.6
#65 0x00007f076f3887f8 in ?? () from /usr/lib/libQt6Core.so.6
#66 0x00007f076ca57f4d in ?? () from /usr/lib/libglib-2.0.so.0
#67 0x00007f076ca59617 in ?? () from /usr/lib/libglib-2.0.so.0
#68 0x00007f076ca59825 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#69 0x00007f076f384fe2 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQt6Core.so.6
#70 0x00007f076f0b9ca6 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQt6Core.so.6
#71 0x00007f076f0b1d21 in QCoreApplication::exec() () from /usr/lib/libQt6Core.so.6
#72 0x000055e338e3fb8d in ?? ()
#73 0x00007f076eac5675 in ?? () from /usr/lib/libc.so.6
#74 0x00007f076eac5729 in __libc_start_main () from /usr/lib/libc.so.6
#75 0x000055e338e405f5 in ?? ()
```
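
A triage aid for a backtrace like the one above, added here as an example and not part of the original report: it parses gdb frames (one per line or run together), finds the first symbolized frame below the libc abort path, and counts unresolved `??` frames per module. The function names are this example's own; the sample frames are copied from the report.

```python
import re
from collections import Counter

# Frames copied from the report's backtrace (gdb output without debug symbols).
SAMPLE = """\
#0 0x00007f076eb3694c in ?? () from /usr/lib/libc.so.6
#1 0x00007f076eadc410 in raise () from /usr/lib/libc.so.6
#2 0x00007f076eac357a in abort () from /usr/lib/libc.so.6
#6 0x00007f076eb42f91 in ?? () from /usr/lib/libc.so.6
#7 0x00007f07709dd6b1 in ?? () from /usr/lib/libkonsoleprivate.so.25.08.1
#8 0x00007f07709e5be8 in Konsole::Screen::resizeImage(int, int) () from /usr/lib/libkonsoleprivate.so.25.08.1
#13 0x00007f0770a72ea1 in Konsole::TerminalDisplay::resizeEvent(QResizeEvent*) () from /usr/lib/libkonsoleprivate.so.25.08.1
#14 0x00007f07700c0586 in QWidget::event(QEvent*) () from /usr/lib/libQt6Widgets.so.6
"""

FRAME_RE = re.compile(
    r"#(\d+)\s+(0x[0-9a-f]+) in (.*?)\s+\(\)(?:\s+from\s+(\S+))?"
    r"(?=\s+#\d+\s+0x|\s*\Z)", re.S)

def parse_frames(text):
    """Parse frames whether they are one per line or run together."""
    frames = []
    for m in FRAME_RE.finditer(text):
        num, addr, func, module = m.groups()
        frames.append({
            "num": int(num), "addr": addr,
            "func": " ".join(func.split()),  # undo wraps inside a signature
            "module": module.rsplit("/", 1)[-1] if module else None,
        })
    return frames

def first_caller_outside_libc(frames):
    """First symbolized frame below the libc abort path."""
    for f in frames:
        if f["module"] and not f["module"].startswith("libc.so") and f["func"] != "??":
            return f
    return None

def unresolved_by_module(frames):
    """Count '??' frames per module: whose debug symbols are missing."""
    return Counter(f["module"] for f in frames if f["func"] == "??" and f["module"])

if __name__ == "__main__":
    frames = parse_frames(SAMPLE)
    hit = first_caller_outside_libc(frames)
    print(f"start at #{hit['num']}: {hit['func']} [{hit['module']}]")
    print("unresolved:", dict(unresolved_by_module(frames)))
```

In the report's trace the frame that calls into libc (#7) is unresolved, so a trace taken with debug symbols for libkonsoleprivate would show which call inside `Konsole::Screen::resizeImage` reached the allocator.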