Bug#741564: libkio5: libkio : segmentation fault caused by KFileItemDelegate

[Paul Chavent <paul.chavent@fnac.net>]

Some precisions.

The SIGSEGV arise when we hover mouse on files in the file chooser dialog.

The problems seems to be that KFileItemDelegate::paint ask for a state with d->animationState(...) and get a state that can have been deleted meanwhile (see kio/kio/kfileitemdelegate.cpp:~1271).

Indeed, DelegateAnimationHandler::animationState (in kio/kio/delegateanimationhandler.cpp:~330) calls setSequenceIndex(0) which has the effect of finally call DelegateAnimationHandler::runAnimations and delete state (in kio/kio/delegateanimationhandler.cpp:~440).

Regards.

Paul.

On 03/13/2014 10:46 PM, Paul Chavent wrote:
> Package: libkio5
> Version: 4:4.11.3-2
> Severity: important
>
> Dear Maintainer,
>
> If i use the libreoffice-kde integration package, the opening of a file dialog
> rises a SIGSEGV.
>
> If i try to attach to the process with gdb or valgrind the problem disapear.
>
> However, i can get a coredump that gives :
>
> Core was generated by `/usr/lib/libreoffice/program/soffice.bin --splash-
> pipe=5'.
> Program terminated with signal 11, Segmentation fault.
> #0  checkValidity (current=..., this=0x540058) at
> .../../kio/kio/delegateanimationhandler_p.h:46
> (gdb) where
> #0  checkValidity (current=..., this=0x540058) at
> .../../kio/kio/delegateanimationhandler_p.h:46
> #1  KFileItemDelegate::paint (this=0x27644d0, painter=0x7fff702f0090,
> option=..., index=...) at ../../kio/kio/kfileitemdelegate.cpp:1291
> #2  0x00007fe31f539791 in QListView::paintEvent (this=0x27769d0, e=<optimized
> out>) at itemviews/qlistview.cpp:1039
> #3  0x00007fe31f071ab0 in QWidget::event (this=this@entry=0x27769d0,
> event=event@entry=0x7fff702f0860) at kernel/qwidget.cpp:8533
> #4  0x00007fe31f40fc5e in QFrame::event (this=0x27769d0, e=0x7fff702f0860) at
> widgets/qframe.cpp:557
> [...]
>
> I also tried to change the line 1291 of kio/kio/kfileitemdelegate.cpp with
>
>              fprintf(stderr, "cache = %p\n", cache);
>              fprintf(stderr, "  valid = %d\n", cache->valid);
>              if (cache->checkValidity(opt.state) && cache->regular.size() ==
> opt.rect.size())
>
> When i run libreoffice and open filechooser dialog i get :
>
> cache = 0x3a37b80
>    valid = 1
> cache = 0x3a37b80
>    valid = 1
> cache = 0x540058
> SIGSEGV
>
> So cache pointer seems to be corrupted.
>
>
>
>
> -- System Information:
> Debian Release: jessie/sid
>    APT prefers testing-updates
>    APT policy: (500, 'testing-updates'), (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages libkio5 depends on:
> ii  libacl1             2.2.52-1
> ii  libattr1            1:2.4.47-1
> ii  libc6               2.18-4
> ii  libkdecore5         4:4.11.3-2
> ii  libkdeui5           4:4.11.3-2
> ii  libnepomuk4         4:4.11.3-2
> ii  libqt4-dbus         4:4.8.5+git209-g718fae5+dfsg-1
> ii  libqt4-network      4:4.8.5+git209-g718fae5+dfsg-1
> ii  libqt4-svg          4:4.8.5+git209-g718fae5+dfsg-1
> ii  libqt4-xml          4:4.8.5+git209-g718fae5+dfsg-1
> ii  libqtcore4          4:4.8.5+git209-g718fae5+dfsg-1
> ii  libqtgui4           4:4.8.5+git209-g718fae5+dfsg-1
> ii  libsolid4           4:4.11.3-2
> ii  libstdc++6          4.8.2-16
> ii  libstreamanalyzer0  0.7.8-1+b1
> ii  libx11-6            2:1.6.2-1
> ii  libxrender1         1:0.9.8-1
>
> Versions of packages libkio5 recommends:
> ii  kdelibs5-plugins  4:4.11.3-2
>
> libkio5 suggests no packages.
>
> -- no debconf information