https://bugs.kde.org/show_bug.cgi?id=438815

            Bug ID: 438815
           Summary: Crash when the stride != texture width
           Product: krfb
           Version: unspecified
          Platform: unspecified
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: grundleb...@googlemail.com
          Reporter: aleix...@kde.org
  Target Milestone: ---

I get this crash when doing the memcpy(); I tried debugging it but didn't see what
exactly is wrong. I know it only happens on my rotated monitor (1920x1200), where
the stride != width.

/home/apol/build-devel/frameworks/krfb/bin>
/home/apol/build-devel/frameworks/krfb/bin/krfb
  Initializing D-Bus connectivity with XDG Desktop Portal
  DBus session created: 
"/org/freedesktop/portal/desktop/request/1_279/krfb1275605531"
  Initializing Pipewire connectivity
  Stream state changed:  connecting
  Stream state changed:  paused
  Stream format changed
  Stream state changed:  streaming
=================================================================
==20594==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7f4b80cf7800 at pc 0x55e2ab8b8f7c bp 0x7f4b81550930 sp 0x7f4b815500e0
READ of size 4800 at 0x7f4b80cf7800 thread T65
    #0 0x55e2ab8b8f7b in __asan_memcpy
(/home/apol/build-devel/frameworks/krfb/bin/krfb+0x163f7b)
    #1 0x7f4bb6a4f28f in PWFrameBuffer::Private::handleFrame(pw_buffer*)
/home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:815:9
    #2 0x7f4bb6a3a90c in PWFrameBuffer::Private::onStreamProcess(void*)
/home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:636:8
    #3 0x7f4bb67c0547  (/usr/lib/libpipewire-0.3.so.0+0x6c547)
    #4 0x7f4b81eead65  (/usr/lib/spa-0.2/support/libspa-support.so+0x6d65)
    #5 0x7f4b81ee9c65  (/usr/lib/spa-0.2/support/libspa-support.so+0x5c65)
    #6 0x7f4b81eec11a  (/usr/lib/spa-0.2/support/libspa-support.so+0x811a)
    #7 0x7f4bb67c28f5  (/usr/lib/libpipewire-0.3.so.0+0x6e8f5)
    #8 0x7f4bc005c258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
    #9 0x7f4bbff585e2 in clone (/usr/lib/libc.so.6+0xfe5e2)

0x7f4b80cf7800 is located 0 bytes to the right of 9216000-byte region
[0x7f4b8042d800,0x7f4b80cf7800)
allocated by thread T65 here:
    #0 0x55e2ab8ba169 in malloc
(/home/apol/build-devel/frameworks/krfb/bin/krfb+0x165169)
    #1 0x7f4bb6a4b6ed in PWFrameBuffer::Private::handleFrame(pw_buffer*)
/home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:707:37
    #2 0x7f4bb6a3a90c in PWFrameBuffer::Private::onStreamProcess(void*)
/home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:636:8
    #3 0x7f4bb67c0547  (/usr/lib/libpipewire-0.3.so.0+0x6c547)

Thread T65 created by T0 here:
    #0 0x55e2ab829454 in pthread_create
(/home/apol/build-devel/frameworks/krfb/bin/krfb+0xd4454)
    #1 0x7f4bb67c2a47 in pw_thread_loop_start
(/usr/lib/libpipewire-0.3.so.0+0x6ea47)
    #2 0x7f4bb6a4524a in
PWFrameBuffer::Private::handleRemoteDesktopStarted(unsigned int&, QMap<QString,
QVariant>&)
/home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:477:5
    #3 0x7f4bb6a4403f in PWFrameBuffer::handleXdpRemoteDesktopStarted(unsigned
int, QMap<QString, QVariant>)
/home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:431:8
    #4 0x7f4bb6a30e4d in PWFrameBuffer::qt_static_metacall(QObject*,
QMetaObject::Call, int, void**)
/home/apol/build-devel/frameworks/krfb/framebuffers/pipewire/krfb_framebuffer_pw_autogen/EWIEGA46WW/moc_pw_framebuffer.cpp:89:21
    #5 0x7f4bb6a316fa in PWFrameBuffer::qt_metacall(QMetaObject::Call, int,
void**)
/home/apol/build-devel/frameworks/krfb/framebuffers/pipewire/krfb_framebuffer_pw_autogen/EWIEGA46WW/moc_pw_framebuffer.cpp:125:13
    #6 0x7f4bc097c8ca in QDBusConnectionPrivate::deliverCall(QObject*, int,
QDBusMessage const&, QVector<int> const&, int)
/home/apol/devel/frameworks/qt5/qtbase/src/dbus/qdbusintegrator.cpp:1001:35
    #7 0x607000022fdf  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/apol/build-devel/frameworks/krfb/bin/krfb+0x163f7b) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0fe9f0196eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9f0196ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9f0196ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9f0196ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9f0196ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe9f0196f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe9f0196f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe9f0196f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe9f0196f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe9f0196f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe9f0196f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==20594==ABORTING
*** Failure: Exit code 1 ***
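The failure mode above is a frame copy that assumes packed rows (stride == width * bpp) while the buffer it was given is sized for that packed layout. The following is an added example, not krfb's code: a row-by-row copy that validates both buffer sizes against the stride before any memcpy. The 1200x1920 at 4 bytes/pixel geometry (9216000 bytes, the region size in the ASan report) is taken from the report; the padded stride of 4864 is an assumed value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bytes a strided frame actually occupies: (height - 1) full strides plus
 * one final row of width * bpp.  The last row need not carry padding. */
static size_t frame_bytes_needed(size_t width, size_t height, size_t bpp, size_t stride)
{
    if (height == 0 || width == 0)
        return 0;
    return (height - 1) * stride + width * bpp;
}

/* Copy a strided frame into a packed (stride == width * bpp) buffer, row by
 * row.  Returns 0 on success, -1 if the stride is narrower than a row or if
 * either buffer is too small, instead of letting memcpy run off the end. */
static int copy_frame_checked(uint8_t *dst, size_t dst_size,
                              const uint8_t *src, size_t src_size,
                              size_t width, size_t height, size_t bpp, size_t stride)
{
    size_t row_bytes = width * bpp;
    if (stride < row_bytes)
        return -1;
    if (frame_bytes_needed(width, height, bpp, stride) > src_size)
        return -1;
    if (row_bytes * height > dst_size)
        return -1;
    for (size_t y = 0; y < height; y++)
        memcpy(dst + y * row_bytes, src + y * stride, row_bytes);
    return 0;
}

/* Constructed scenario modelled on the report: 1200x1920 at 4 bytes/pixel is
 * a 9216000-byte packed buffer.  If the producer's stride is padded (assumed
 * value 4864), that buffer is too small for a strided read and the checked
 * copy refuses rather than reading one row past the allocation. */
static int demo_rotated_frame(size_t stride)
{
    const size_t w = 1200, h = 1920, bpp = 4;
    size_t packed = w * h * bpp;          /* 9216000, as in the ASan region */
    uint8_t *src = calloc(packed, 1);     /* only the packed size is mapped */
    uint8_t *dst = calloc(packed, 1);
    int rc = -2;                          /* -2: allocation failed */
    if (src && dst)
        rc = copy_frame_checked(dst, packed, src, packed, w, h, bpp, stride);
    free(src);
    free(dst);
    return rc;
}
```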
