https://bugs.kde.org/show_bug.cgi?id=438815

            Bug ID: 438815
           Summary: Crash when the stride != texture width
           Product: krfb
           Version: unspecified
          Platform: unspecified
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: grundleb...@googlemail.com
          Reporter: aleix...@kde.org
  Target Milestone: ---

I get this crash when doing the memcpy(); I tried debugging it but didn't see what's exactly wrong.

I know it only happens on my rotated monitor (1920x1200) where the stride != width.

/home/apol/build-devel/frameworks/krfb/bin> /home/apol/build-devel/frameworks/krfb/bin/krfb
Initializing D-Bus connectivity with XDG Desktop Portal
DBus session created: "/org/freedesktop/portal/desktop/request/1_279/krfb1275605531"
Initializing Pipewire connectivity
Stream state changed: connecting
Stream state changed: paused
Stream format changed
Stream state changed: streaming
=================================================================
==20594==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f4b80cf7800 at pc 0x55e2ab8b8f7c bp 0x7f4b81550930 sp 0x7f4b815500e0
READ of size 4800 at 0x7f4b80cf7800 thread T65
    #0 0x55e2ab8b8f7b in __asan_memcpy (/home/apol/build-devel/frameworks/krfb/bin/krfb+0x163f7b)
    #1 0x7f4bb6a4f28f in PWFrameBuffer::Private::handleFrame(pw_buffer*) /home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:815:9
    #2 0x7f4bb6a3a90c in PWFrameBuffer::Private::onStreamProcess(void*) /home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:636:8
    #3 0x7f4bb67c0547 (/usr/lib/libpipewire-0.3.so.0+0x6c547)
    #4 0x7f4b81eead65 (/usr/lib/spa-0.2/support/libspa-support.so+0x6d65)
    #5 0x7f4b81ee9c65 (/usr/lib/spa-0.2/support/libspa-support.so+0x5c65)
    #6 0x7f4b81eec11a (/usr/lib/spa-0.2/support/libspa-support.so+0x811a)
    #7 0x7f4bb67c28f5 (/usr/lib/libpipewire-0.3.so.0+0x6e8f5)
    #8 0x7f4bc005c258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
    #9 0x7f4bbff585e2 in clone (/usr/lib/libc.so.6+0xfe5e2)

0x7f4b80cf7800 is located 0 bytes to the right of 9216000-byte region [0x7f4b8042d800,0x7f4b80cf7800)
allocated by thread T65 here:
    #0 0x55e2ab8ba169 in malloc (/home/apol/build-devel/frameworks/krfb/bin/krfb+0x165169)
    #1 0x7f4bb6a4b6ed in PWFrameBuffer::Private::handleFrame(pw_buffer*) /home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:707:37
    #2 0x7f4bb6a3a90c in PWFrameBuffer::Private::onStreamProcess(void*) /home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:636:8
    #3 0x7f4bb67c0547 (/usr/lib/libpipewire-0.3.so.0+0x6c547)

Thread T65 created by T0 here:
    #0 0x55e2ab829454 in pthread_create (/home/apol/build-devel/frameworks/krfb/bin/krfb+0xd4454)
    #1 0x7f4bb67c2a47 in pw_thread_loop_start (/usr/lib/libpipewire-0.3.so.0+0x6ea47)
    #2 0x7f4bb6a4524a in PWFrameBuffer::Private::handleRemoteDesktopStarted(unsigned int&, QMap<QString, QVariant>&) /home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:477:5
    #3 0x7f4bb6a4403f in PWFrameBuffer::handleXdpRemoteDesktopStarted(unsigned int, QMap<QString, QVariant>) /home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:431:8
    #4 0x7f4bb6a30e4d in PWFrameBuffer::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/apol/build-devel/frameworks/krfb/framebuffers/pipewire/krfb_framebuffer_pw_autogen/EWIEGA46WW/moc_pw_framebuffer.cpp:89:21
    #5 0x7f4bb6a316fa in PWFrameBuffer::qt_metacall(QMetaObject::Call, int, void**) /home/apol/build-devel/frameworks/krfb/framebuffers/pipewire/krfb_framebuffer_pw_autogen/EWIEGA46WW/moc_pw_framebuffer.cpp:125:13
    #6 0x7f4bc097c8ca in QDBusConnectionPrivate::deliverCall(QObject*, int, QDBusMessage const&, QVector<int> const&, int) /home/apol/devel/frameworks/qt5/qtbase/src/dbus/qdbusintegrator.cpp:1001:35
    #7 0x607000022fdf (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/apol/build-devel/frameworks/krfb/bin/krfb+0x163f7b) in __asan_memcpy
Shadow bytes around the buggy address:
==20594==ABORTING
*** Failure: Exit code 1 ***
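As an added illustration (not krfb's code; the handleFrame() loop at pw_framebuffer.cpp:815 is not on this page), a stride-aware row copy whose bounds check refuses a source buffer smaller than the stride-based geometry requires, which is the kind of check that turns the overrun ASan reports above into a clean failure. It is exercised with the report's rotated 1200x1920 geometry as constructed input; BPP, copy_frame_rows and demo_rotated_frame are assumed names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BPP 4  /* bytes per pixel, e.g. BGRx */

/* Copy a frame whose rows are src_stride bytes apart into a tightly packed
 * destination (width * BPP bytes per row). Returns 0 on success, or -1 when
 * either buffer is too small for the geometry instead of overrunning it. */
int copy_frame_rows(uint8_t *dst, size_t dst_size,
                    const uint8_t *src, size_t src_size, size_t src_stride,
                    size_t width, size_t height)
{
    size_t row_bytes = width * BPP;
    if (height == 0)
        return 0;
    if (src_stride < row_bytes)   /* a stride can never be shorter than a packed row */
        return -1;
    /* The last row starts at (height-1)*stride and is row_bytes long; padding
     * after it does not have to exist in the buffer, so do not demand it. */
    size_t needed = (height - 1) * src_stride + row_bytes;
    if (src_size < needed || dst_size < row_bytes * height)
        return -1;
    for (size_t y = 0; y < height; y++)
        memcpy(dst + y * row_bytes, src + y * src_stride, row_bytes);
    return 0;
}

/* Constructed scenario with the report's rotated 1200x1920 geometry. With
 * padded_src == 0 the source is only width*height*BPP bytes (9216000, the
 * ASan region size); a copy that advances by a larger stride would read past
 * it. Returns 0 if every row was copied to the right place, -1 if the bounds
 * check refused the copy, -2 if a row landed in the wrong position. */
int demo_rotated_frame(size_t stride, int padded_src)
{
    size_t w = 1200, h = 1920, row_bytes = w * BPP;
    size_t src_size = padded_src ? stride * h : w * h * BPP;
    uint8_t *src = calloc(src_size, 1), *dst = calloc(w * h * BPP, 1);
    int rc = -1;
    if (src && dst) {
        for (size_t y = 0; y < h && y * stride < src_size; y++)
            src[y * stride] = (uint8_t)y;          /* tag each row's first byte */
        rc = copy_frame_rows(dst, w * h * BPP, src, src_size, stride, w, h);
        for (size_t y = 0; rc == 0 && y < h; y++)
            if (dst[y * row_bytes] != (uint8_t)y)
                rc = -2;
    }
    free(src); free(dst);
    return rc;
}
```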