https://bugs.kde.org/show_bug.cgi?id=514900
Bug ID: 514900
Summary: Crash in maliit-keyboard (SIGSEGV in _mm_loadu_si128)
due to invalid surrounding_text length (6881396)
Classification: Plasma
Product: kwin
Version First Reported In: 6.5.5
Platform: Fedora RPMs
OS: Linux
Status: REPORTED
Severity: crash
Priority: NOR
Component: virtual-keyboard
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
SUMMARY
Crash in maliit-keyboard (SIGSEGV in _mm_loadu_si128) due to invalid
surrounding_text length (6881396)
STEPS TO REPRODUCE
1. Use Fedora 43 with KDE Plasma 6.5.5 on a Wayland session.
2. Ensure maliit-keyboard is active or set as the virtual keyboard.
3. Interact with text input fields; the crash may occur.
OBSERVED RESULT
Maliit keyboard crashes
EXPECTED RESULT
Maliit keyboard should not crash
SOFTWARE/OS VERSIONS
Operating System: Fedora Linux 43 (Kinoite)
KDE Plasma Version: 6.5.5
KDE Frameworks Version: 6.22.0
Qt Version: 6.10.1
Kernel Version: 6.18.5-200.fc43.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 6 × Intel® Core™ i5-9400F CPU @ 2.90GHz
Graphics Processor: NVIDIA GeForce GTX 1650
ADDITIONAL INFORMATION
Full backtrace (note that in frame #6 the cursor=6881396 and anchor=7209071 values received over the Wayland protocol are far larger than the surrounding text, which is an empty string in frame #3, and the same 6881396 value reaches QString::fromUtf8 as size in frame #5, so the UTF-8 decoder reads past the end of the buffer):
#0 _mm_loadu_si128(long long __vector(2) const*) (__P=<optimized out>)
at /usr/lib/gcc/x86_64-redhat-linux/15/include/emmintrin.h:1462
No locals.
#1 simdDecodeAscii (dst=<optimized out>, nextAscii=<optimized out>,
src=<optimized out>, end=<optimized out>)
at codecs/qutfcodec.cpp:139
data = <error reading variable data (Cannot access memory at address
0x559dc37aa000)>
BitSpacing = 1
n = <optimized out>
#2 QUtf8::convertToUnicode (buffer=buffer@entry=0x7f89ee6df028,
chars=chars@entry=0x559dc312cdf8 "", len=len@entry=6881396)
at codecs/qutfcodec.cpp:528
dst = 0x7f89ef3c9f66
src = 0x559dc37a9ff9 ""
end = 0x559dc37bce6c <error: Cannot access memory at address 0x559dc37bce6c>
nextAscii = <optimized out>
#3 0x00007f8a47db8a38 in QUtf8::convertToUnicode (chars=0x559dc312cdf8 "",
len=6881396) at codecs/qutfcodec.cpp:487
result = {d = 0x7f89ee6df010}
data = 0x7f89ee6df028
end = <optimized out>
#4 0x00007f8a47c20aa9 in QString::fromUtf8_helper (str=<optimized out>,
size=<optimized out>) at text/qstring.cpp:5598
No locals.
#5 0x00007f8a4963d62b in QString::fromUtf8 (str=<optimized out>, size=6881396)
at /usr/include/qt5/QtCore/qstring.h:703
No locals.
#6
Maliit::Wayland::InputMethodContext::zwp_input_method_context_v1_surrounding_text
(this=0x559dc2c39360, text=...,
cursor=6881396, anchor=7209071)
at
/usr/src/debug/maliit-framework-2.3.0-10.fc43.x86_64/connection/waylandinputmethodconnection.cpp:600
utf8_text = @0x7ffc63150ea8: {d = 0x559dc312cde0}
__PRETTY_FUNCTION__ = <optimized out>
#7 0x00007f8a4963a4ba in
QtWayland::zwp_input_method_context_v1::handle_surrounding_text
(data=0x559dc2c39360,
object=<optimized out>, text=<optimized out>, cursor=6881396, anchor=7209071)
at
/usr/src/debug/maliit-framework-2.3.0-10.fc43.x86_64/redhat-linux-build/qwayland-input-method-unstable-v1.cpp:207
No locals.
#8 0x00007f8a46fe5056 in ffi_call_unix64 () at ../src/x86/unix64.S:104
No locals.
#9 0x00007f8a46fe0d16 in ffi_call_int (cif=cif@entry=0x7ffc63151140,
fn=fn@entry=0x7f8a4963a450
<QtWayland::zwp_input_method_context_v1::handle_surrounding_text(void*,
zwp_input_method_context_v1*, char const*, unsigned int, unsigned int)>,
rvalue=<optimized out>, rvalue@entry=0x0, avalue=avalue@entry=0x7ffc63151210,
closure=closure@entry=0x0) at ../src/x86/ffi64.c:676
classes = {X86_64_INTEGERSI_CLASS, X86_64_NO_CLASS, 1191090528, 32650}
stack = <optimized out>
argp = 0x7ffc63150f90 ""
arg_types = <optimized out>
gprcount = 5
ssecount = <optimized out>
ngpr = 1
nsse = 0
i = <optimized out>
avn = <optimized out>
flags = <optimized out>
reg_args = <optimized out>
#10 0x00007f8a46fe37ae in ffi_call (cif=cif@entry=0x7ffc63151140,
fn=0x7f8a4963a450
<QtWayland::zwp_input_method_context_v1::handle_surrounding_text(void*,
zwp_input_method_context_v1*, char const*, unsigned int, unsigned int)>,
rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffc63151210) at
../src/x86/ffi64.c:713
arg_types = <optimized out>
i = <optimized out>
nargs = <optimized out>
max_reg_struct_size = <optimized out>
#11 0x00007f8a472e7feb in wl_closure_invoke
(closure=closure@entry=0x7f8a200049f0, target=<optimized out>,
target@entry=0x7f8a28001510, opcode=opcode@entry=0, data=<optimized out>,
flags=1) at ../src/connection.c:1241
count = 3
cif = {abi = FFI_UNIX64, nargs = 5, arg_types = 0x7ffc63151160, rtype =
0x7f8a46fe98c0 <ffi_type_void>, bytes = 0,
flags = 0}
ffi_types = {0x7f8a46fe99c0 <ffi_type_pointer>, 0x7f8a46fe99c0
<ffi_type_pointer>, 0x7f8a46fe99c0 <ffi_type_pointer>,
0x7f8a46fe9960 <ffi_type_uint32>, 0x7f8a46fe9960 <ffi_type_uint32>,
0x7f8a491359d5 <QSGGuiThreadRenderLoop::exposureChanged(QQuickWindow*)+117>,
0x559dc2c6b820, 0x7ffc631512e0, 0x0,
0x559dc2c6af20, 0x559dc29794b0, 0x3a9ae7e3db311900, 0x1, 0x559dc2c6af20,
0x7ffc631512e0, 0x559dc29794b0,
0x7ffc63151250, 0x7f8a4811a9a5 <QWindow::event(QEvent*)+293>, 0x160000000b,
0x3a9ae7e3db311900, 0x559dc2c6af20,
0x559dc2c6af20}
ffi_args = {0x7ffc63151120, 0x7ffc63151128, 0x7f8a20004a08, 0x7f8a20004a10,
0x7f8a20004a18, 0x0, 0x20, 0x7f8a4343ba40,
0x7ffc63151270, 0x7f8a47621c84 <__syscall_cancel+20>, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0,
0x7f8a488a21c8 <g_wakeup_signal+136>, 0x1, 0x3a9ae7e3db311900,
0x7f8a4870c010 <QWindowSystemInterfacePrivate::windowSystemEventQueue>,
0x559dc364e880}
implementation = <optimized out>
#12 0x00007f8a472e8e49 in dispatch_event (display=display@entry=0x559dc29862e0,
queue=queue@entry=0x559dc29863d8)
at ../src/wayland-client.c:1707
closure = 0x7f8a200049f0
proxy = 0x7f8a28001510
opcode = 0
proxy_destroyed = <optimized out>
#13 0x00007f8a472e9243 in dispatch_queue (display=0x559dc29862e0,
queue=0x559dc29863d8) at ../src/wayland-client.c:1853
count = 0
#14 wl_display_dispatch_queue_pending (display=0x559dc29862e0,
queue=0x559dc29863d8) at ../src/wayland-client.c:2190
ret = <optimized out>
#15 0x00007f8a35475afe in QtWaylandClient::QWaylandDisplay::flushRequests
(this=<optimized out>)
at
/usr/src/debug/qt5-qtwayland-5.15.18-1.fc43.x86_64/src/client/qwaylanddisplay.cpp:255
No locals.
#16 0x00007f8a47d8ccb4 in QObject::event (this=<optimized out>, e=<optimized
out>) at kernel/qobject.cpp:1347
mce = <optimized out>
sender = {previous = 0x0, receiver = 0x559dc2984440, sender = 0x559dc2a251b0,
signal = 5}
#17 0x00007f8a47d5f778 in QCoreApplication::notifyInternal2
(receiver=0x559dc2984440, event=0x7f8a28001400)
at kernel/qcoreapplication.cpp:1064
selfRequired = true
result = false
cbdata = {0x559dc2984440, 0x7f8a28001400, 0x7ffc6315147f}
d = <optimized out>
threadData = 0x559dc29794b0
scopeLevelCounter = {threadData = 0x559dc29794b0}
#18 0x00007f8a47d5f992 in QCoreApplication::sendEvent (receiver=<optimized
out>, event=<optimized out>)
at kernel/qcoreapplication.cpp:1462
No locals.
#19 0x00007f8a47d62ca8 in QCoreApplicationPrivate::sendPostedEvents
(receiver=0x0, event_type=event_type@entry=0,
data=0x559dc29794b0) at kernel/qcoreapplication.cpp:1821
e = 0x7f8a28001400
pe = <optimized out>
r = 0x559dc2984440
relocker = <optimized out>
event_deleter = {d = 0x7f8a28001400}
locker = {_M_device = 0x559dc29794e0, _M_owns = true}
startOffset = 0
i = @0x559dc29794d4: 1
cleanup = {receiver = 0x0, event_type = 0, data = 0x559dc29794b0,
exceptionCaught = true}
#20 0x00007f8a47d62f50 in QCoreApplication::sendPostedEvents
(receiver=<optimized out>, event_type=0)
at kernel/qcoreapplication.cpp:1680
data = <optimized out>
#21 0x00007f8a47db54cf in postEventSourceDispatch (s=0x559dc2a25840) at
kernel/qeventdispatcher_glib.cpp:277
source = 0x559dc2a25840
#22 0x00007f8a4884e2a3 in g_main_dispatch (context=0x7f8a30000f20) at
../glib/gmain.c:3565
dispatch = 0x7f8a47db54b0 <postEventSourceDispatch(GSource*, GSourceFunc,
gpointer)>
prev_source = 0x0
begin_time_nsec = 36065968130
was_in_call = 0
user_data = 0x0
callback = 0x0
cb_funcs = 0x0
cb_data = 0x0
need_destroy = <optimized out>
source = 0x559dc2a25840
current = 0x559dc317a2e0
i = 0
__func__ = <optimized out>
#23 g_main_context_dispatch_unlocked (context=0x7f8a30000f20) at
../glib/gmain.c:4425
No locals.
#24 0x00007f8a488571f8 in g_main_context_iterate_unlocked
(context=context@entry=0x7f8a30000f20, block=block@entry=1,
dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4490
max_priority = 2147483647
timeout_usec = 21985000
some_ready = 1
nfds = 1
allocated_nfds = <optimized out>
fds = <optimized out>
begin_time_nsec = <optimized out>
#25 0x00007f8a488573a3 in g_main_context_iteration (context=0x7f8a30000f20,
may_block=1) at ../glib/gmain.c:4556
retval = <optimized out>
#26 0x00007f8a47db4f67 in QEventDispatcherGlib::processEvents
(this=0x559dc2a49710, flags=...)
at kernel/qeventdispatcher_glib.cpp:423
d = 0x559dc2a24a60
canWait = <optimized out>
savedFlags = {i = 0}
result = <optimized out>
#27 0x00007f8a47d5e0e2 in QEventLoop::exec (this=this@entry=0x7ffc631517d0,
flags=..., flags@entry=...)
at ../../include/QtCore/../../src/corelib/global/qflags.h:69
d = 0x559dc31354d0
threadData = <optimized out>
locker = {val = 94136062940584}
ref = <optimized out>
app = <optimized out>
#28 0x00007f8a47d664c4 in QCoreApplication::exec () at
kernel/qcoreapplication.cpp:1375
threadData = 0x559dc29794b0
eventLoop = {<QObject> = {_vptr.QObject = 0x7f8a48083b28 <vtable for
QEventLoop+16>, static staticMetaObject = {d = {
superdata = {direct = 0x0}, stringdata = 0x7f8a47fc1380
<qt_meta_stringdata_QObject>,
data = 0x7f8a47fc1260 <qt_meta_data_QObject>,
static_metacall = 0x7f8a47d93620 <QObject::qt_static_metacall(QObject*,
QMetaObject::Call, int, void**)>,
relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x559dc31354d0},
static staticQtMetaObject = {d = {
superdata = {direct = 0x0}, stringdata = 0x7f8a47fc4340
<qt_meta_stringdata_Qt>,
data = 0x7f8a47fc14a0 <qt_meta_data_Qt>, static_metacall = 0x0,
relatedMetaObjects = 0x0, extradata = 0x0}}},
static staticMetaObject = {d = {superdata = {direct = 0x7f8a4807b3a0
<QObject::staticMetaObject>},
stringdata = 0x7f8a47fbd540 <qt_meta_stringdata_QEventLoop>, data =
0x7f8a47fbd4e0 <qt_meta_data_QEventLoop>,
static_metacall = 0x7f8a47d5ddc0 <QEventLoop::qt_static_metacall(QObject*,
QMetaObject::Call, int, void**)>,
relatedMetaObjects = 0x0, extradata = 0x0}}}
returnCode = <optimized out>
#29 0x00007f8a48102bad in QGuiApplication::exec () at
kernel/qguiapplication.cpp:1863
No locals.
#30 0x0000559dbd49ae0d in main (argc=<optimized out>, argv=<optimized out>)
at
/usr/src/debug/maliit-keyboard-2.3.1-11.fc43.x86_64/src/keyboard/keyboard.cpp:40
app = {<QCoreApplication> = {<QObject> = {_vptr.QObject = 0x7f8a486f5260
<vtable for QGuiApplication+16>,
static staticMetaObject = {d = {superdata = {direct = 0x0},
stringdata = 0x7f8a47fc1380 <qt_meta_stringdata_QObject>, data = 0x7f8a47fc1260
<qt_meta_data_QObject>,
static_metacall = 0x7f8a47d93620 <QObject::qt_static_metacall(QObject*,
QMetaObject::Call, int, void**)>,
relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x559dc2979380},
static staticQtMetaObject = {d = {
superdata = {direct = 0x0}, stringdata = 0x7f8a47fc4340
<qt_meta_stringdata_Qt>,
data = 0x7f8a47fc14a0 <qt_meta_data_Qt>, static_metacall = 0x0,
relatedMetaObjects = 0x0, extradata = 0x0}}},
static staticMetaObject = {d = {superdata = {direct = 0x7f8a4807b3a0
<QObject::staticMetaObject>},
stringdata = 0x7f8a47fbd740 <qt_meta_stringdata_QCoreApplication>,
data = 0x7f8a47fbd620 <qt_meta_data_QCoreApplication>,
static_metacall = 0x7f8a47d61040
<QCoreApplication::qt_static_metacall(QObject*, QMetaObject::Call, int,
void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, static self =
0x7ffc63151870}, static staticMetaObject = {d = {superdata = {
direct = 0x7f8a48083cc0 <QCoreApplication::staticMetaObject>},
stringdata = 0x7f8a4862c860 <qt_meta_stringdata_QGuiApplication>,
data = 0x7f8a4862c5e0 <qt_meta_data_QGuiApplication>,
static_metacall = 0x7f8a48103c40 <QGuiApplication::qt_static_metacall(QObject*,
QMetaObject::Call, int, void**)>,
relatedMetaObjects = 0x0, extradata = 0x0}}}
plugin = {<QObject> = {_vptr.QObject = 0x559dbd4d7000 <vtable for
MaliitKeyboardPlugin+16>, static staticMetaObject = {
d = {superdata = {direct = 0x0}, stringdata = 0x7f8a47fc1380
<qt_meta_stringdata_QObject>,
data = 0x7f8a47fc1260 <qt_meta_data_QObject>,
static_metacall = 0x7f8a47d93620 <QObject::qt_static_metacall(QObject*,
QMetaObject::Call, int, void**)>,
relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x559dc2c4c350},
static staticQtMetaObject = {d = {
superdata = {direct = 0x0}, stringdata = 0x7f8a47fc4340
<qt_meta_stringdata_Qt>,
data = 0x7f8a47fc14a0 <qt_meta_data_Qt>, static_metacall = 0x0,
relatedMetaObjects = 0x0,
extradata = 0x0}}}, <Maliit::Plugins::InputMethodPlugin> = {
_vptr.InputMethodPlugin = 0x559dbd4d7088 <vtable for
MaliitKeyboardPlugin+152>}, static staticMetaObject = {d = {
superdata = {direct = 0x7f8a4807b3a0 <QObject::staticMetaObject>},
stringdata = 0x559dbd4cc440 <qt_meta_stringdata_MaliitKeyboardPlugin>,
data = 0x559dbd4c9b80 <qt_meta_data_MaliitKeyboardPlugin>,
static_metacall = 0x559dbd49b1c0
<MaliitKeyboardPlugin::qt_static_metacall(QObject*, QMetaObject::Call, int,
void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}}
inputMethod = {<QObject> = {_vptr.QObject = 0x7f8a496a3cf0 <vtable for
Maliit::StandaloneInputMethod+16>,
static staticMetaObject = {d = {superdata = {direct = 0x0}, stringdata =
0x7f8a47fc1380 <qt_meta_stringdata_QObject>,
data = 0x7f8a47fc1260 <qt_meta_data_QObject>,
static_metacall = 0x7f8a47d93620 <QObject::qt_static_metacall(QObject*,
QMetaObject::Call, int, void**)>,
relatedMetaObjects = 0x0, extradata = 0x0}}, d_ptr = {d = 0x559dc2c62250},
static staticQtMetaObject = {d = {
superdata = {direct = 0x0}, stringdata = 0x7f8a47fc4340
<qt_meta_stringdata_Qt>,
data = 0x7f8a47fc14a0 <qt_meta_data_Qt>, static_metacall = 0x0,
relatedMetaObjects = 0x0, extradata = 0x0}}},
static staticMetaObject = {d = {superdata = {direct = 0x7f8a4807b3a0
<QObject::staticMetaObject>},
stringdata = 0x7f8a49683540 <qt_meta_stringdata_Maliit__StandaloneInputMethod>,
data = 0x7f8a49680440 <qt_meta_data_Maliit__StandaloneInputMethod>,
static_metacall = 0x7f8a495ff620
<Maliit::StandaloneInputMethod::qt_static_metacall(QObject*, QMetaObject::Call,
int,void**)>, relatedMetaObjects = 0x0, extradata = 0x0}}, mConnection =
std::unique_ptr<MInputContextConnection> = {
get() = 0x559dc2a24820}, mPlatform = {value = 0x559dc2c62390, d =
0x559dc2c623d0},
mWindowGroup = std::unique_ptr<Maliit::WindowGroup> = {get() = 0x559dc2c623f0},
mInputMethodHost = std::unique_ptr<Maliit::StandaloneInputMethodHost> = {get()
= 0x559dc2c625e0},
mInputMethod = std::unique_ptr<MAbstractInputMethod> = {get() =
0x559dc2c63370}}