https://bugs.kde.org/show_bug.cgi?id=377286
Bug ID: 377286
Summary: Git master - clip paint event leads to heap-use-after-free (crash)
Product: kdenlive
Version: git-master
Platform: Compiled Sources
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: User Interface
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
The bug was triggered in a fairly populated timeline, with operations in
various orders among:
- insert clips
- Razor clips
- Split audio
- Ungroup audio
- delete clips
- resize audio
- undo/redo the FULL stack (using the Undo History)
The crash is the following:
=================================================================
==25859==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000cf94b0
at pc 0x0000004dbce3 bp 0x7ffc79f606e0 sp 0x7ffc79f606d0
READ of size 8 at 0x611000cf94b0 thread T0
#0 0x4dbce2 in QListData::isEmpty() const
/usr/include/qt/QtCore/qlist.h:114
#1 0x55958d in QList<QVariant>::isEmpty() const
/usr/include/qt/QtCore/qlist.h:191
#2 0x66bfea in ClipItem::paint(QPainter*, QStyleOptionGraphicsItem const*,
QWidget*)
/home/nicolas/Documents/Developpement/Projets/kdenlive/src/timeline/clipitem.cpp:675
#3 0x7f10feb0de3e (/usr/lib/libQt5Widgets.so.5+0x469e3e)
#4 0x7f10feb0ecfe (/usr/lib/libQt5Widgets.so.5+0x46acfe)
#5 0x7f10feb0f3a9 (/usr/lib/libQt5Widgets.so.5+0x46b3a9)
#6 0x7f10feb31189 in QGraphicsView::paintEvent(QPaintEvent*)
(/usr/lib/libQt5Widgets.so.5+0x48d189)
#7 0x7f10fe83e9b7 in QWidget::event(QEvent*)
(/usr/lib/libQt5Widgets.so.5+0x19a9b7)
#8 0x7f10fe926e1d in QFrame::event(QEvent*)
(/usr/lib/libQt5Widgets.so.5+0x282e1d)
#9 0x7f10feb2fc9a in QGraphicsView::viewportEvent(QEvent*)
(/usr/lib/libQt5Widgets.so.5+0x48bc9a)
#10 0x7f10fb10c640 in
QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*)
(/usr/lib/libQt5Core.so.5+0x287640)
#11 0x7f10fe7f7334 in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(/usr/lib/libQt5Widgets.so.5+0x153334)
#12 0x7f10fe7fead0 in QApplication::notify(QObject*, QEvent*)
(/usr/lib/libQt5Widgets.so.5+0x15aad0)
#13 0x7f10fb10c8df in QCoreApplication::notifyInternal2(QObject*, QEvent*)
(/usr/lib/libQt5Core.so.5+0x2878df)
#14 0x7f10fe837739 in QWidgetPrivate::sendPaintEvent(QRegion const&)
(/usr/lib/libQt5Widgets.so.5+0x193739)
#15 0x7f10fe837d88 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion
const&, QPoint const&, int, QPainter*, QWidgetBackingStore*)
(/usr/lib/libQt5Widgets.so.5+0x193d88)
#16 0x7f10fe80769d (/usr/lib/libQt5Widgets.so.5+0x16369d)
#17 0x7f10fe8078c6 (/usr/lib/libQt5Widgets.so.5+0x1638c6)
#18 0x7f10fe82673e in QWidgetPrivate::syncBackingStore()
(/usr/lib/libQt5Widgets.so.5+0x18273e)
#19 0x7f10fe83ea87 in QWidget::event(QEvent*)
(/usr/lib/libQt5Widgets.so.5+0x19aa87)
#20 0x7f10fe93dd4a in QMainWindow::event(QEvent*)
(/usr/lib/libQt5Widgets.so.5+0x299d4a)
#21 0x7f11029b8009 in KMainWindow::event(QEvent*)
(/usr/lib/libKF5XmlGui.so.5+0x8b009)
#22 0x7f1102a09a84 in KXmlGuiWindow::event(QEvent*)
(/usr/lib/libKF5XmlGui.so.5+0xdca84)
#23 0xd95e80 in MainWindow::event(QEvent*)
/home/nicolas/Documents/Developpement/Projets/kdenlive/src/mainwindow.cpp:757
#24 0x7f10fe7f735b in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(/usr/lib/libQt5Widgets.so.5+0x15335b)
#25 0x7f10fe7fead0 in QApplication::notify(QObject*, QEvent*)
(/usr/lib/libQt5Widgets.so.5+0x15aad0)
#26 0x7f10fb10c8df in QCoreApplication::notifyInternal2(QObject*, QEvent*)
(/usr/lib/libQt5Core.so.5+0x2878df)
#27 0x7f10fb10f06c in QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) (/usr/lib/libQt5Core.so.5+0x28a06c)
#28 0x7f10feb01301 (/usr/lib/libQt5Widgets.so.5+0x45d301)
#29 0x7f10feb06b58 (/usr/lib/libQt5Widgets.so.5+0x462b58)
#30 0x7f10fb138f28 in QObject::event(QEvent*)
(/usr/lib/libQt5Core.so.5+0x2b3f28)
#31 0x7f10feb136ea in QGraphicsScene::event(QEvent*)
(/usr/lib/libQt5Widgets.so.5+0x46f6ea)
#32 0x7f10fe7f735b in QApplicationPrivate::notify_helper(QObject*, QEvent*)
(/usr/lib/libQt5Widgets.so.5+0x15335b)
#33 0x7f10fe7fead0 in QApplication::notify(QObject*, QEvent*)
(/usr/lib/libQt5Widgets.so.5+0x15aad0)
#34 0x7f10fb10c8df in QCoreApplication::notifyInternal2(QObject*, QEvent*)
(/usr/lib/libQt5Core.so.5+0x2878df)
#35 0x7f10fb10f06c in QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) (/usr/lib/libQt5Core.so.5+0x28a06c)
#36 0x7f10fb160eb2 (/usr/lib/libQt5Core.so.5+0x2dbeb2)
#37 0x7f10f42e1586 in g_main_context_dispatch
(/usr/lib/libglib-2.0.so.0+0x4a586)
#38 0x7f10f42e17ef (/usr/lib/libglib-2.0.so.0+0x4a7ef)
#39 0x7f10f42e189b in g_main_context_iteration
(/usr/lib/libglib-2.0.so.0+0x4a89b)
#40 0x7f10fb1612be in
QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(/usr/lib/libQt5Core.so.5+0x2dc2be)
#41 0x7f10fb10ad39 in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
(/usr/lib/libQt5Core.so.5+0x285d39)
#42 0x7f10fb11323b in QCoreApplication::exec()
(/usr/lib/libQt5Core.so.5+0x28e23b)
#43 0xd84fd5 in main
/home/nicolas/Documents/Developpement/Projets/kdenlive/src/main.cpp:153
#44 0x7f10fa264290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
#45 0x498379 in _start
(/home/nicolas/Documents/Developpement/Projets/kdenlive/build/src/kdenlive+0x498379)
0x611000cf94b0 is located 112 bytes inside of 240-byte region
[0x611000cf9440,0x611000cf9530)
freed by thread T0 here:
#0 0x7f11065e1500 in operator delete(void*)
/build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cc:92
#1 0xd36471 in ProjectClip::~ProjectClip()
/home/nicolas/Documents/Developpement/Projets/kdenlive/src/bin/projectclip.cpp:114
#2 0xced6ea in Bin::deleteClip(QString const&)
/home/nicolas/Documents/Developpement/Projets/kdenlive/src/bin/bin.cpp:978
#3 0xd582cf in AddClipCommand::undo()
/home/nicolas/Documents/Developpement/Projets/kdenlive/src/bin/bincommands.cpp:326
#4 0x7f10feb671cc in QUndoCommand::undo()
(/usr/lib/libQt5Widgets.so.5+0x4c31cc)
previously allocated by thread T0 here:
#0 0x7f11065e0e80 in operator new(unsigned long)
/build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cc:60
#1 0xcf387c in Bin::createClip(QDomElement const&)
/home/nicolas/Documents/Developpement/Projets/kdenlive/src/bin/bin.cpp:1339
#2 0xd1be43 in Bin::addClip(QDomElement, QString const&)
/home/nicolas/Documents/Developpement/Projets/kdenlive/src/bin/bin.cpp:3970
#3 0xd583ed in AddClipCommand::redo()
/home/nicolas/Documents/Developpement/Projets/kdenlive/src/bin/bincommands.cpp:335
#4 0x7f10feb6714d in QUndoCommand::redo()
(/usr/lib/libQt5Widgets.so.5+0x4c314d)
SUMMARY: AddressSanitizer: heap-use-after-free
/usr/include/qt/QtCore/qlist.h:114 in QListData::isEmpty() const
Shadow bytes around the buggy address:
==25859==ABORTING
It seems that the binController is being deleted by the redo while a Paint
event of the clip is executed (race condition).
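The freeing stack (AddClipCommand::undo -> Bin::deleteClip -> ProjectClip::~ProjectClip) and the reading stack (ClipItem::paint) are both on thread T0, so the defensive fix is about object lifetime rather than locking: the timeline item must not hold a raw pointer that can outlive the bin clip. The following is an added example, not kdenlive code; the type names mirror the frames in the trace but their bodies are invented, and std::weak_ptr stands in for the QPointer a QObject-derived clip would use.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// Bin clip; in the trace the real one is freed in ProjectClip::~ProjectClip().
struct ProjectClip {
    std::vector<int> markers;  // stands in for the QList that ClipItem::paint() reads
};

// The bin owns its clips; deleteClip() is what AddClipCommand::undo() reaches.
struct Bin {
    std::map<std::string, std::shared_ptr<ProjectClip>> clips;
    void createClip(const std::string &id) { clips[id] = std::make_shared<ProjectClip>(); }
    void deleteClip(const std::string &id) { clips.erase(id); }
};

// Undo command as in the trace: redo() adds the bin clip, undo() deletes it.
struct AddClipCommand {
    Bin &bin;
    std::string id;
    void redo() { bin.createClip(id); }
    void undo() { bin.deleteClip(id); }
};

// Timeline item with a non-owning reference. paint() checks that the clip is
// still alive before reading its data, instead of dereferencing a raw pointer.
struct ClipItem {
    std::weak_ptr<ProjectClip> clip;
    // Returns the number of markers drawn, or -1 when the clip is already gone.
    int paint() const {
        auto live = clip.lock();
        if (!live) return -1;  // clip removed by undo: skip, touch no freed memory
        return static_cast<int>(live->markers.size());
    }
};

// Replays the report's sequence: redo() adds the clip, the timeline item is
// created, optionally undo() removes the clip, then a paint event arrives.
int paintResult(bool undoBeforePaint) {
    Bin bin;
    AddClipCommand cmd{bin, "clip1"};
    cmd.redo();
    bin.clips["clip1"]->markers = {10, 20, 30};  // constructed sample data
    ClipItem item{bin.clips["clip1"]};
    if (undoBeforePaint) cmd.undo();  // ProjectClip destroyed; weak reference expires
    return item.paint();
}
```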