https://bugs.kde.org/show_bug.cgi?id=438815
Bug ID: 438815
Summary: Crash when the stride != texture width
Product: krfb
Version: unspecified
Platform: unspecified
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
I get this crash when doing the memcpy(); I tried debugging it but didn't see what
exactly is wrong. I know it only happens on my rotated monitor (1920x1200), where
the stride != width.
/home/apol/build-devel/frameworks/krfb/bin>
/home/apol/build-devel/frameworks/krfb/bin/krfb
Initializing D-Bus connectivity with XDG Desktop Portal
DBus session created:
"/org/freedesktop/portal/desktop/request/1_279/krfb1275605531"
Initializing Pipewire connectivity
Stream state changed: connecting
Stream state changed: paused
Stream format changed
Stream state changed: streaming
=================================================================
==20594==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7f4b80cf7800 at pc 0x55e2ab8b8f7c bp 0x7f4b81550930 sp 0x7f4b815500e0
READ of size 4800 at 0x7f4b80cf7800 thread T65
#0 0x55e2ab8b8f7b in __asan_memcpy
(/home/apol/build-devel/frameworks/krfb/bin/krfb+0x163f7b)
#1 0x7f4bb6a4f28f in PWFrameBuffer::Private::handleFrame(pw_buffer*)
/home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:815:9
#2 0x7f4bb6a3a90c in PWFrameBuffer::Private::onStreamProcess(void*)
/home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:636:8
#3 0x7f4bb67c0547 (/usr/lib/libpipewire-0.3.so.0+0x6c547)
#4 0x7f4b81eead65 (/usr/lib/spa-0.2/support/libspa-support.so+0x6d65)
#5 0x7f4b81ee9c65 (/usr/lib/spa-0.2/support/libspa-support.so+0x5c65)
#6 0x7f4b81eec11a (/usr/lib/spa-0.2/support/libspa-support.so+0x811a)
#7 0x7f4bb67c28f5 (/usr/lib/libpipewire-0.3.so.0+0x6e8f5)
#8 0x7f4bc005c258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
#9 0x7f4bbff585e2 in clone (/usr/lib/libc.so.6+0xfe5e2)
0x7f4b80cf7800 is located 0 bytes to the right of 9216000-byte region
[0x7f4b8042d800,0x7f4b80cf7800)
allocated by thread T65 here:
#0 0x55e2ab8ba169 in malloc
(/home/apol/build-devel/frameworks/krfb/bin/krfb+0x165169)
#1 0x7f4bb6a4b6ed in PWFrameBuffer::Private::handleFrame(pw_buffer*)
/home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:707:37
#2 0x7f4bb6a3a90c in PWFrameBuffer::Private::onStreamProcess(void*)
/home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:636:8
#3 0x7f4bb67c0547 (/usr/lib/libpipewire-0.3.so.0+0x6c547)
Thread T65 created by T0 here:
#0 0x55e2ab829454 in pthread_create
(/home/apol/build-devel/frameworks/krfb/bin/krfb+0xd4454)
#1 0x7f4bb67c2a47 in pw_thread_loop_start
(/usr/lib/libpipewire-0.3.so.0+0x6ea47)
#2 0x7f4bb6a4524a in
PWFrameBuffer::Private::handleRemoteDesktopStarted(unsigned int&, QMap<QString,
QVariant>&)
/home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:477:5
#3 0x7f4bb6a4403f in PWFrameBuffer::handleXdpRemoteDesktopStarted(unsigned
int, QMap<QString, QVariant>)
/home/apol/devel/frameworks/krfb/framebuffers/pipewire/pw_framebuffer.cpp:431:8
#4 0x7f4bb6a30e4d in PWFrameBuffer::qt_static_metacall(QObject*,
QMetaObject::Call, int, void**)
/home/apol/build-devel/frameworks/krfb/framebuffers/pipewire/krfb_framebuffer_pw_autogen/EWIEGA46WW/moc_pw_framebuffer.cpp:89:21
#5 0x7f4bb6a316fa in PWFrameBuffer::qt_metacall(QMetaObject::Call, int,
void**)
/home/apol/build-devel/frameworks/krfb/framebuffers/pipewire/krfb_framebuffer_pw_autogen/EWIEGA46WW/moc_pw_framebuffer.cpp:125:13
#6 0x7f4bc097c8ca in QDBusConnectionPrivate::deliverCall(QObject*, int,
QDBusMessage const&, QVector<int> const&, int)
/home/apol/devel/frameworks/qt5/qtbase/src/dbus/qdbusintegrator.cpp:1001:35
#7 0x607000022fdf (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/apol/build-devel/frameworks/krfb/bin/krfb+0x163f7b) in __asan_memcpy
Shadow bytes around the buggy address:
==20594==ABORTING
*** Failure: Exit code 1 ***
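The numbers in the trace line up with a stride/width mix-up: 9216000 bytes is 1200 x 1920 x 4, and the 4800-byte read is one 1200-pixel row. The following is an added example, not krfb's code, showing a row copy that validates the strided geometry against both buffer sizes before touching memory; the rotated 1200x1920 layout with an unrotated 7680-byte stride is a constructed assumption about the reporter's setup, and BPP=4 is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BPP 4 /* assumed bytes per pixel (32-bit BGRx/RGBx) */

/* Bytes a strided frame actually occupies: the last row starts at
 * (height-1)*stride and only needs width*BPP bytes. When stride > width*BPP
 * this is larger than the width*height*BPP a tightly packed copy needs. */
size_t frame_span(uint32_t width, uint32_t height, uint32_t stride)
{
    if (height == 0) return 0;
    return (size_t)(height - 1) * stride + (size_t)width * BPP;
}

/* Copy a tightly packed width*height*BPP image out of a strided source.
 * Returns rows copied, or -1 if the geometry does not fit either buffer. */
long copy_frame_rows(uint8_t *dst, size_t dst_len,
                     const uint8_t *src, size_t src_len,
                     uint32_t width, uint32_t height, uint32_t stride)
{
    size_t row_bytes = (size_t)width * BPP;
    if (stride < row_bytes) return -1;                          /* rows would overlap */
    if (dst_len < row_bytes * height) return -1;                /* destination too small */
    if (src_len < frame_span(width, height, stride)) return -1; /* source sized by width, not stride */
    for (uint32_t y = 0; y < height; y++)
        memcpy(dst + (size_t)y * row_bytes, src + (size_t)y * stride, row_bytes);
    return (long)height;
}

/* Constructed scenario: a 1920x1200 panel rotated to 1200x1920, destination
 * sized width*height*BPP (9216000 bytes), source of src_len bytes addressed
 * with the given stride. Returns copy_frame_rows()'s result, -2 on OOM,
 * -3 if the copied last row does not carry its row marker. */
long try_rotated_copy(uint32_t stride, size_t src_len)
{
    const uint32_t w = 1200, h = 1920;
    size_t dst_len = (size_t)w * h * BPP;
    uint8_t *src = calloc(src_len, 1), *dst = calloc(dst_len, 1);
    if (!src || !dst) { free(src); free(dst); return -2; }
    for (uint32_t y = 0; y < h && (size_t)y * stride < src_len; y++)
        src[(size_t)y * stride] = (uint8_t)y; /* tag each row with its index */
    long rows = copy_frame_rows(dst, dst_len, src, src_len, w, h, stride);
    if (rows == (long)h && dst[(size_t)(h - 1) * w * BPP] != (uint8_t)(h - 1)) rows = -3;
    free(src); free(dst);
    return rows;
}
```

With a 7680-byte stride and a source sized by width (9216000 bytes) the copy refuses instead of reading past the region, which is the ASan-reported offset of exactly 0 bytes past the end; sizing the source by frame_span() or using the packed 4800-byte stride both succeed.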