A NULL pointer dereference was found in the way kdelibs used to detect HTML page encoding based on input stream decoding. Opening a certain HTML page would lead to denial of service (konqueror crash).
This issue does NOT affect the versions of kdelibs package, as shipped with Red Hat Enterprise Linux 3, 4, or 5. This issue affects the versions of kdelibs package, as shipped with Fedora 10 and 11. Please fix.
Created attachment 357800
Downloaded reproducer

Scenario:
--------
1, tar xvzf 2008-chrome.tgz
2, konqueror chrome/Chrome\ SaveAs\ Poc.html
F10 kdelibs-4.2.4-6.fc10 gdb output:

Core was generated by `konqueror --nocrashhandler Chrome SaveAs Poc.html'.
Program terminated with signal 11, Segmentation fault.
[New process 6268]
#0  is16Bit (codec=0x0) at /usr/src/debug/kdelibs-4.2.4/kdecore/localization/kencodingdetector.cpp:62
62          switch (codec->mibEnum())
(gdb) info args
codec = (class QTextCodec *) 0x0
(gdb) bt
#0  is16Bit (codec=0x0) at /usr/src/debug/kdelibs-4.2.4/kdecore/localization/kencodingdetector.cpp:62
#1  0x0422634f in KEncodingDetector::analyze (this=0x9b8bda8, data=0x9b68ba0 "��<", len=12550) at /usr/src/debug/kdelibs-4.2.4/kdecore/localization/kencodingdetector.cpp:914
#2  0x04227b49 in KEncodingDetector::decodeWithBuffering (this=0x9b8bda8, data=0x9b68ba0 "��<", len=12550) at /usr/src/debug/kdelibs-4.2.4/kdecore/localization/kencodingdetector.cpp:802
...

Relevant function (kdelibs-4.2.4/kdecore/localization/kencodingdetector.cpp):

static bool is16Bit(QTextCodec* codec)
{
    switch (codec->mibEnum()) {
    case MibUtf16:
    case MibUtf16BE:
    case MibUtf16LE:
    case MibUcs2:
        return true;
    default:
        return false;
    }
}
And relevant valgrind output:
-----------------------------
...
==6115== Invalid read of size 4
==6115==    at 0x487E726: kencodingprober::UnicodeGroupProber::HandleData(char const*, unsigned) (UnicodeGroupProber.cpp:86)
==6115==    by 0x487F34E: KEncodingDetector::analyze(char const*, int) (CharDistribution.h:55)
==6115==    by 0x4880B48: kencodingprober::nsMBCSGroupProber::~nsMBCSGroupProber() (nsMBCSGroupProber.cpp:58)
==6115==    by 0xAB1334D: QVector<QString>::append(QString const&) (qstring.h:711)
==6115==    by 0xAB14D02: KHTMLPartBrowserExtension::copy() (khtml_ext.cpp:209)
==6115==    by 0xAB31536: KHTMLPart::qt_metacall(QMetaObject::Call, int, void**) (khtmlfind.cpp:505)
==6115==    by 0x3ECD6B7: QList<QObjectPrivate::Connection>::detach_helper() (qlist.h:357)
==6115==    by 0x3ECE341: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobjectcleanuphandler.cpp:116)
==6115==    by 0x72B0D68: KIO::TransferJob::data(KIO::Job*, QByteArray const&) (qlist.h:667)
==6115==    by 0x72B1671: KIO::storedHttpPost(QByteArray const&, KUrl const&, QFlags<KIO::JobFlag>) (job.cpp:1435)
==6115==    by 0x72BB8E4: KIO::TransferJobPrivate::~TransferJobPrivate() (qmap.h:157)
==6115==    by 0x3ECD6B7: QList<QObjectPrivate::Connection>::detach_helper() (qlist.h:357)
==6115==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

KCrash: Application 'konqueror' crashing...
sock_file=/root/.kde/socket-dhcp-lab164.englab.brq.redhat.com/kdeinit4__0
Looks like adding: if (!codec) return false; before the offending line should fix this.
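The guard suggested above, worked through as an added example (this is not kdelibs code and does not link against Qt): a minimal constructed stand-in for QTextCodec, a name lookup that, like QTextCodec::codecForName(), returns a null pointer for a charset it does not know, the original unguarded predicate beside the guarded one, and a caller that treats a failed lookup as an explicit fallback instead of passing the null pointer on. The Mib* values are the IANA charset MIB numbers; the Codec struct, codecForName() table and analyzeCharset() are assumptions made for the example.

```cpp
// Added example, not kdelibs code: why is16Bit() crashes on a null codec
// and how the suggested null check (plus an explicit fallback) fixes it.
#include <cstdio>
#include <map>
#include <string>

// Constructed stand-in for QTextCodec: only mibEnum() is modelled.
struct Codec {
    int mib;
    int mibEnum() const { return mib; }
};

// IANA charset MIB numbers for the encodings used below.
enum {
    MibLatin1  = 4,
    MibUtf8    = 106,
    MibUcs2    = 1000,
    MibUtf16BE = 1013,
    MibUtf16LE = 1014,
    MibUtf16   = 1015
};

// Constructed lookup table. Like QTextCodec::codecForName(), an unknown
// name yields a null pointer, which is exactly the value that reached
// is16Bit() in the reported crash.
static const Codec* codecForName(const std::string& name) {
    static const std::map<std::string, Codec> table = {
        {"UTF-16",           {MibUtf16}},
        {"UTF-16BE",         {MibUtf16BE}},
        {"UTF-16LE",         {MibUtf16LE}},
        {"ISO-10646-UCS-2",  {MibUcs2}},
        {"UTF-8",            {MibUtf8}},
        {"ISO-8859-1",       {MibLatin1}},
    };
    auto it = table.find(name);
    return it == table.end() ? nullptr : &it->second;
}

// Shared body of the predicate: true for the UTF-16/UCS-2 family.
static bool mibIs16Bit(int mib) {
    switch (mib) {
    case MibUtf16:
    case MibUtf16BE:
    case MibUtf16LE:
    case MibUcs2:
        return true;
    default:
        return false;
    }
}

// Original shape: dereferences codec unconditionally. Calling this with a
// null pointer is undefined behaviour (a SIGSEGV in practice).
static bool is16BitUnchecked(const Codec* codec) {
    return mibIs16Bit(codec->mibEnum());
}

// Guarded shape, as suggested in the comment above: a null codec is simply
// "not 16-bit" and the detector keeps going.
static bool is16BitChecked(const Codec* codec) {
    if (!codec) return false;
    return mibIs16Bit(codec->mibEnum());
}

// Result of analysing a declared charset name (constructed for the example).
struct Analysis {
    const Codec* codec;  // codec actually used
    bool fellBack;       // true if the declared name was unknown
    bool is16Bit;
};

// A caller that never forwards a null codec: an unknown declared charset
// falls back to a known default and is reported as such.
static Analysis analyzeCharset(const std::string& declared) {
    const Codec* codec = codecForName(declared);
    bool fellBack = false;
    if (!codec) {
        codec = codecForName("ISO-8859-1");
        fellBack = true;
    }
    return {codec, fellBack, is16BitChecked(codec)};
}

int main() {
    const char* names[] = {"UTF-16LE", "UTF-8", "x-bogus-charset"};
    for (const char* n : names) {
        Analysis a = analyzeCharset(n);
        std::printf("%-16s mib=%d fallback=%d is16Bit=%d\n",
                    n, a.codec->mibEnum(), a.fellBack, a.is16Bit);
    }
    return 0;
}
```

The checked predicate is the one-line fix; the fallback in analyzeCharset() is the second half a reviewer would ask for, since silently treating an unknown charset as "not 16-bit" still leaves the caller with a null codec to use later.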
It's fixed in kdelibs-4.3.0-6; for more info please take a look at https://bugs.kde.org/199557
qscintilla-2.4-4.fc11, kdebindings-4.3.0-4.fc11.1, kdelibs-4.3.0-6.fc11, kdeartwork-4.3.0-2.fc11, kdebase-workspace-4.3.0-8.fc11, kdeedu-4.3.0-5.fc11, kdepim-4.3.0-4.fc11, kdeplasma-addons-4.3.0-8.fc11, libmsn-4.0-0.12.beta7.fc11, PyKDE-3.16.3-1.fc11, PyQt4-4.5.4-1.fc11, PyQt-3.18.1-1.fc11, sip-4.8.2-1.fc11, kdeaccessibility-4.3.0-3.fc11, kdeadmin-4.3.0-1.fc11, kdebase-4.3.0-1.fc11, kdegames-4.3.0-2.fc11, kdegraphics-4.3.0-1.fc11, kdelibs-experimental-4.3.0-1.fc11, kdemultimedia-4.3.0-1.fc11, kdenetwork-4.3.0-1.fc11, kdepim-runtime-4.3.0-1.fc11, kdepimlibs-4.3.0-2.fc11, kdesdk-4.3.0-1.fc11, kdetoys-4.3.0-1.fc11, kdeutils-4.3.0-3.fc11, kde-plasma-stasks-0.5.1-6.fc11, soprano-2.3.0-2.fc11, strigi-0.7.0-1.fc11, akonadi-1.2.0-1.fc11, kdegames3-3.5.10-6.fc11, kde-i18n-3.5.10-9.fc11, kde-l10n-4.3.0-1.fc11, oxygen-icon-theme-4.3.0-1.fc11, digikam-0.10.0-2.fc11, kdebase-runtime-4.3.0-4.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update qscintilla kdebindings kdelibs kdeartwork kdebase-workspace kdeedu kdepim kdeplasma-addons libmsn PyKDE PyQt4 PyQt sip kdeaccessibility kdeadmin kdebase kdegames kdegraphics kdelibs-experimental kdemultimedia kdenetwork kdepim-runtime kdepimlibs kdesdk kdetoys kdeutils kde-plasma-stasks soprano strigi akonadi kdegames3 kde-i18n kde-l10n oxygen-icon-theme digikam kdebase-runtime'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8368
qscintilla-2.4-4.fc10, kdebase-workspace-4.3.0-9.fc10, kdeedu-4.3.0-6.fc10, kdelibs-4.3.0-6.fc10, kdeartwork-4.3.0-2.fc10, kdepim-4.3.0-4.fc10, kdeplasma-addons-4.3.0-8.fc10, qzion-0.4.0-1.fc10, qedje-0.4.0-1.fc10, libmsn-4.0-0.12.beta7.fc10, PyKDE-3.16.3-1.fc10, PyQt4-4.5.4-1.fc10, PyQt-3.18.1-1.fc10, sip-4.8.2-1.fc10, kdeaccessibility-4.3.0-3.fc10, kdeadmin-4.3.0-1.fc10, kdebase-4.3.0-1.fc10, kdegames-4.3.0-2.fc10, kdegraphics-4.3.0-1.fc10, kdelibs-experimental-4.3.0-1.fc10, kdemultimedia-4.3.0-1.fc10, kdenetwork-4.3.0-1.fc10, kdepim-runtime-4.3.0-1.fc10, kdepimlibs-4.3.0-2.fc10, kdesdk-4.3.0-1.fc10, kdetoys-4.3.0-1.fc10, kdeutils-4.3.0-3.fc10, kde-plasma-stasks-0.5.1-6.fc10, soprano-2.3.0-2.fc10, strigi-0.7.0-1.fc10, akonadi-1.2.0-1.fc10, kdegames3-3.5.10-6.fc10, kde-i18n-3.5.10-9.fc10, kde-l10n-4.3.0-1.fc10, oxygen-icon-theme-4.3.0-1.fc10, digikam-0.10.0-2.fc10, kdebase-runtime-4.3.0-4.fc10, kdebindings-4.3.0-4.fc10.1 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
qscintilla-2.4-4.fc11, kdebindings-4.3.0-4.fc11.1, kdebase-workspace-4.3.0-9.fc11, kdeedu-4.3.0-6.fc11, kdelibs-4.3.0-6.fc11, kdeartwork-4.3.0-2.fc11, kdepim-4.3.0-4.fc11, kdeplasma-addons-4.3.0-8.fc11, libmsn-4.0-0.12.beta7.fc11, PyKDE-3.16.3-1.fc11, PyQt4-4.5.4-1.fc11, PyQt-3.18.1-1.fc11, sip-4.8.2-1.fc11, kdeaccessibility-4.3.0-3.fc11, kdeadmin-4.3.0-1.fc11, kdebase-4.3.0-1.fc11, kdegames-4.3.0-2.fc11, kdegraphics-4.3.0-1.fc11, kdelibs-experimental-4.3.0-1.fc11, kdemultimedia-4.3.0-1.fc11, kdenetwork-4.3.0-1.fc11, kdepim-runtime-4.3.0-1.fc11, kdepimlibs-4.3.0-2.fc11, kdesdk-4.3.0-1.fc11, kdetoys-4.3.0-1.fc11, kdeutils-4.3.0-3.fc11, kde-plasma-stasks-0.5.1-6.fc11, soprano-2.3.0-2.fc11, strigi-0.7.0-1.fc11, akonadi-1.2.0-1.fc11, kdegames3-3.5.10-6.fc11, kde-i18n-3.5.10-9.fc11, kde-l10n-4.3.0-1.fc11, oxygen-icon-theme-4.3.0-1.fc11, digikam-0.10.0-2.fc11, kdebase-runtime-4.3.0-4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.