Bug 518016 - kdelibs: NULL pointer dereference in i18n input stream decoder
Summary: kdelibs: NULL pointer dereference in i18n input stream decoder
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kdelibs
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Than Ngo
QA Contact: Fedora Extras Quality Assurance
URL: http://www.milw0rm.com/exploits/6367
Reported: 2009-08-18 13:42 UTC by Jan Lieskovsky
Modified: 2014-08-29 07:13 UTC (History)

Fixed In Version: 2.4-4.fc11
Doc Type: Bug Fix
Last Closed: 2009-08-25 04:45:08 UTC


Attachments
Downloaded reproducer (1.47 KB, application/x-gzip), 2009-08-18 13:50 UTC, Jan Lieskovsky


Links
KDE Software Compilation bug 199557 (https://bugs.kde.org/199557)

Description Jan Lieskovsky 2009-08-18 13:42:27 UTC
A NULL pointer dereference was found in the way kdelibs used to detect
HTML page encoding based on input stream decoding. Opening a certain HTML
page would lead to denial of service (konqueror crash).

Comment 2 Jan Lieskovsky 2009-08-18 13:46:51 UTC
This issue does NOT affect the versions of kdelibs package, as shipped
with Red Hat Enterprise Linux 3, 4, or 5.

This issue affects the versions of kdelibs package, as shipped with
Fedora 10 and 11.

Please fix.

Comment 3 Jan Lieskovsky 2009-08-18 13:50:16 UTC
Created attachment 357800 [details]
Downloaded reproducer

Scenario:
--------
1, tar xvzf 2008-chrome.tgz
2, konqueror chrome/Chrome\ SaveAs\ Poc.html

Comment 4 Jan Lieskovsky 2009-08-18 13:55:41 UTC
F10 kdelibs-4.2.4-6.fc10 gdb output:

Core was generated by `konqueror --nocrashhandler Chrome SaveAs Poc.html'.
Program terminated with signal 11, Segmentation fault.
[New process 6268]
#0  is16Bit (codec=0x0) at /usr/src/debug/kdelibs-4.2.4/kdecore/localization/kencodingdetector.cpp:62
62	    switch (codec->mibEnum())
(gdb) info args
codec = (class QTextCodec *) 0x0
(gdb) bt
#0  is16Bit (codec=0x0) at /usr/src/debug/kdelibs-4.2.4/kdecore/localization/kencodingdetector.cpp:62
#1  0x0422634f in KEncodingDetector::analyze (this=0x9b8bda8, data=0x9b68ba0 "��<", len=12550)
    at /usr/src/debug/kdelibs-4.2.4/kdecore/localization/kencodingdetector.cpp:914
#2  0x04227b49 in KEncodingDetector::decodeWithBuffering (this=0x9b8bda8, data=0x9b68ba0 "��<", len=12550)
    at /usr/src/debug/kdelibs-4.2.4/kdecore/localization/kencodingdetector.cpp:802
...

Relevant function (kdelibs-4.2.4/kdecore/localization/kencodingdetector.cpp):

static bool is16Bit(QTextCodec* codec)
{
    // codec is dereferenced unconditionally; the backtrace above shows it arriving as 0x0
    switch (codec->mibEnum())
    {
    case MibUtf16:
    case MibUtf16BE:
    case MibUtf16LE:
    case MibUcs2:
        return true;
    default:
        return false;
    }
}

Comment 5 Jan Lieskovsky 2009-08-18 13:57:06 UTC
And relevant valgrind output:
-----------------------------
...
==6115== Invalid read of size 4
==6115==    at 0x487E726: kencodingprober::UnicodeGroupProber::HandleData(char const*, unsigned) (UnicodeGroupProber.cpp:86)
==6115==    by 0x487F34E: KEncodingDetector::analyze(char const*, int) (CharDistribution.h:55)
==6115==    by 0x4880B48: kencodingprober::nsMBCSGroupProber::~nsMBCSGroupProber() (nsMBCSGroupProber.cpp:58)
==6115==    by 0xAB1334D: QVector<QString>::append(QString const&) (qstring.h:711)
==6115==    by 0xAB14D02: KHTMLPartBrowserExtension::copy() (khtml_ext.cpp:209)
==6115==    by 0xAB31536: KHTMLPart::qt_metacall(QMetaObject::Call, int, void**) (khtmlfind.cpp:505)
==6115==    by 0x3ECD6B7: QList<QObjectPrivate::Connection>::detach_helper() (qlist.h:357)
==6115==    by 0x3ECE341: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobjectcleanuphandler.cpp:116)
==6115==    by 0x72B0D68: KIO::TransferJob::data(KIO::Job*, QByteArray const&) (qlist.h:667)
==6115==    by 0x72B1671: KIO::storedHttpPost(QByteArray const&, KUrl const&, QFlags<KIO::JobFlag>) (job.cpp:1435)
==6115==    by 0x72BB8E4: KIO::TransferJobPrivate::~TransferJobPrivate() (qmap.h:157)
==6115==    by 0x3ECD6B7: QList<QObjectPrivate::Connection>::detach_helper() (qlist.h:357)
==6115==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
KCrash: Application 'konqueror' crashing...
sock_file=/root/.kde/socket-dhcp-lab164.englab.brq.redhat.com/kdeinit4__0

Comment 7 Kevin Kofler 2009-08-18 15:05:08 UTC
Looks like adding:
    if (!codec)
        return false;
before the offending line should fix this.
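
As an added example (not kdelibs or Qt code, and not the attached reproducer), the following stand-alone C++ models the codec handling that KEncodingDetector::analyze() performs around is16Bit(): a small Codec struct stands in for QTextCodec, codecForName() stands in for QTextCodec::codecForName() and returns NULL for a name it does not know, and sniffCodec() is a crude sniffing step (byte-order mark first, then a charset= declaration). The unchecked is16Bit from the report is kept beside the guarded version from the comment above, and inputIs16Bit() shows that with the guard an undetermined codec yields "not 16-bit" instead of a segfault. The trigger used here (a charset name the table does not know) is an assumption chosen for illustration; the report does not say why the reproducer produced a NULL codec.

```cpp
// Added example, not kdelibs/Qt code. Models the NULL-codec path in
// KEncodingDetector::analyze() and the guard proposed in the bug.
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// IANA MIB numbers: the values QTextCodec::mibEnum() returns and that
// kencodingdetector.cpp switches on.
enum { MibLatin1 = 4, MibUtf8 = 106, MibUcs2 = 1000, MibUtf16BE = 1013,
       MibUtf16LE = 1014, MibUtf16 = 1015 };

struct Codec {               // minimal QTextCodec stand-in
    const char* name;
    int mib;
    int mibEnum() const { return mib; }
};

static bool sameNameCI(const char* a, const std::string& b) {
    if (std::strlen(a) != b.size()) return false;
    for (size_t i = 0; i < b.size(); ++i)
        if (std::tolower((unsigned char)a[i]) != std::tolower((unsigned char)b[i]))
            return false;
    return true;
}

// Stand-in for QTextCodec::codecForName(): NULL for an unknown name.
static const Codec* codecForName(const std::string& name) {
    static const Codec table[] = {
        {"UTF-8", MibUtf8}, {"UTF-16", MibUtf16}, {"UTF-16BE", MibUtf16BE},
        {"UTF-16LE", MibUtf16LE}, {"ISO-10646-UCS-2", MibUcs2},
        {"ISO-8859-1", MibLatin1},
    };
    for (const Codec& c : table)
        if (sameNameCI(c.name, name)) return &c;
    return nullptr;
}

// The function as it stood in kdelibs 4.2.4: dereferences codec unconditionally.
static bool is16BitUnchecked(const Codec* codec) {
    switch (codec->mibEnum()) {
    case MibUtf16: case MibUtf16BE: case MibUtf16LE: case MibUcs2: return true;
    default: return false;
    }
}

// The same function with the guard suggested in the comment above.
static bool is16Bit(const Codec* codec) {
    if (!codec)
        return false;
    return is16BitUnchecked(codec);
}

// Crude stand-in for the detector's sniffing step: a byte-order mark wins,
// otherwise the first charset=... declaration is looked up by name. Both
// "no declaration" and "unknown name" (assumed trigger) yield NULL.
static const Codec* sniffCodec(const char* data, size_t len) {
    const unsigned char* p = reinterpret_cast<const unsigned char*>(data);
    if (len >= 2 && p[0] == 0xFF && p[1] == 0xFE) return codecForName("UTF-16LE");
    if (len >= 2 && p[0] == 0xFE && p[1] == 0xFF) return codecForName("UTF-16BE");
    if (len >= 3 && p[0] == 0xEF && p[1] == 0xBB && p[2] == 0xBF) return codecForName("UTF-8");
    std::string s(data, len);
    size_t pos = s.find("charset=");
    if (pos == std::string::npos) return nullptr;
    pos += std::strlen("charset=");
    if (pos < s.size() && (s[pos] == '"' || s[pos] == '\'')) ++pos;
    size_t end = pos;
    while (end < s.size() && std::strchr("\"' >;", s[end]) == nullptr) ++end;
    return codecForName(s.substr(pos, end - pos));
}

// What analyze() effectively asks of the sniffed codec. With the guard, an
// undetermined codec answers "not 16-bit" instead of crashing.
static bool inputIs16Bit(const char* data, size_t len) {
    return is16Bit(sniffCodec(data, len));
}

// Constructed inputs for the demonstration, not the attached reproducer.
static const char kUtf16Page[] = { '\xFF', '\xFE', '<', 0, 'h', 0, 't', 0, 'm', 0, 'l', 0, '>', 0 };
static const char kUtf8Page[]  = "<meta charset=\"utf-8\"><html>";
static const char kBogusPage[] = "<meta charset=\"x-no-such-charset\"><html>";

int main() {
    std::printf("utf16 bom : %d\n", inputIs16Bit(kUtf16Page, sizeof kUtf16Page));       // 1
    std::printf("utf-8 meta: %d\n", inputIs16Bit(kUtf8Page, sizeof kUtf8Page - 1));     // 0
    std::printf("bogus meta: %d\n", inputIs16Bit(kBogusPage, sizeof kBogusPage - 1));   // 0, no crash
    return 0;
}
```

Calling is16BitUnchecked() on the third input is what the gdb session above shows (codec=0x0 at the switch); the guarded is16Bit() turns the same input into a plain "false", which is the behaviour the fix in kdelibs-4.3.0-6 provides.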

Comment 8 Than Ngo 2009-08-20 13:50:15 UTC
it's fixed in kdelibs-4.3.0-6, for more infos please take a look at
https://bugs.kde.org/199557

Comment 9 Fedora Update System 2009-08-22 00:57:48 UTC
qscintilla-2.4-4.fc11, kdebindings-4.3.0-4.fc11.1, kdelibs-4.3.0-6.fc11, kdeartwork-4.3.0-2.fc11, kdebase-workspace-4.3.0-8.fc11, kdeedu-4.3.0-5.fc11, kdepim-4.3.0-4.fc11, kdeplasma-addons-4.3.0-8.fc11, libmsn-4.0-0.12.beta7.fc11, PyKDE-3.16.3-1.fc11, PyQt4-4.5.4-1.fc11, PyQt-3.18.1-1.fc11, sip-4.8.2-1.fc11, kdeaccessibility-4.3.0-3.fc11, kdeadmin-4.3.0-1.fc11, kdebase-4.3.0-1.fc11, kdegames-4.3.0-2.fc11, kdegraphics-4.3.0-1.fc11, kdelibs-experimental-4.3.0-1.fc11, kdemultimedia-4.3.0-1.fc11, kdenetwork-4.3.0-1.fc11, kdepim-runtime-4.3.0-1.fc11, kdepimlibs-4.3.0-2.fc11, kdesdk-4.3.0-1.fc11, kdetoys-4.3.0-1.fc11, kdeutils-4.3.0-3.fc11, kde-plasma-stasks-0.5.1-6.fc11, soprano-2.3.0-2.fc11, strigi-0.7.0-1.fc11, akonadi-1.2.0-1.fc11, kdegames3-3.5.10-6.fc11, kde-i18n-3.5.10-9.fc11, kde-l10n-4.3.0-1.fc11, oxygen-icon-theme-4.3.0-1.fc11, digikam-0.10.0-2.fc11, kdebase-runtime-4.3.0-4.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update qscintilla kdebindings kdelibs kdeartwork kdebase-workspace kdeedu kdepim kdeplasma-addons libmsn PyKDE PyQt4 PyQt sip kdeaccessibility kdeadmin kdebase kdegames kdegraphics kdelibs-experimental kdemultimedia kdenetwork kdepim-runtime kdepimlibs kdesdk kdetoys kdeutils kde-plasma-stasks soprano strigi akonadi kdegames3 kde-i18n kde-l10n oxygen-icon-theme digikam kdebase-runtime'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8368

Comment 10 Fedora Update System 2009-08-25 04:34:28 UTC
qscintilla-2.4-4.fc10, kdebase-workspace-4.3.0-9.fc10, kdeedu-4.3.0-6.fc10, kdelibs-4.3.0-6.fc10, kdeartwork-4.3.0-2.fc10, kdepim-4.3.0-4.fc10, kdeplasma-addons-4.3.0-8.fc10, qzion-0.4.0-1.fc10, qedje-0.4.0-1.fc10, libmsn-4.0-0.12.beta7.fc10, PyKDE-3.16.3-1.fc10, PyQt4-4.5.4-1.fc10, PyQt-3.18.1-1.fc10, sip-4.8.2-1.fc10, kdeaccessibility-4.3.0-3.fc10, kdeadmin-4.3.0-1.fc10, kdebase-4.3.0-1.fc10, kdegames-4.3.0-2.fc10, kdegraphics-4.3.0-1.fc10, kdelibs-experimental-4.3.0-1.fc10, kdemultimedia-4.3.0-1.fc10, kdenetwork-4.3.0-1.fc10, kdepim-runtime-4.3.0-1.fc10, kdepimlibs-4.3.0-2.fc10, kdesdk-4.3.0-1.fc10, kdetoys-4.3.0-1.fc10, kdeutils-4.3.0-3.fc10, kde-plasma-stasks-0.5.1-6.fc10, soprano-2.3.0-2.fc10, strigi-0.7.0-1.fc10, akonadi-1.2.0-1.fc10, kdegames3-3.5.10-6.fc10, kde-i18n-3.5.10-9.fc10, kde-l10n-4.3.0-1.fc10, oxygen-icon-theme-4.3.0-1.fc10, digikam-0.10.0-2.fc10, kdebase-runtime-4.3.0-4.fc10, kdebindings-4.3.0-4.fc10.1 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2009-08-25 04:44:03 UTC
qscintilla-2.4-4.fc11, kdebindings-4.3.0-4.fc11.1, kdebase-workspace-4.3.0-9.fc11, kdeedu-4.3.0-6.fc11, kdelibs-4.3.0-6.fc11, kdeartwork-4.3.0-2.fc11, kdepim-4.3.0-4.fc11, kdeplasma-addons-4.3.0-8.fc11, libmsn-4.0-0.12.beta7.fc11, PyKDE-3.16.3-1.fc11, PyQt4-4.5.4-1.fc11, PyQt-3.18.1-1.fc11, sip-4.8.2-1.fc11, kdeaccessibility-4.3.0-3.fc11, kdeadmin-4.3.0-1.fc11, kdebase-4.3.0-1.fc11, kdegames-4.3.0-2.fc11, kdegraphics-4.3.0-1.fc11, kdelibs-experimental-4.3.0-1.fc11, kdemultimedia-4.3.0-1.fc11, kdenetwork-4.3.0-1.fc11, kdepim-runtime-4.3.0-1.fc11, kdepimlibs-4.3.0-2.fc11, kdesdk-4.3.0-1.fc11, kdetoys-4.3.0-1.fc11, kdeutils-4.3.0-3.fc11, kde-plasma-stasks-0.5.1-6.fc11, soprano-2.3.0-2.fc11, strigi-0.7.0-1.fc11, akonadi-1.2.0-1.fc11, kdegames3-3.5.10-6.fc11, kde-i18n-3.5.10-9.fc11, kde-l10n-4.3.0-1.fc11, oxygen-icon-theme-4.3.0-1.fc11, digikam-0.10.0-2.fc11, kdebase-runtime-4.3.0-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
