I grabbed qemu-kvm 0.12.3-7.fc13 (and related packages) from koji and installed them on F12. They work, but qemu frequently crashes when I (re)connect VNC.

The command line is:

qemu-kvm -smp cores=4,threads=1 -m 3096 -uuid <uuid here> -net nic,model=virtio,macaddr=<mac here> -net tap,ifname=vmtap0,script=no,downscript=no -drive file=raw.img,index=0,media=disk -drive index=2,media=cdrom -monitor unix:/home/luto/vm/control,server,nowait -vga std -vnc localhost:1,password -usbdevice tablet

Here's the crash.

*** glibc detected *** qemu-kvm: double free or corruption (!prev): 0x0000000001f39d50 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3d09c74a76]
qemu-kvm[0x4cf1a3]
qemu-kvm[0x445577]
qemu-kvm[0x4cf6ce]
qemu-kvm[0x4d038b]
qemu-kvm[0x40baef]
qemu-kvm[0x427afa]
qemu-kvm[0x40ea96]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3d09c1eb1d]
qemu-kvm[0x408a69]
======= Memory map: ========
00400000-0063f000 r-xp 00000000 fd:04 84897 /usr/bin/qemu-kvm 0083e000-0085f000 rw-p 0023e000 fd:04 84897 /usr/bin/qemu-kvm 0085f000-00c66000 rw-p 00000000 00:00 0 00eff000-01ede000 rw-p 00000000 00:00 0 01ede000-01eee000 rw-p 00000000 00:00 0 01eee000-02a2d000 rw-p 00000000 00:00 0 35ede00000-35ede01000 r-xp 00000000 fd:04 87727 /lib64/libaio.so.1.0.1 35ede01000-35ee000000 ---p 00001000 fd:04 87727 /lib64/libaio.so.1.0.1 35ee000000-35ee001000 rw-p 00000000 fd:04 87727 /lib64/libaio.so.1.0.1 3767e00000-3767e04000 r-xp 00000000 fd:04 31178 /lib64/libuuid.so.1.3.0 3767e04000-3768003000 ---p 00004000 fd:04 31178 /lib64/libuuid.so.1.3.0 3768003000-3768004000 rw-p 00003000 fd:04 31178 /lib64/libuuid.so.1.3.0 3768200000-3768207000 r-xp 00000000 fd:04 40706 /usr/lib64/libSM.so.6.0.0 3768207000-3768407000 ---p 00007000 fd:04 40706 /usr/lib64/libSM.so.6.0.0 3768407000-3768408000 rw-p 00007000 fd:04 40706 /usr/lib64/libSM.so.6.0.0 3768600000-3768603000 r-xp 00000000 fd:04 19455 /usr/lib64/libpulse-simple.so.0.0.3 3768603000-3768803000 ---p 00003000 fd:04 19455 /usr/lib64/libpulse-simple.so.0.0.3 
3768803000-3768804000 rw-p 00003000 fd:04 19455 /usr/lib64/libpulse-simple.so.0.0.3 376b200000-376b241000 r-xp 00000000 fd:04 40722 /usr/lib64/libpulse.so.0.12.2 376b241000-376b440000 ---p 00041000 fd:04 40722 /usr/lib64/libpulse.so.0.12.2 376b440000-376b442000 rw-p 00040000 fd:04 40722 /usr/lib64/libpulse.so.0.12.2 376ba00000-376ba4e000 r-xp 00000000 fd:04 40721 /usr/lib64/libpulsecommon-0.9.21.so 376ba4e000-376bc4d000 ---p 0004e000 fd:04 40721 /usr/lib64/libpulsecommon-0.9.21.so 376bc4d000-376bc4f000 rw-p 0004d000 fd:04 40721 /usr/lib64/libpulsecommon-0.9.21.so 3921a00000-3921a2d000 r-xp 00000000 fd:04 123524 /usr/lib64/libvorbis.so.0.4.3 3921a2d000-3921c2c000 ---p 0002d000 fd:04 123524 /usr/lib64/libvorbis.so.0.4.3 3921c2c000-3921c2d000 rw-p 0002c000 fd:04 123524 /usr/lib64/libvorbis.so.0.4.3 3921e00000-3921fc3000 r-xp 00000000 fd:04 8263 /usr/lib64/libvorbisenc.so.2.0.6 3921fc3000-39221c3000 ---p 001c3000 fd:04 8263 /usr/lib64/libvorbisenc.so.2.0.6 39221c3000-39221da000 rw-p 001c3000 fd:04 8263 /usr/lib64/libvorbisenc.so.2.0.6 3922200000-392225e000 r-xp 00000000 fd:04 111135 /usr/lib64/libsndfile.so.1.0.20 392225e000-392245d000 ---p 0005e000 fd:04 111135 /usr/lib64/libsndfile.so.1.0.20 392245d000-3922460000 rw-p 0005d000 fd:04 111135 /usr/lib64/libsndfile.so.1.0.20 3922460000-3922464000 rw-p 00000000 00:00 0 3aabc00000-3aabc16000 r-xp 00000000 fd:04 10986 /lib64/libgcc_s-4.4.3-20100127.so.1 3aabc16000-3aabe15000 ---p 00016000 fd:04 10986 /lib64/libgcc_s-4.4.3-20100127.so.1 3aabe15000-3aabe16000 rw-p 00015000 fd:04 10986 /lib64/libgcc_s-4.4.3-20100127.so.1 3cf9c00000-3cf9d39000 r-xp 00000000 fd:04 16952 /usr/lib64/libX11.so.6.3.0 3cf9d39000-3cf9f39000 ---p 00139000 fd:04 16952 /usr/lib64/libX11.so.6.3.0 3cf9f39000-3cf9f3f000 rw-p 00139000 fd:04 16952 /usr/lib64/libX11.so.6.3.0 3cfa000000-3cfa01b000 r-xp 00000000 fd:04 16685 /usr/lib64/libxcb.so.1.1.0 3cfa01b000-3cfa21a000 ---p 0001b000 fd:04 16685 /usr/lib64/libxcb.so.1.1.0 3cfa21a000-3cfa21b000 rw-p 0001a000 
fd:04 16685 /usr/lib64/libxcb.so.1.1.0 3cfa800000-3cfa811000 r-xp 00000000 fd:04 17050 /usr/lib64/libXext.so.6.4.0 3cfa811000-3cfaa11000 ---p 00011000 fd:04 17050 /usr/lib64/libXext.so.6.4.0 3cfaa11000-3cfaa12000 rw-p 00011000 fd:04 17050 /usr/lib64/libXext.so.6.4.0 3cfac00000-3cfac0b000 r-xp 00000000 fd:04 79727 /usr/lib64/libpci.so.3.1.6 3cfac0b000-3cfae0b000 ---p 0000b000 fd:04 79727 /usr/lib64/libpci.so.3.1.6 3cfae0b000-3cfae0c000 rw-p 0000b000 fd:04 79727 /usr/lib64/libpci.so.3.1.6 3cfb800000-3cfb80f000 r-xp 00000000 fd:04 22619 /usr/lib64/libXi.so.6.1.0 3cfb80f000-3cfba0e000 ---p 0000f000 fd:04 22619 /usr/lib64/libXi.so.6.1.0 3cfba0e000-3cfba0f000 rw-p 0000e000 fd:04 22619 /usr/lib64/libXi.so.6.1.0 3cff600000-3cff605000 r-xp 00000000 fd:04 31066 /usr/lib64/libXtst.so.6.1.0 3cff605000-3cff805000 ---p 00005000 fd:04 31066 /usr/lib64/libXtst.so.6.1.0 3cff805000-3cff806000 rw-p 00005000 fd:04 31066 /usr/lib64/libXtst.so.6.1.0 3d04000000-3d040e3000 r-xp 00000000 fd:04 16757 /lib64/libasound.so.2.0.0 3d040e3000-3d042e2000 ---p 000e3000 fd:04 16757 /lib64/libasound.so.2.0.0 3d042e2000-3d042ea000 rw-p 000e2000 fd:04 16757 /lib64/libasound.so.2.0.0 3d09800000-3d0981e000 r-xp 00000000 fd:04 8327 /lib64/ld-2.11.1.so 3d09a1d000-3d09a1e000 r--p 0001d000 fd:04 8327 /lib64/ld-2.11.1.so 3d09a1e000-3d09a1f000 rw-p 0001e000 fd:04 8327 /lib64/ld-2.11.1.so 3d09a1f000-3d09a20000 rw-p 00000000 00:00 0 3d09c00000-3d09d6f000 r-xp 00000000 fd:04 8420 /lib64/libc-2.11.1.so 3d09d6f000-3d09f6f000 ---p 0016f000 fd:04 8420 /lib64/libc-2.11.1.so 3d09f6f000-3d09f73000 r--p 0016f000 fd:04 8420 /lib64/libc-2.11.1.so 3d09f73000-3d09f74000 rw-p 00173000 fd:04 8420 /lib64/libc-2.11.1.so
Bah. The same bug's there in 0.11.0-13.fc12. The dump is at the bottom of this comment, and here's some analysis.

0x4c66e5 is in vnc_disconnect_finish (vnc.c:917).

912 static void vnc_disconnect_finish(VncState *vs)
913 {
914     qemu_del_timer(vs->timer);
915     qemu_free_timer(vs->timer);
916     if (vs->input.buffer) qemu_free(vs->input.buffer);
917     if (vs->output.buffer) qemu_free(vs->output.buffer);
918 #ifdef CONFIG_VNC_TLS
919     vnc_tls_client_cleanup(vs);
920 #endif /* CONFIG_VNC_TLS */
921 #ifdef CONFIG_VNC_SASL

I think that vnc_disconnect_finish was a tail call from vnc_client_read.

I trigger this by connecting and disconnecting using TigerVNC on Windows as a client, with -vga std and 1400x1050 resolution in a Windows 7 guest.

======= Backtrace: =========
/lib64/libc.so.6[0x3d09c74a76]
qemu-kvm[0x4c66e5]
qemu-kvm[0x40a6c7]
qemu-kvm[0x4231aa]
qemu-kvm[0x40f157]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3d09c1eb1d]
qemu-kvm[0x408479]
======= Memory map: ========
00400000-0062b000 r-xp 00000000 fd:04 83694 /usr/bin/qemu-kvm 0082b000-00833000 rw-p 0022b000 fd:04 83694 /usr/bin/qemu-kvm 00833000-00c3f000 rw-p 00000000 00:00 0 01902000-02f56000 rw-p 00000000 00:00 0 [heap] 3767e00000-3767e04000 r-xp 00000000 fd:04 31178 /lib64/libuuid.so.1.3.0 3767e04000-3768003000 ---p 00004000 fd:04 31178 /lib64/libuuid.so.1.3.0 3768003000-3768004000 rw-p 00003000 fd:04 31178 /lib64/libuuid.so.1.3.0 3768200000-3768207000 r-xp 00000000 fd:04 40706 /usr/lib64/libSM.so.6.0.0 3768207000-3768407000 ---p 00007000 fd:04 40706 /usr/lib64/libSM.so.6.0.0 3768407000-3768408000 rw-p 00007000 fd:04 40706 /usr/lib64/libSM.so.6.0.0 3768600000-3768603000 r-xp 00000000 fd:04 19455 /usr/lib64/libpulse-simple.so.0.0.3 3768603000-3768803000 ---p 00003000 fd:04 19455 /usr/lib64/libpulse-simple.so.0.0.3 3768803000-3768804000 rw-p 00003000 fd:04 19455 /usr/lib64/libpulse-simple.so.0.0.3 376b200000-376b241000 r-xp 00000000 fd:04 40722 /usr/lib64/libpulse.so.0.12.2 376b241000-376b440000 ---p 00041000 fd:04 40722 
/usr/lib64/libpulse.so.0.12.2 376b440000-376b442000 rw-p 00040000 fd:04 40722 /usr/lib64/libpulse.so.0.12.2 376ba00000-376ba4e000 r-xp 00000000 fd:04 40721 /usr/lib64/libpulsecommon-0.9.21.so 376ba4e000-376bc4d000 ---p 0004e000 fd:04 40721 /usr/lib64/libpulsecommon-0.9.21.so 376bc4d000-376bc4f000 rw-p 0004d000 fd:04 40721 /usr/lib64/libpulsecommon-0.9.21.so 3921a00000-3921a2d000 r-xp 00000000 fd:04 123524 /usr/lib64/libvorbis.so.0.4.3 3921a2d000-3921c2c000 ---p 0002d000 fd:04 123524 /usr/lib64/libvorbis.so.0.4.3 3921c2c000-3921c2d000 rw-p 0002c000 fd:04 123524 /usr/lib64/libvorbis.so.0.4.3 3921e00000-3921fc3000 r-xp 00000000 fd:04 8263 /usr/lib64/libvorbisenc.so.2.0.6 3921fc3000-39221c3000 ---p 001c3000 fd:04 8263 /usr/lib64/libvorbisenc.so.2.0.6 39221c3000-39221da000 rw-p 001c3000 fd:04 8263 /usr/lib64/libvorbisenc.so.2.0.6 3922200000-392225e000 r-xp 00000000 fd:04 111135 /usr/lib64/libsndfile.so.1.0.20 392225e000-392245d000 ---p 0005e000 fd:04 111135 /usr/lib64/libsndfile.so.1.0.20 392245d000-3922460000 rw-p 0005d000 fd:04 111135 /usr/lib64/libsndfile.so.1.0.20 3922460000-3922464000 rw-p 00000000 00:00 0 3aabc00000-3aabc16000 r-xp 00000000 fd:04 10986 /lib64/libgcc_s-4.4.3-20100127.so.1 3aabc16000-3aabe15000 ---p 00016000 fd:04 10986 /lib64/libgcc_s-4.4.3-20100127.so.1 3aabe15000-3aabe16000 rw-p 00015000 fd:04 10986 /lib64/libgcc_s-4.4.3-20100127.so.1 3cf9c00000-3cf9d39000 r-xp 00000000 fd:04 16952 /usr/lib64/libX11.so.6.3.0 3cf9d39000-3cf9f39000 ---p 00139000 fd:04 16952 /usr/lib64/libX11.so.6.3.0 3cf9f39000-3cf9f3f000 rw-p 00139000 fd:04 16952 /usr/lib64/libX11.so.6.3.0 3cfa000000-3cfa01b000 r-xp 00000000 fd:04 16685 /usr/lib64/libxcb.so.1.1.0 3cfa01b000-3cfa21a000 ---p 0001b000 fd:04 16685 /usr/lib64/libxcb.so.1.1.0 3cfa21a000-3cfa21b000 rw-p 0001a000 fd:04 16685 /usr/lib64/libxcb.so.1.1.0 3cfa800000-3cfa811000 r-xp 00000000 fd:04 17050 /usr/lib64/libXext.so.6.4.0 3cfa811000-3cfaa11000 ---p 00011000 fd:04 17050 /usr/lib64/libXext.so.6.4.0 3cfaa11000-3cfaa12000 
rw-p 00011000 fd:04 17050 /usr/lib64/libXext.so.6.4.0 3cfac00000-3cfac0b000 r-xp 00000000 fd:04 79727 /usr/lib64/libpci.so.3.1.6 3cfac0b000-3cfae0b000 ---p 0000b000 fd:04 79727 /usr/lib64/libpci.so.3.1.6 3cfae0b000-3cfae0c000 rw-p 0000b000 fd:04 79727 /usr/lib64/libpci.so.3.1.6 3cfb800000-3cfb80f000 r-xp 00000000 fd:04 22619 /usr/lib64/libXi.so.6.1.0 3cfb80f000-3cfba0e000 ---p 0000f000 fd:04 22619 /usr/lib64/libXi.so.6.1.0 3cfba0e000-3cfba0f000 rw-p 0000e000 fd:04 22619 /usr/lib64/libXi.so.6.1.0 3cff600000-3cff605000 r-xp 00000000 fd:04 31066 /usr/lib64/libXtst.so.6.1.0 3cff605000-3cff805000 ---p 00005000 fd:04 31066 /usr/lib64/libXtst.so.6.1.0 3cff805000-3cff806000 rw-p 00005000 fd:04 31066 /usr/lib64/libXtst.so.6.1.0 3d04000000-3d040e3000 r-xp 00000000 fd:04 16757 /lib64/libasound.so.2.0.0 3d040e3000-3d042e2000 ---p 000e3000 fd:04 16757 /lib64/libasound.so.2.0.0 3d042e2000-3d042ea000 rw-p 000e2000 fd:04 16757 /lib64/libasound.so.2.0.0 3d09800000-3d0981e000 r-xp 00000000 fd:04 8327 /lib64/ld-2.11.1.so 3d09a1d000-3d09a1e000 r--p 0001d000 fd:04 8327 /lib64/ld-2.11.1.so 3d09a1e000-3d09a1f000 rw-p 0001e000 fd:04 8327 /lib64/ld-2.11.1.so 3d09a1f000-3d09a20000 rw-p 00000000 00:00 0 3d09c00000-3d09d6f000 r-xp 00000000 fd:04 8420 /lib64/libc-2.11.1.so 3d09d6f000-3d09f6f000 ---p 0016f000 fd:04 8420 /lib64/libc-2.11.1.so 3d09f6f000-3d09f73000 r--p 0016f000 fd:04 8420 /lib64/libc-2.11.1.so 3d09f73000-3d09f74000 rw-p 00173000 fd:04 8420 /lib64/libc-2.11.1.so 3d09f74000-3d09f79000 rw-p 00000000 00:00 0 3d0a000000-3d0a083000 r-xp 00000000 fd:04 14203 /lib64/libm-2.11.1.so 3d0a083000-3d0a282000 ---p 00083000 fd:04 14203 /lib64/libm-2.11.1.so 3d0a282000-3d0a283000 r--p 00082000 fd:04 14203 /lib64/libm-2.11.1.so 3d0a283000-3d0a284000 rw-p 00083000 fd:04 14203 /lib64/libm-2.11.1.so 3d0a400000-3d0a402000 r-xp 00000000 fd:04 12866 /lib64/libdl-2.11.1.so[1]+
Is this still happening for you with qemu-0.12.3 in either the F-12 updates-testing or virt-preview repositories, or in F-13?
The bug is there in Avi's qemu-kvm.git from a few minutes ago. I won't be able to test the other repo packages, but I would imagine they're identical to 0.12.3-7.fc13 in koji, which is where I originally saw the bug.
What I meant to say was: I won't be able to test other packages for a while because yum is busy with other stuff right now.
I've reproduced the crash in updates-testing.

$ rpm -qa |grep qemu
qemu-system-x86-0.12.3-2.fc12.x86_64
gpxe-roms-qemu-0.9.9-1.20091018git.fc12.noarch
qemu-spice-83-2.fc12.x86_64
qemu-common-0.12.3-2.fc12.x86_64
qemu-kvm-0.12.3-2.fc12.x86_64

Changing the screen resolution seems to be the best way to trigger this.

Here's the crash from upstream qemu-kvm:

*** glibc detected *** /home/luto/apps/qemu-kvm/x86_64-softmmu/qemu-system-x86_64: double free or corruption (!prev): 0x00000000019d8570 ***

backtrace:
#3  0x00007ffff722fa56 in malloc_printerr () from /lib64/libc.so.6
#4  0x00000000004a3c7d in vnc_dpy_resize (ds=0x1939ed0) at vnc.c:525
#5  0x0000000000582437 in dpy_resize (opaque=0x1929318) at /home/luto/apps/qemu-kvm/console.h:224
#6  vga_draw_graphic (opaque=0x1929318) at /home/luto/apps/qemu-kvm/hw/vga.c:1725
#7  vga_update_display (opaque=0x1929318) at /home/luto/apps/qemu-kvm/hw/vga.c:1937
#8  0x00000000004a5ed4 in vnc_refresh (opaque=0x197a410) at vnc.c:2362
#9  0x00000000004a882e in qemu_run_timers (clock=<value optimized out>) at qemu-timer.c:579
#10 0x00000000004a88a8 in qemu_run_all_timers () at qemu-timer.c:711
#11 0x0000000000418739 in main_loop_wait (nonblocking=<value optimized out>) at /home/luto/apps/qemu-kvm/vl.c:2027
#12 0x000000000042a757 in kvm_main_loop () at /home/luto/apps/qemu-kvm/qemu-kvm.c:2033
#13 0x000000000041c659 in main_loop (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /home/luto/apps/qemu-kvm/vl.c:2055
#14 main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /home/luto/apps/qemu-kvm/vl.c:4010

The crash was at qemu_free(vd->server->data) in vnc_dpy_resize.
[and clearing needinfo]
Thanks for the detailed report. Let's see if we can track this down.
static void vnc_dpy_resize(DisplayState *ds)
{
    int size_changed;
    VncDisplay *vd = ds->opaque;
    VncState *vs;

    /* server surface */
    if (!vd->server)
        vd->server = qemu_mallocz(sizeof(*vd->server));
    if (vd->server->data)
        qemu_free(vd->server->data);
    ....

It's possible that vd->server->data might be freed earlier (and not set to NULL, as is the case here), and gets free'd again.
Lesson of the day: valgrind is always (or at least almost always) right. The connection, disconnection, and double-free warnings were red herrings. The real bug is that vnc_refresh_server_surface assumes that the display width is a multiple of 16. If it's not, then it accesses beyond the end of the row by a few bytes. On all but the last row, this is mostly harmless (it can result in unnecessarily marking the end of the row dirty), but on the last row, it copies over heap metadata. The offending resolution is 1400x1050.
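The following is an added illustration of the defect described in this comment, not code from QEMU or from the reporter. It models a row of the server surface being compared against the guest framebuffer in 16-pixel stripes: the naive scan always handles a full stripe, so when the width is not a multiple of 16 the last stripe reads and writes past the end of the row, and on the last row past the end of the allocation. A guard region stands in for the heap metadata that really follows the buffer, which is exactly what glibc later reports as "double free or corruption". Bytes per pixel (4), the stripe width (16) and the guard pattern are assumptions of this model, not values taken from vnc.c; the clamped variant shows the fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BPP        4    /* bytes per pixel: an assumption for this model */
#define STRIPE     16   /* pixels per dirty-scan step, as in the comment above */
#define GUARD_BYTE 0xA5 /* stands in for heap metadata after the row */

/* Bytes a full-stripe compare/copy touches past the end of a row of
 * 'width' pixels; zero when width is a multiple of STRIPE. */
size_t stripe_overrun_bytes(int width)
{
    int rem = width % STRIPE;
    return rem ? (size_t)(STRIPE - rem) * BPP : 0;
}

/* Naive one-row scan: every stripe is assumed to be STRIPE pixels wide.
 * This is the defect: on the last stripe of a row whose width is not a
 * multiple of STRIPE, both the memcmp and the memcpy run past width*BPP. */
static void scan_row_naive(uint8_t *server, const uint8_t *guest, int width)
{
    for (int x = 0; x < width; x += STRIPE) {
        size_t n = STRIPE * BPP;
        if (memcmp(server + x * BPP, guest + x * BPP, n) != 0)
            memcpy(server + x * BPP, guest + x * BPP, n);
    }
}

/* Fixed scan: clamp the last stripe to the pixels that actually remain. */
static void scan_row_clamped(uint8_t *server, const uint8_t *guest, int width)
{
    for (int x = 0; x < width; x += STRIPE) {
        int px = (width - x < STRIPE) ? width - x : STRIPE;
        size_t n = (size_t)px * BPP;
        if (memcmp(server + x * BPP, guest + x * BPP, n) != 0)
            memcpy(server + x * BPP, guest + x * BPP, n);
    }
}

/* Harness: put a guard region right after a 'width'-pixel server row, run one
 * scan with every guest pixel changed, and return how many guard bytes were
 * overwritten. Both buffers carry a full stripe of slack so the naive scan's
 * over-read stays inside memory we own; in the real server the slack is the
 * allocator's metadata. Returns -1 on allocation failure. */
int guard_bytes_clobbered(int width, int use_clamped)
{
    size_t row   = (size_t)width * BPP;
    size_t slack = STRIPE * BPP;
    uint8_t *server = malloc(row + slack);
    uint8_t *guest  = malloc(row + slack);
    if (!server || !guest) { free(server); free(guest); return -1; }

    memset(server, 0x00, row);               /* server copy: all black */
    memset(server + row, GUARD_BYTE, slack); /* guard after the row */
    memset(guest, 0xFF, row + slack);        /* guest changed every pixel */

    if (use_clamped)
        scan_row_clamped(server, guest, width);
    else
        scan_row_naive(server, guest, width);

    int clobbered = 0;
    for (size_t i = 0; i < slack; i++)
        if (server[row + i] != GUARD_BYTE)
            clobbered++;

    free(server);
    free(guest);
    return clobbered;
}

int main(void)
{
    int widths[] = { 1024, 1400 }; /* 1024 % 16 == 0; 1400 is the reporter's width */
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        int w = widths[i];
        printf("width %4d: predicted overrun %2zu bytes, naive clobbers %2d, clamped clobbers %d\n",
               w, stripe_overrun_bytes(w), guard_bytes_clobbered(w, 0),
               guard_bytes_clobbered(w, 1));
    }
    return 0;
}
```

With 1400 pixels the last stripe holds only 8 pixels, so the naive scan overwrites 32 bytes of the guard while the clamped scan touches none; at 1024 pixels neither variant overruns, which is why only certain resolutions trigger the crash. Running the naive variant under valgrind reports the same invalid read/write that led to the diagnosis above.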
Created attachment 411468 [details] Hacky patch for testing This patch sort of fixes the problem. I say "sort of" because it's rather ugly, slows down something that's presumably a somewhat hot path, and leaves a black strip on the right side of the screen when the width isn't a multiple of 16. But that black line was already there. There's also some debugging code in the patch. I've emailed qemu-devel, but I don't think it's made it through moderation yet.
Upstream bug: https://bugs.launchpad.net/qemu/+bug/575887 This bug may be exploitable by a guest that can turn a 15-byte heap overrun into code execution. Presumably the guest has enough control over the 15 bytes past the end of its framebuffer to control what gets written.
This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.