Wireshark-bugs: [Wireshark-bugs] [Bug 11774] New: Crash in Manage Interfaces -> Pipes

Date: Wed, 25 Nov 2015 14:13:56 +0000
Bug ID 11774
Summary Crash in Manage Interfaces -> Pipes
Product Wireshark
Version 2.0.0
Hardware All
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component Qt UI
Assignee [email protected]
Reporter [email protected]
CC [email protected]

Build Information:
Wireshark 2.1.0 (v2.1.0rc0-749-g12b2e3d from master)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.5.1, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with libz 1.2.8, with GLib 2.46.2, without SMI, without c-ares,
without ADNS, with Lua 5.2, with GnuTLS 3.4.6, with Gcrypt 1.6.4, with MIT
Kerberos, with GeoIP, with QtMultimedia, without AirPcap.

Running on Linux 4.3.0-1-ARCH, with locale C, with libpcap version 1.7.4, with
libz 1.2.8, with GnuTLS 3.4.6, with Gcrypt 1.6.4.
Intel(R) Core(TM) i5 CPU       M 560  @ 2.67GHz (with SSE4.2)

Built using clang 4.2.1 Compatible Clang 3.7.0 (tags/RELEASE_370/final).
--
(originally reported by an IRC user in #wireshark at Freenode who provided a gdb
backtrace and the reproduction steps)

Steps to reproduce:
 1. Open Capture -> Options
 2. Open Manage Interfaces, tab Pipes.
 3. Click the plus button (add pipe)
 4. Click the minus button (remove pipe).
 5. Crash.

The crash occurs because ManageInterfacesDialog::on_delPipe_clicked destructs a
QTreeWidgetItem which had an open editor. When this item is destructed, a
destroyed signal is raised which triggers stopEditor. However, this item was
being destructed and is no longer valid.

Also currently this sequence of events can happen when you keep pressing Add:
createEditor() - sets path_item = X
createEditor() - sets path_item = Y
stopEditor() - uses Y
stopEditor() - uses Y (again!)

The PathChooserDelegate is buggy; it should be decomposed from
ManageInterfacesDialog and use signals instead to avoid this dependency. See
https://doc.qt.io/qt-4.8/qt-itemviews-stardelegate-example.html for a better
implementation.

==5030==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600132b720
at pc 0x561914b46daf bp 0x7ffc6933a370 sp 0x7ffc6933a368
READ of size 8 at 0x60600132b720 thread T0
    #0 0x561914b46dae in PathChooserDelegate::stopEditor()
ui/qt/manage_interfaces_dialog.cpp:841:5
    #1 0x5619151fa984 in PathChooserDelegate::qt_static_metacall(QObject*,
QMetaObject::Call, int, void**)
/tmp/wsbuild/ui/qt/moc_manage_interfaces_dialog.cpp:73:17
    #2 0x7f2f8f424129 in QMetaObject::activate(QObject*, int, int, void**)
(/usr/lib/libQt5Core.so.5+0x2cb129)
    #3 0x7f2f8f4249ce in QObject::destroyed(QObject*)
(/usr/lib/libQt5Core.so.5+0x2cb9ce)
    #4 0x7f2f9016a71c in QWidget::~QWidget()
(/usr/lib/libQt5Widgets.so.5+0x1ba71c)
    #5 0x7f2f9027b938 in QLineEdit::~QLineEdit()
(/usr/lib/libQt5Widgets.so.5+0x2cb938)
    #6 0x7f2f8f42265a in QObjectPrivate::deleteChildren()
(/usr/lib/libQt5Core.so.5+0x2c965a)
    #7 0x7f2f9016a76f in QWidget::~QWidget()
(/usr/lib/libQt5Widgets.so.5+0x1ba76f)
    #8 0x7f2f9016a948 in QWidget::~QWidget()
(/usr/lib/libQt5Widgets.so.5+0x1ba948)
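
The createEditor()/stopEditor() sequence from the report, reduced to a Qt-free C++ model. This is an added example, not Wireshark code; `SingleSlotDelegate`, `PerEditorDelegate`, `Item`, `Editor` and the sample paths are hypothetical. It contrasts one shared `path_item` slot with per-editor state that holds only a weak reference, so a commit for a removed row is dropped instead of dereferenced.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

struct Item { std::string name, path; };   // stands in for a tree row
struct Editor { std::string text; };       // stands in for the open line edit
// Pattern from the report: one shared slot, overwritten by each createEditor().
struct SingleSlotDelegate {
    Item *path_item = nullptr;
    void createEditor(Item *item) { path_item = item; }
    std::string stopEditor(const Editor &e) {   // returns the row written to
        path_item->path = e.text;
        return path_item->name;
    }
};

// Alternative: state keyed by editor, holding only a weak reference to the row.
struct PerEditorDelegate {
    std::map<const Editor *, std::weak_ptr<Item>> owner;
    void createEditor(const Editor *e, const std::shared_ptr<Item> &item) { owner[e] = item; }
    std::string stopEditor(const Editor &e) {   // returns "" if the row is gone
        auto it = owner.find(&e);
        if (it == owner.end()) return "";
        std::shared_ptr<Item> item = it->second.lock();
        owner.erase(it);
        if (!item) return "";                   // row deleted: nothing to write
        item->path = e.text;
        return item->name;
    }
};

std::vector<std::string> run_single_slot() {
    Item x{"X", ""}, y{"Y", ""};
    Editor ex{"/tmp/x"}, ey{"/tmp/y"};          // constructed sample input
    SingleSlotDelegate d;
    d.createEditor(&x); d.createEditor(&y);     // second call overwrites the slot
    return {d.stopEditor(ex), d.stopEditor(ey), x.path, y.path};
}

std::vector<std::string> run_per_editor() {
    auto x = std::make_shared<Item>(Item{"X", ""});
    auto y = std::make_shared<Item>(Item{"Y", ""});
    Editor ex{"/tmp/x"}, ey{"/tmp/y"};
    PerEditorDelegate d;
    d.createEditor(&ex, x); d.createEditor(&ey, y);
    y.reset();                                  // row Y removed, editor still open
    return {d.stopEditor(ex), d.stopEditor(ey), x->path};
}

int main() { return run_single_slot()[0] == "Y" && run_per_editor()[1].empty() ? 0 : 1; }
```

In the single-slot run both commits land on Y and X is never updated; in the per-editor run X receives its own path and the commit for the removed row is skipped.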

