Univention Bugzilla – Bug 43051
italc 3.0 segfault in screenshot()
Last modified: 2016-12-12 13:10:14 CET
The segfault occurs during creation of a screenshot of a teachers computer.
Created attachment 8242 [details] patch
#0 qRed (rgb=<error reading variable: Cannot access memory at address 0x9785000>) at ../../../../include/QtGui/../../src/gui/painting/qrgb.h:58 #1 write_jpeg_image (image=..., device=0x7f1029d3ba6c, sourceQuality=-1) at ../../../gui/image/qjpeghandler.cpp:660 #2 0x00007f1086207472 in QImageWriter::write (this=0x7f1029cf6880, image=...) at image/qimagewriter.cpp:606
Created attachment 8254 [details] Reproducer I have a reproducible way to trigger this segfault: * Change the screen resolution of a client during the "watch"-mode. I extracted a single script to trigger the segfault. See attachment. The cause is in lib/src/ItalcVncConnection.cpp: The method ItalcVncConnection::hookNewClient(rfbClient *cl) does basically this: ItalcVncConnection * t = (ItalcVncConnection *) rfbClientGetClientData(cl, 0); if (t->m_frameBuffer) delete [] t->m_frameBuffer; t->m_frameBuffer = new uint8_t[size]; cl->frameBuffer = t->m_frameBuffer; memset(cl->frameBuffer, '\0', size); → So cl->frameBuffer gets replaces with a new buffer, the old buffer gets deleted. We are using the image() method (which returns this->m_image) to receive an QImage "img". Then we are calling img->save(path, "JPG") and the segfault occurs. The ItalcVncConnection::hookUpdateFB(rfbClient *cl) it the one who sets this->m_image to QImage img(cl->frameBuffer, cl->width, cl->height, QImage::Format_RGB32). So cl->frameBuffer which gets deleted later in a concurrent thread is given to the QImage. My proposed solution is to copy the image when setting it. I am currently unsure about the memory handling of C++/QT so I asked Tobias via mail about my patch: diff --git a/lib/src/ItalcVncConnection.cpp b/lib/src/ItalcVncConnection.cpp index 4fd55be..05749c6 100644 --- a/lib/src/ItalcVncConnection.cpp +++ b/lib/src/ItalcVncConnection.cpp @@ -449,7 +449,7 @@ void ItalcVncConnection::setImage( const QImage & img ) { » m_imgLock.lockForWrite(); » const QSize oldSize = m_image.size(); -» m_image = img; +» m_image = img.copy(img.rect()); » m_imgLock.unlock(); » if( img.size() != oldSize )
ucs-school-umc-computerroom.yaml: r74780 | YAML Bug #43044 Bug #43051 italc.yaml: r74780 | YAML Bug #43044 Bug #43051 italc (2:2.0.25-15): r74990 | Bug #43051: fix segfaults during screenshot creation r74988 | Bug #43051: fix segfaults during screenshot creation r74767 | Bug #43051: revert patch r74762 | Bug #43044 / Bug #43051: fix segfaults ucs-school-umc-computerroom (8.0.13-1): r74778 | Bug #43051: enhance screenshot creation ucs-school-italc.yaml: r74780 | YAML Bug #43044 Bug #43051
New upstream commit: https://github.com/iTALC/italc/commit/039386fec2c6cf990ef17ab1a7ecc84bf05f3eea
(In reply to Florian Best from comment #7) > New upstream commit: > https://github.com/iTALC/italc/commit/ > 039386fec2c6cf990ef17ab1a7ecc84bf05f3eea This commit is only compatible with QT 5. Nevertheless all my pull requests are now accepted and we are again at the HEAD of the italc-2 branch for the backend italc master process. italc (2:2.0.25-16): r75004 | Bug #43051: fix segfaults during screenshot creation
OK: problem was reproducible OK: code change OK: functional check (problem is solved) OK: packages built (ucs-school-umc-computerroom, italc, python-italc) OK: advisories (applied small changes)
Addition: No memory leak was observed with the "Reproducer" script. No increase in memory usage when requesting large amounts of screenshots or when frequently changing screen resolution. The process size remained constant.
UCS@school 4.1 R2 v9 has been released. http://docs.software-univention.de/changelog-ucsschool-4.1R2v9-de.html