GoSecure / pyrdp

RDP monster-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact
https://www.gosecure.net/blog/2020/10/20/announcing-pyrdp-1/
GNU General Public License v3.0

cacheGlyph Segmentation fault #378

Closed lls115 closed 1 year ago

lls115 commented 2 years ago
```python
from PySide2.QtCore import QSize
from PySide2.QtGui import QBitmap, QImage
from pyrdp.parser.rdp.orders.secondary import Glyph  # pyrdp's parsed glyph type (import path assumed)


class GlyphEntry:
    """Glyph cache entry."""

    def __init__(self, glyph: Glyph):
        """Construct a cache entry from a glyph."""

        # Glyph origin and dimensions.
        self.x = glyph.x
        self.y = glyph.y
        self.w = glyph.w
        self.h = glyph.h
        # Debug output added to see exactly what is handed to Qt right before the crash.
        print("=======================================")
        print(QSize(self.w, self.h), glyph.data, QImage.Format_Mono)
        # This call crashes inside Qt (see the backtrace below).
        self.bitmap = QBitmap.fromData(QSize(self.w, self.h), glyph.data, QImage.Format_Mono)
```
```
DEBUG:pyrdp.player.gdi.draw:<CreateOffscreenBitmap 72x313 Id=0 Del=0>
DEBUG:pyrdp.player.gdi.draw:<SwitchSurface Id=0>
DEBUG:pyrdp.player.gdi.draw:<CreateOffscreenBitmap 1920x36 Id=0 Del=0>
DEBUG:pyrdp.player.gdi.draw:<SwitchSurface Id=0>
DEBUG:pyrdp.player.gdi.draw:<SwitchSurface Id=65535>
DEBUG:pyrdp.player.gdi.draw:<pyrdp.parser.rdp.orders.secondary.CacheGlyph object at 0x7fff8e84f828>
=======================================
PySide2.QtCore.QSize(6, 8) b'\xfc\xfc\xfcxxxxx' PySide2.QtGui.QImage.Format.Format_Mono

Program received signal SIGSEGV, Segmentation fault.
0x00007fff9f8bd458 in makeBitmap(QImage&&, QFlags<Qt::ImageConversionFlag>) [clone .constprop.3] () from /usr/local/lib64/python3.6/site-packages/PySide2/Qt/lib/libQt5Gui.so.5
(gdb) bt
#0  0x00007fff9f8bd458 in makeBitmap(QImage&&, QFlags<Qt::ImageConversionFlag>) [clone .constprop.3] () from /usr/local/lib64/python3.6/site-packages/PySide2/Qt/lib/libQt5Gui.so.5
#1  0x00007fff9f8bd56b in QBitmap::fromImage(QImage&&, QFlags<Qt::ImageConversionFlag>) () from /usr/local/lib64/python3.6/site-packages/PySide2/Qt/lib/libQt5Gui.so.5
#2  0x00007fff9f8bd811 in QBitmap::fromData(QSize const&, unsigned char const*, QImage::Format) () from /usr/local/lib64/python3.6/site-packages/PySide2/Qt/lib/libQt5Gui.so.5
#3  0x00007fff9dfe5da5 in Sbk_QBitmapFunc_fromData () from /usr/local/lib64/python3.6/site-packages/PySide2/QtGui.abi3.so
#4  0x00007ffff79997e7 in _PyCFunction_FastCallDict () from /lib64/libpython3.6m.so.1.0
#5  0x00007ffff7a0514f in call_function () from /lib64/libpython3.6m.so.1.0
#6  0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#7  0x00007ffff7a0626a in _PyFunction_FastCallDict () from /lib64/libpython3.6m.so.1.0
#8  0x00007ffff795bd9e in _PyObject_FastCallDict () from /lib64/libpython3.6m.so.1.0
#9  0x00007ffff795beb1 in _PyObject_Call_Prepend () from /lib64/libpython3.6m.so.1.0
#10 0x00007ffff795bb23 in PyObject_Call () from /lib64/libpython3.6m.so.1.0
#11 0x00007ffff79aec75 in slot_tp_init () from /lib64/libpython3.6m.so.1.0
#12 0x00007ffff79ab632 in type_call () from /lib64/libpython3.6m.so.1.0
#13 0x00007ffff795bd20 in _PyObject_FastCallDict () from /lib64/libpython3.6m.so.1.0
#14 0x00007ffff7a052fc in call_function () from /lib64/libpython3.6m.so.1.0
#15 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#16 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#17 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#18 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#19 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#20 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#21 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#22 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#23 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#24 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#25 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#26 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#27 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#28 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#29 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#30 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#31 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#32 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#33 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#34 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#35 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#36 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#37 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#38 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#39 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#40 0x00007ffff7a044f9 in _PyEval_EvalCodeWithName () from /lib64/libpython3.6m.so.1.0
#41 0x00007ffff7a04fea in fast_function () from /lib64/libpython3.6m.so.1.0
#42 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#43 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#44 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#45 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#46 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#47 0x00007ffff7a055ed in PyEval_EvalCodeEx () from /lib64/libpython3.6m.so.1.0
#48 0x00007ffff7a0610b in PyEval_EvalCode () from /lib64/libpython3.6m.so.1.0
#49 0x00007ffff7a8e53e in run_mod () from /lib64/libpython3.6m.so.1.0
#50 0x00007ffff793ab0d in PyRun_FileExFlags () from /lib64/libpython3.6m.so.1.0
#51 0x00007ffff793aedf in PyRun_SimpleFileExFlags () from /lib64/libpython3.6m.so.1.0
#52 0x00007ffff7a94a32 in Py_Main () from /lib64/libpython3.6m.so.1.0
#53 0x0000000000400ab9 in main ()
(gdb)
```
obilodeau commented 2 years ago

Thanks for your report.

The segfault appears to be in Qt. That said, maybe we are passing bad stuff to it.

Need more information:

lls115 commented 2 years ago
```python
# Inside GlyphEntry.__init__, replacing the QBitmap.fromData() call.
i = QImage(glyph.data, self.w, self.h, QImage.Format_Mono)
self.bitmap = QPixmap.fromImageInPlace(i)
# self.bitmap = QBitmap.fromData(QSize(self.w, self.h), glyph.data, QImage.Format_Mono)
```

With the above code, I get an error: "QPixmap: Must construct a QGuiApplication before a QPixmap".

So I add `app = QApplication(sys.argv)` in `main()`, and the problem is resolved. It is also resolved with:

```python
# Back to the original call, now with a QApplication constructed in main().
# i = QImage(glyph.data, self.w, self.h, QImage.Format_Mono)
# self.bitmap = QPixmap.fromImageInPlace(i)
self.bitmap = QBitmap.fromData(QSize(self.w, self.h), glyph.data, QImage.Format_Mono)
```
securityRoad commented 2 years ago
```python
# Inside GlyphEntry.__init__, replacing the QBitmap.fromData() call.
i = QImage(glyph.data, self.w, self.h, QImage.Format_Mono)
self.bitmap = QPixmap.fromImageInPlace(i)
# self.bitmap = QBitmap.fromData(QSize(self.w, self.h), glyph.data, QImage.Format_Mono)
```

With the above code, I get an error: "QPixmap: Must construct a QGuiApplication before a QPixmap".

So I add `app = QApplication(sys.argv)` in `main()`, and the problem is resolved. It is also resolved with:

```python
# Back to the original call, now with a QApplication constructed in main().
# i = QImage(glyph.data, self.w, self.h, QImage.Format_Mono)
# self.bitmap = QPixmap.fromImageInPlace(i)
self.bitmap = QBitmap.fromData(QSize(self.w, self.h), glyph.data, QImage.Format_Mono)
```

Thank you
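Added example, not pyrdp's own code and not from either commenter: it decodes the glyph printed in the report above (6x8, `b'\xfc\xfc\xfcxxxxx'`, `Format_Mono`) in pure Python, without PySide2, to show that the 8-byte buffer exactly fits a byte-aligned 1-bpp bitmap as `QBitmap.fromData()` expects, and rejects undersized buffers before they could reach Qt. It also computes the stride the `QImage(data, w, h, format)` constructor from the two snippets would use, since that constructor assumes 32-bit-aligned scanlines and therefore needs more bytes than the cached glyph carries.

```python
import math

# Glyph values copied from the debug output in this issue (constructed sample).
GLYPH_W, GLYPH_H = 6, 8
GLYPH_DATA = b"\xfc\xfc\xfcxxxxx"


def mono_stride(width: int, align_bits: int = 8) -> int:
    """Bytes per scanline of a 1-bpp image whose rows are padded to align_bits.

    QBitmap.fromData() reads byte-aligned rows (align_bits=8); the
    QImage(data, w, h, format) constructor assumes 32-bit-aligned rows
    (align_bits=32), so the same buffer is walked with a different stride.
    """
    return math.ceil(width / align_bits) * (align_bits // 8)


def expected_size(width: int, height: int, align_bits: int = 8) -> int:
    """Minimum buffer length Qt would read for the given geometry and alignment."""
    return mono_stride(width, align_bits) * height


def decode_mono(data: bytes, width: int, height: int, align_bits: int = 8) -> list:
    """Decode a Format_Mono (MSB-first) buffer into rows of '#' (set) and '.' (clear).

    Raises ValueError for an undersized buffer instead of letting Qt read past
    the end of the bytes object.
    """
    need = expected_size(width, height, align_bits)
    if len(data) < need:
        raise ValueError(f"glyph {width}x{height} needs {need} bytes, got {len(data)}")
    stride = mono_stride(width, align_bits)
    rows = []
    for y in range(height):
        line = data[y * stride:(y + 1) * stride]
        bits = "".join(f"{b:08b}" for b in line)[:width]  # Format_Mono: MSB first
        rows.append(bits.replace("1", "#").replace("0", "."))
    return rows


if __name__ == "__main__":
    print("\n".join(decode_mono(GLYPH_DATA, GLYPH_W, GLYPH_H)))
    print("bytes needed, byte-aligned:", expected_size(GLYPH_W, GLYPH_H))
    print("bytes needed, 32-bit-aligned:", expected_size(GLYPH_W, GLYPH_H, 32))
```

The decoded rows read as a filled top with a hollow column below, so the data itself is well formed for the byte-aligned call; a length check like this one is what lets a player refuse malformed cache entries from a replay file with a clean error rather than a crash in Qt.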

obilodeau commented 2 years ago

I investigated this a little bit more today and I'm not willing to blindly integrate the suggested fix without context.

Thanks

obilodeau commented 1 year ago

I think I can finally reproduce this bug here with the replay file provided in #428.

obilodeau commented 1 year ago

Likely fixed with #429. Please re-open if it's not the case.