hmatuschek / qdmr

A GUI application for configuring and programming cheap DMR radios under Linux and MacOS X.
https://dm3mat.darc.de/qdmr/
GNU General Public License v3.0

qdmr on RPi4 crashes when writing Anytone AT 878-UV codeplug #228

Closed Ignisleo closed 2 years ago

Ignisleo commented 2 years ago

When trying to write a codeplug to the radio, the application crashes. The radio shows "PC READ" and is stuck there, and the debug log is as follows:

Debug in application.cc@812: Set icon theme to 'light'.
Info in repeaterbookcompleter.cc@302: Cannot open repeater cache '/home/pi/.local/share/DM3MAT/qdmr/repeaterbook.cache.json'.
Debug in userdatabase.cc@124: Loaded user database with 218951 entries from /home/pi/.local/share/DM3MAT/qdmr/user.json.
Debug in talkgroupdatabase.cc@140: Loaded talk group database with 1622 entries from /home/pi/.local/share/DM3MAT/qdmr/talkgroups.json.
Debug in application.cc@103: Last known position: 
Debug in application.cc@155: Create main window using icon theme 'light'.
Debug in application.cc@313: Load codeplug from '/home/pi/amateurfunk/dmr/20220513_dl1ovs.yaml'.
Debug in config.cc@349: Using format version 0.10.2.
Debug in config.cc@398: Set default radio ID to 'DL1OVS'.
Debug in application.cc@412: Last device is invalid, search for new one.
Debug in usbserial.cc@162: Search for serial port with matching VID:PID 28e9:18a.
Debug in usbserial.cc@169: Found ttyACM0 (USB 28e9:18a).
Debug in usbserial.cc@162: Search for serial port with matching VID:PID 1fc9:94.
Debug in hid_libusb.cc@128: Search for HID interfaces matching VID:PID 15a2:73.
Debug in dfu_libusb.cc@156: Search for DFU devices matching VID:PID 483:df11.
Debug in usbdevice.cc@247: Check if serial port ttyACM0 still exisist and has VID:PID 28e9:18a.
Debug in radio.cc@55: Try to detect radio at Serial interface 'ttyACM0'.
Debug in usbserial.cc@90: Try to open Serial interface 'ttyACM0'.
Debug in usbserial.cc@124: Openend serial port ttyACM0 with 115200baud.
Debug in anytone_interface.cc@306: Anytone: In program-mode now.
Debug in anytone_interface.cc@335: Found radio 'D878UV', version 'V100'.
Debug in d878uv_codeplug.cc@2487: Allocate roaming zone at 1043000
malloc(): corrupted top size
Abgebrochen

A previous read operation worked, though; the crash happens when trying to write.

Regards, Oliver

hmatuschek commented 2 years ago

Thanks for the report; for now I cannot reproduce it here. It appears to be an issue with the encoding of the codeplug. Could you check if the command line tool also crashes? It uses the same library. Simply call from a command line

dmrconf encode --radio=d878uv 20220513_dl1ovs.yaml 20220513_dl1ovs_d878uv.dfu

The DFU file then contains the binary encoded codeplug for the D878UV. If it crashes too, could you send me the yaml file?

Ignisleo commented 2 years ago

Tried the dmrconf as suggested, and it crashes as well, error message: malloc(): invalid size (unsorted).

File is attached, had to zip it, because GitHub didn't upload yaml. 20220513_dl1ovs.zip

The file was created by reading the radio. Tried adding the Anruf 2m channel to the BRO-CELzone using qdmr, but didn't save the modification yet, so the file still is the version I got by reading the radio.

Ignisleo commented 2 years ago

Small update: Started looking at the yaml file and tried playing around with it. Found an apparently corrupted entry (line 249). Deleting the line and the entry after that breaks several internal links inside the yaml, but the errors are more parsing errors by now, and not the malloc error anymore:

ERROR in configobject.cc@662: 14788:15: Cannot link reference to 'cont235', element not defined.
ERROR in configobject.cc@1221: 14784:4: Cannot link list.
ERROR in encodecodeplug.cc@73: Cannot parse YAML codeplug 'debug_dl1ovs.yaml':
In configobject.cc:1221: 14784:4: Cannot link list.
 In configobject.cc:662: 14788:15: Cannot link reference to 'cont235', element not defined.

So I count that as progress, somehow. Will try further and keep you informed.

Edit: Tried to declutter the codeplug, and now it works with dmrconf. Deleted lots of zones, the roaming entries, the GPS/APRS entries and the DTMF contacts, which looked suspicious, somehow. Haven't tried programming the radio yet, but the command line tool worked. debug_dl1ovs.yaml.zip

asheplyakov commented 2 years ago

Platform: Raspberry Pi 4, 4GB, Raspberry Pi OS Bullseye (current)

Is this aarch64 (64-bit) or armv7 (32-bit) one?

Ignisleo commented 2 years ago

Still the armv7 (32-bit). Haven't made the switch to the aarch64 version yet, as it still appears in some kind of beta stage.

Ignisleo commented 2 years ago

It works! Yay! Problem was a faulty yaml file. In the original version there were some issues that apparently threw qdmr off track. Especially some zones with both the B channel list and the A channel list empty. Plus some contacts that looked quite suspicious (read: garbled, somehow) in the yaml file. But now it works like a charm. Have included the codeplug I successfully programmed on my radio (zipped as usual due to the import filter of GitHub). Thanks all! 20220522_DL1OVS_neu.zip

asheplyakov commented 2 years ago

I've got the following crash with the initial version of yaml file on x86_64:

$ dmrconf encode --radio=d878uv 20220513_dl1ovs.yaml 20220513_dl1ovs_d878uv.dfu
free(): invalid next size (fast)
Aborted (core dumped)
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007ffff7190538 in __GI_abort () at abort.c:79
#2  0x00007ffff71e8ee7 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff72f9395 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff71f09bc in malloc_printerr (str=str@entry=0x7ffff72fb7f8 "free(): invalid next size (fast)") at malloc.c:5389
#4  0x00007ffff71f1e04 in _int_free (av=0x7ffff732ba00 <main_arena>, p=0x555556a0ee60, have_lock=0) at malloc.c:4281
#5  0x00007ffff7e24f6b in QTypedArrayData<char>::deallocate (data=<optimized out>) at /usr/include/qt5/QtCore/qarraydata.h:236
#6  QByteArray::~QByteArray (this=0x5555565a0ac0, __in_chrg=<optimized out>) at /usr/include/qt5/QtCore/qbytearray.h:495
#7  QByteArray::~QByteArray (this=0x5555565a0ac0, __in_chrg=<optimized out>) at /usr/include/qt5/QtCore/qbytearray.h:495
#8  DFUFile::Element::~Element (this=0x5555565a0ab8, __in_chrg=<optimized out>) at /usr/src/debug/qdmr-0.10.2.2/lib/dfufile.hh:78
#9  QVector<DFUFile::Element>::destruct (to=0x5555565a0c38, from=0x5555565a0ab8, this=<optimized out>) at /usr/include/qt5/QtCore/qvector.h:366
#10 QVector<DFUFile::Element>::freeData (this=0x5555565ce740, x=0x555556599120) at /usr/include/qt5/QtCore/qvector.h:578
#11 QVector<DFUFile::Element>::~QVector (this=0x5555565ce740, __in_chrg=<optimized out>) at /usr/include/qt5/QtCore/qvector.h:73
#12 QVector<DFUFile::Element>::~QVector (this=0x5555565ce740, __in_chrg=<optimized out>) at /usr/include/qt5/QtCore/qvector.h:73
#13 DFUFile::Image::~Image (this=0x5555565ce728, __in_chrg=<optimized out>) at /usr/src/debug/qdmr-0.10.2.2/lib/dfufile.cc:452
#14 0x00007ffff7e70dcc in QVector<DFUFile::Image>::destruct (to=0x5555565ce760, from=0x5555565ce760, this=<optimized out>) at /usr/include/qt5/QtCore/qvector.h:366
#15 QVector<DFUFile::Image>::freeData (this=0x7fffffffe130, x=0x5555565ce710) at /usr/include/qt5/QtCore/qvector.h:578
#16 QVector<DFUFile::Image>::~QVector (this=0x7fffffffe130, __in_chrg=<optimized out>) at /usr/include/qt5/QtCore/qvector.h:73
#17 QVector<DFUFile::Image>::~QVector (this=0x7fffffffe130, __in_chrg=<optimized out>) at /usr/include/qt5/QtCore/qvector.h:73
#18 DFUFile::~DFUFile (this=0x7fffffffe120, __in_chrg=<optimized out>) at /usr/src/debug/qdmr-0.10.2.2/lib/dfufile.hh:72
#19 Codeplug::~Codeplug (this=0x7fffffffe120, __in_chrg=<optimized out>) at /usr/src/debug/qdmr-0.10.2.2/lib/codeplug.cc:629
#20 0x00005555555676bd in D868UVCodeplug::~D868UVCodeplug (this=0x7fffffffe120, __in_chrg=<optimized out>) at /usr/src/debug/qdmr-0.10.2.2/lib/d868uv_codeplug.hh:189
#21 D878UVCodeplug::~D878UVCodeplug (this=0x7fffffffe120, __in_chrg=<optimized out>) at /usr/src/debug/qdmr-0.10.2.2/lib/d878uv_codeplug.hh:228
#22 D578UVCodeplug::~D578UVCodeplug (this=0x7fffffffe120, __in_chrg=<optimized out>) at /usr/src/debug/qdmr-0.10.2.2/lib/d578uv_codeplug.hh:191
#23 encodeCodeplug (parser=..., app=...) at /usr/src/debug/qdmr-0.10.2.2/cli/encodecodeplug.cc:171
#24 0x00005555555613d7 in main (argc=<optimized out>, argv=0x7fffffffe2e0) at /usr/src/debug/qdmr-0.10.2.2/cli/main.cc:174

Ignisleo commented 2 years ago

Hm. Would be interesting which line of the codeplug caused it to fail. Have a couple of DTMF contacts that look strange, somehow, in 20220513_dl1ovs.yaml line 233 ff.:

  - dtmf: {id: cont208, name: DB0FS-R, ring: false, number: ""}
  - dtmf: {id: cont209, name: "\x01", ring: false, number: ""}
  - dtmf: {id: cont210, name: Pegasus Projekt, ring: false, number: ""}
  - dtmf: {id: cont211, name: "\x01", ring: false, number: 7112800000000006506567617375732050726#6A656B7400000000004D000000010000003000000031000000100000005746400000}
  - dtmf: {id: cont212, name: DD3XK, ring: false, number: ""}
  - dtmf: {id: cont213, name: "\x01", ring: false, number: ""}
  - dtmf: {id: cont214, name: DL5HAW, ring: false, number: ""}
  - dtmf: {id: cont215, name: "\x01", ring: false, number: ""}
  - dtmf: {id: cont216, name: DB0WTV-R Wilhh, ring: false, number: 2757030000000006444230584A2D5220537461646500000020006000000000064442305754562D522057696C686800000000}
  - dtmf: {id: cont217, name: "\x01", ring: false, number: 20006000000000064442305754562D522057696C68680000000000004D00000001000000300000003100000010000000900542000000}
  - dtmf: {id: cont218, name: DB0HHH-R, ring: false, number: ""}
  - dtmf: {id: cont219, name: "\x01", ring: false, number: ""}
  - dtmf: {id: cont220, name: DB0BHV-R Brmhv, ring: false, number: ""}
  - dtmf: {id: cont221, name: "\x01", ring: false, number: 95708500000000064442304248562D522042726D68760000000000004D000000010000003000000031000000100000001838900000000}
  - dtmf: {id: cont222, name: DB0HEL-R Helgol, ring: false, number: ""}
  - dtmf: {id: cont223, name: "\x01", ring: false, number: 870062000000000644423048454C2D522048656C676#6C00000000004D00000001000000300000003100000010000000354399000000}
  - dtmf: {id: cont224, name: World Conf, ring: false, number: ""}
  - dtmf: {id: cont225, name: "\x01", ring: false, number: ""}
  - dtmf: {id: cont226, name: DB0CUX-R Cuxh, ring: false, number: 99990000000000044563686#6C696*6B205465737400000070480000000000044442304355582D522043757868000000000000004D000000010}
  - dtmf: {id: cont227, name: "\x01", ring: false, number: 70480000000000044442304355582D522043757868000000000000004D00000001000000300000003100000010000000476660000000000544423045}
  - dtmf: {id: cont228, name: DB0HFT-R Brm, ring: false, number: 47666000000000054442304542572D522042726D7600000052827600000000064442304846542D522042726D00000000000000004D000}
  - dtmf: {id: cont229, name: "\x01", ring: false, number: 52827600000000064442304846542D522042726D00000000000000004D000000010000003000000031000000100000005390550000000}
  - dtmf: {id: cont230, name: DB0OL-R Oldenb, ring: false, number: 5390550000000006444230485A4C2D52205261747A65620088067500000000064442304#4C2D52204#6C64656*620000000000004D0000000100}
  - dtmf: {id: cont231, name: "\x01", ring: false, number: 88067500000000064442304#4C2D52204#6C64656*620000000000004D0000000100000030000000310000001000000043464}
  - dtmf: {id: cont232, name: DB0XN-R Bredstd, ring: false, number: 43464200000000064442305444522D52204D5650000000007079080000000006444230584*2D5220}
  - dtmf: {id: cont233, name: "\x01", ring: false, number: 7079080000000006444230584*2D52204272656473746400000000004D000000010000003000000031000000100000004561}
  - dtmf: {id: cont234, name: ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ, ring: false, number: 456150000000000553656C2D5275662034353631350000000}

The names with the \x01 look weird, as does the last name. The codeplug was created by reading the radio.

Will step by step try modifying the codeplug until it eventually works like the last one, maybe there is a clue in there.

asheplyakov commented 2 years ago

valgrind is somewhat unhappy about dmrconf:

==1947531== ERROR SUMMARY: 1213 errors from 6 contexts (suppressed: 0 from 0)
==1947531== 
==1947531== 26 errors in context 1 of 6:
==1947531== Invalid write of size 1
==1947531==    at 0x4A92F54: Codeplug::Element::writeASCII(unsigned int, QString const&, unsigned int, unsigned char) (codeplug.cc:514)
==1947531==    by 0x4B0C751: AnytoneCodeplug::DTMFContactElement::setName(QString const&) (anytone_codeplug.cc:1002)
==1947531==    by 0x4B0C8B8: AnytoneCodeplug::DTMFContactElement::fromContact(DTMFContact const*) (anytone_codeplug.cc:1013)
==1947531==    by 0x4B1B9F8: D868UVCodeplug::encodeAnalogContacts(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d868uv_codeplug.cc:908)
==1947531==    by 0x4B1A6A6: D868UVCodeplug::encodeElements(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d868uv_codeplug.cc:661)
==1947531==    by 0x4B2D6DD: D878UVCodeplug::encodeElements(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d878uv_codeplug.cc:2194)
==1947531==    by 0x4B1A491: D868UVCodeplug::encode(Config*, Codeplug::Flags const&, ErrorStack const&) (d868uv_codeplug.cc:634)
==1947531==    by 0x127D49: encodeCodeplug(QCommandLineParser&, QCoreApplication&) (encodecodeplug.cc:147)
==1947531==    by 0x11E214: main (main.cc:174)
==1947531==  Address 0xb8561e0 is 7 bytes after a block of size 73 alloc'd
==1947531==    at 0x4843839: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1947531==    by 0x4EF7290: QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.2)
==1947531==    by 0x4F42CD8: QByteArray::QByteArray(int, char) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.2)
==1947531==    by 0x4A47B18: DFUFile::Element::Element(unsigned int, unsigned int) (dfufile.cc:282)
==1947531==    by 0x4A4921A: DFUFile::Image::addElement(unsigned int, unsigned int, int) (dfufile.cc:524)
==1947531==    by 0x4B1B8B1: D868UVCodeplug::allocateAnalogContacts() (d868uv_codeplug.cc:892)
==1947531==    by 0x4B19C69: D868UVCodeplug::allocateForEncoding() (d868uv_codeplug.cc:547)
==1947531==    by 0x4B2D467: D878UVCodeplug::allocateForEncoding() (d878uv_codeplug.cc:2155)
==1947531==    by 0x127D25: encodeCodeplug(QCommandLineParser&, QCoreApplication&) (encodecodeplug.cc:146)
==1947531==    by 0x11E214: main (main.cc:174)
==1947531== 
==1947531== 
==1947531== 169 errors in context 2 of 6:
==1947531== Invalid write of size 1
==1947531==    at 0x4A92F66: Codeplug::Element::writeASCII(unsigned int, QString const&, unsigned int, unsigned char) (codeplug.cc:516)
==1947531==    by 0x4B0C751: AnytoneCodeplug::DTMFContactElement::setName(QString const&) (anytone_codeplug.cc:1002)
==1947531==    by 0x4B0C8B8: AnytoneCodeplug::DTMFContactElement::fromContact(DTMFContact const*) (anytone_codeplug.cc:1013)
==1947531==    by 0x4B1B9F8: D868UVCodeplug::encodeAnalogContacts(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d868uv_codeplug.cc:908)
==1947531==    by 0x4B1A6A6: D868UVCodeplug::encodeElements(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d868uv_codeplug.cc:661)
==1947531==    by 0x4B2D6DD: D878UVCodeplug::encodeElements(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d878uv_codeplug.cc:2194)
==1947531==    by 0x4B1A491: D868UVCodeplug::encode(Config*, Codeplug::Flags const&, ErrorStack const&) (d868uv_codeplug.cc:634)
==1947531==    by 0x127D49: encodeCodeplug(QCommandLineParser&, QCoreApplication&) (encodecodeplug.cc:147)
==1947531==    by 0x11E214: main (main.cc:174)
==1947531==  Address 0xb8561e2 is 9 bytes after a block of size 73 alloc'd
==1947531==    at 0x4843839: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1947531==    by 0x4EF7290: QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.2)
==1947531==    by 0x4F42CD8: QByteArray::QByteArray(int, char) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.2)
==1947531==    by 0x4A47B18: DFUFile::Element::Element(unsigned int, unsigned int) (dfufile.cc:282)
==1947531==    by 0x4A4921A: DFUFile::Image::addElement(unsigned int, unsigned int, int) (dfufile.cc:524)
==1947531==    by 0x4B1B8B1: D868UVCodeplug::allocateAnalogContacts() (d868uv_codeplug.cc:892)
==1947531==    by 0x4B19C69: D868UVCodeplug::allocateForEncoding() (d868uv_codeplug.cc:547)
==1947531==    by 0x4B2D467: D878UVCodeplug::allocateForEncoding() (d878uv_codeplug.cc:2155)
==1947531==    by 0x127D25: encodeCodeplug(QCommandLineParser&, QCoreApplication&) (encodecodeplug.cc:146)
==1947531==    by 0x11E214: main (main.cc:174)
==1947531== 
==1947531== 
==1947531== 252 errors in context 3 of 6:
==1947531== Invalid write of size 1
==1947531==    at 0x4B0C6BB: AnytoneCodeplug::DTMFContactElement::setNumber(QString const&) (anytone_codeplug.cc:992)
==1947531==    by 0x4B0C881: AnytoneCodeplug::DTMFContactElement::fromContact(DTMFContact const*) (anytone_codeplug.cc:1012)
==1947531==    by 0x4B1B9F8: D868UVCodeplug::encodeAnalogContacts(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d868uv_codeplug.cc:908)
==1947531==    by 0x4B1A6A6: D868UVCodeplug::encodeElements(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d868uv_codeplug.cc:661)
==1947531==    by 0x4B2D6DD: D878UVCodeplug::encodeElements(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d878uv_codeplug.cc:2194)
==1947531==    by 0x4B1A491: D868UVCodeplug::encode(Config*, Codeplug::Flags const&, ErrorStack const&) (d868uv_codeplug.cc:634)
==1947531==    by 0x127D49: encodeCodeplug(QCommandLineParser&, QCoreApplication&) (encodecodeplug.cc:147)
==1947531==    by 0x11E214: main (main.cc:174)
==1947531==  Address 0xb856489 is 0 bytes after a block of size 73 alloc'd
==1947531==    at 0x4843839: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1947531==    by 0x4EF7290: QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.2)
==1947531==    by 0x4F42CD8: QByteArray::QByteArray(int, char) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.2)
==1947531==    by 0x4A47B18: DFUFile::Element::Element(unsigned int, unsigned int) (dfufile.cc:282)
==1947531==    by 0x4A4921A: DFUFile::Image::addElement(unsigned int, unsigned int, int) (dfufile.cc:524)
==1947531==    by 0x4B1B8B1: D868UVCodeplug::allocateAnalogContacts() (d868uv_codeplug.cc:892)
==1947531==    by 0x4B19C69: D868UVCodeplug::allocateForEncoding() (d868uv_codeplug.cc:547)
==1947531==    by 0x4B2D467: D878UVCodeplug::allocateForEncoding() (d878uv_codeplug.cc:2155)
==1947531==    by 0x127D25: encodeCodeplug(QCommandLineParser&, QCoreApplication&) (encodecodeplug.cc:146)
==1947531==    by 0x11E214: main (main.cc:174)
==1947531== 
==1947531== 
==1947531== 252 errors in context 4 of 6:
==1947531== Invalid read of size 1
==1947531==    at 0x4B0C6A2: AnytoneCodeplug::DTMFContactElement::setNumber(QString const&) (anytone_codeplug.cc:992)
==1947531==    by 0x4B0C881: AnytoneCodeplug::DTMFContactElement::fromContact(DTMFContact const*) (anytone_codeplug.cc:1012)
==1947531==    by 0x4B1B9F8: D868UVCodeplug::encodeAnalogContacts(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d868uv_codeplug.cc:908)
==1947531==    by 0x4B1A6A6: D868UVCodeplug::encodeElements(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d868uv_codeplug.cc:661)
==1947531==    by 0x4B2D6DD: D878UVCodeplug::encodeElements(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d878uv_codeplug.cc:2194)
==1947531==    by 0x4B1A491: D868UVCodeplug::encode(Config*, Codeplug::Flags const&, ErrorStack const&) (d868uv_codeplug.cc:634)
==1947531==    by 0x127D49: encodeCodeplug(QCommandLineParser&, QCoreApplication&) (encodecodeplug.cc:147)
==1947531==    by 0x11E214: main (main.cc:174)
==1947531==  Address 0xb856489 is 0 bytes after a block of size 73 alloc'd
==1947531==    at 0x4843839: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1947531==    by 0x4EF7290: QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.2)
==1947531==    by 0x4F42CD8: QByteArray::QByteArray(int, char) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.2)
==1947531==    by 0x4A47B18: DFUFile::Element::Element(unsigned int, unsigned int) (dfufile.cc:282)
==1947531==    by 0x4A4921A: DFUFile::Image::addElement(unsigned int, unsigned int, int) (dfufile.cc:524)
==1947531==    by 0x4B1B8B1: D868UVCodeplug::allocateAnalogContacts() (d868uv_codeplug.cc:892)
==1947531==    by 0x4B19C69: D868UVCodeplug::allocateForEncoding() (d868uv_codeplug.cc:547)
==1947531==    by 0x4B2D467: D878UVCodeplug::allocateForEncoding() (d878uv_codeplug.cc:2155)
==1947531==    by 0x127D25: encodeCodeplug(QCommandLineParser&, QCoreApplication&) (encodecodeplug.cc:146)
==1947531==    by 0x11E214: main (main.cc:174)
==1947531== 
==1947531== 
==1947531== 257 errors in context 5 of 6:
==1947531== Invalid write of size 1
==1947531==    at 0x4B0C641: AnytoneCodeplug::DTMFContactElement::setNumber(QString const&) (anytone_codeplug.cc:990)
==1947531==    by 0x4B0C881: AnytoneCodeplug::DTMFContactElement::fromContact(DTMFContact const*) (anytone_codeplug.cc:1012)
==1947531==    by 0x4B1B9F8: D868UVCodeplug::encodeAnalogContacts(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d868uv_codeplug.cc:908)
==1947531==    by 0x4B1A6A6: D868UVCodeplug::encodeElements(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d868uv_codeplug.cc:661)
==1947531==    by 0x4B2D6DD: D878UVCodeplug::encodeElements(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d878uv_codeplug.cc:2194)
==1947531==    by 0x4B1A491: D868UVCodeplug::encode(Config*, Codeplug::Flags const&, ErrorStack const&) (d868uv_codeplug.cc:634)
==1947531==    by 0x127D49: encodeCodeplug(QCommandLineParser&, QCoreApplication&) (encodecodeplug.cc:147)
==1947531==    by 0x11E214: main (main.cc:174)
==1947531==  Address 0xb856489 is 0 bytes after a block of size 73 alloc'd
==1947531==    at 0x4843839: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1947531==    by 0x4EF7290: QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.2)
==1947531==    by 0x4F42CD8: QByteArray::QByteArray(int, char) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.2)
==1947531==    by 0x4A47B18: DFUFile::Element::Element(unsigned int, unsigned int) (dfufile.cc:282)
==1947531==    by 0x4A4921A: DFUFile::Image::addElement(unsigned int, unsigned int, int) (dfufile.cc:524)
==1947531==    by 0x4B1B8B1: D868UVCodeplug::allocateAnalogContacts() (d868uv_codeplug.cc:892)
==1947531==    by 0x4B19C69: D868UVCodeplug::allocateForEncoding() (d868uv_codeplug.cc:547)
==1947531==    by 0x4B2D467: D878UVCodeplug::allocateForEncoding() (d878uv_codeplug.cc:2155)
==1947531==    by 0x127D25: encodeCodeplug(QCommandLineParser&, QCoreApplication&) (encodecodeplug.cc:146)
==1947531==    by 0x11E214: main (main.cc:174)
==1947531== 
==1947531== 
==1947531== 257 errors in context 6 of 6:
==1947531== Invalid read of size 1
==1947531==    at 0x4B0C626: AnytoneCodeplug::DTMFContactElement::setNumber(QString const&) (anytone_codeplug.cc:990)
==1947531==    by 0x4B0C881: AnytoneCodeplug::DTMFContactElement::fromContact(DTMFContact const*) (anytone_codeplug.cc:1012)
==1947531==    by 0x4B1B9F8: D868UVCodeplug::encodeAnalogContacts(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d868uv_codeplug.cc:908)
==1947531==    by 0x4B1A6A6: D868UVCodeplug::encodeElements(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d868uv_codeplug.cc:661)
==1947531==    by 0x4B2D6DD: D878UVCodeplug::encodeElements(Codeplug::Flags const&, Codeplug::Context&, ErrorStack const&) (d878uv_codeplug.cc:2194)
==1947531==    by 0x4B1A491: D868UVCodeplug::encode(Config*, Codeplug::Flags const&, ErrorStack const&) (d868uv_codeplug.cc:634)
==1947531==    by 0x127D49: encodeCodeplug(QCommandLineParser&, QCoreApplication&) (encodecodeplug.cc:147)
==1947531==    by 0x11E214: main (main.cc:174)
==1947531==  Address 0xb856489 is 0 bytes after a block of size 73 alloc'd
==1947531==    at 0x4843839: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1947531==    by 0x4EF7290: QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.2)
==1947531==    by 0x4F42CD8: QByteArray::QByteArray(int, char) (in /usr/lib/x86_64-linux-gnu/libQt5Core.so.5.15.2)
==1947531==    by 0x4A47B18: DFUFile::Element::Element(unsigned int, unsigned int) (dfufile.cc:282)
==1947531==    by 0x4A4921A: DFUFile::Image::addElement(unsigned int, unsigned int, int) (dfufile.cc:524)
==1947531==    by 0x4B1B8B1: D868UVCodeplug::allocateAnalogContacts() (d868uv_codeplug.cc:892)
==1947531==    by 0x4B19C69: D868UVCodeplug::allocateForEncoding() (d868uv_codeplug.cc:547)
==1947531==    by 0x4B2D467: D878UVCodeplug::allocateForEncoding() (d878uv_codeplug.cc:2155)
==1947531==    by 0x127D25: encodeCodeplug(QCommandLineParser&, QCoreApplication&) (encodecodeplug.cc:146)
==1947531==    by 0x11E214: main (main.cc:174)
==1947531== 
==1947531== ERROR SUMMARY: 1213 errors from 6 contexts (suppressed: 0 from 0)

Those writes beyond the allocated memory could corrupt the heap (which is why the program could crash when releasing the memory).

asheplyakov commented 2 years ago

AnytoneCodeplug::DTMFContactElement encoding methods (setNumber, setName) look fishy. As far as I understand the element consists of a number and a name:

1) 14 BCD digits (zero padded, 4 bits per a digit), 7 bytes
2) the number of digits, 1 byte
3) up to 15 ASCII characters (zero padded)
4) trailing zero byte

(the encoded element size is 24 bytes, so 2 records fit in an analog contact bank)

memset(data, 0, 7) at line 986 is pretty clear. However the next line

setUInt8(0x0013, number.length());

looks wrong. That offset should have been 8 (also the code should have validated the length of the number). setName() writes (up to) 15 bytes at offset 0x20. That is doubly strange, because 1) this is beyond the allocated memory (that's why valgrind complains), and 2) there's a 13-byte gap between the number (or rather the number of digits in the number) and the name.
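
The element layout described above, together with the out-of-bounds writes valgrind reported earlier in the thread, as an added example that is not qdmr's own code: a validating encoder and decoder for one 24-byte DTMF contact element. The offsets (BCD digits at 0x00, digit count at 0x07, name at 0x08, trailing zero at 0x17) are assumed from the field order given in the comment rather than taken from the project's headers, and the nibble values Anytone uses for non-decimal DTMF symbols are not on the page, so only decimal digits are accepted.

```cpp
// Added example, not qdmr's code: a bounds-checked encoder/decoder for the
// 24-byte Anytone DTMF contact element as described in this thread.
// Assumed offsets follow the field order given above: 7 BCD bytes at 0x00,
// digit count at 0x07, 15-byte name at 0x08, trailing zero byte at 0x17.
#include <array>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>

constexpr std::size_t kElementSize  = 24;   // two elements per 48-byte bank slot
constexpr std::size_t kMaxDigits    = 14;   // 14 BCD digits packed into 7 bytes
constexpr std::size_t kMaxName      = 15;   // ASCII, zero padded
constexpr std::size_t kOffDigits    = 0x00;
constexpr std::size_t kOffNumDigits = 0x07;
constexpr std::size_t kOffName      = 0x08;
constexpr std::size_t kOffTrailer   = 0x17;

using Element = std::array<std::uint8_t, kElementSize>;
struct Contact { std::string number; std::string name; };

// The check the thread found missing: refuse anything that does not fit the
// fixed-size element. Returns an empty string when the contact is encodable.
// Only decimal digits are accepted; the nibble values for '*', '#' and A-D
// are not on the page, so they are deliberately left out (assumption).
std::string validateContact(const std::string& number, const std::string& name) {
  if (number.size() > kMaxDigits)
    return "number too long: " + std::to_string(number.size()) + " digits, max 14";
  for (unsigned char c : number)
    if (c < '0' || c > '9') return "number contains a non-decimal character";
  if (name.size() > kMaxName)
    return "name too long: " + std::to_string(name.size()) + " chars, max 15";
  for (unsigned char c : name)          // rejects "\x01" and 0xFF-filled names
    if (c < 0x20 || c > 0x7E) return "name contains a non-printable byte";
  return "";
}

// Encode into a zero-filled element; every write stays inside the 24 bytes.
std::optional<Element> encodeContact(const std::string& number, const std::string& name) {
  if (!validateContact(number, name).empty()) return std::nullopt;
  Element e{};                                      // padding and trailer are 0
  for (std::size_t i = 0; i < number.size(); ++i) {
    const std::uint8_t nib = static_cast<std::uint8_t>(number[i] - '0');
    if (i % 2 == 0) e[kOffDigits + i / 2] = static_cast<std::uint8_t>(nib << 4); // high nibble first (assumed)
    else            e[kOffDigits + i / 2] |= nib;
  }
  e[kOffNumDigits] = static_cast<std::uint8_t>(number.size());
  for (std::size_t i = 0; i < name.size(); ++i)
    e[kOffName + i] = static_cast<std::uint8_t>(name[i]);
  e[kOffTrailer] = 0;
  return e;
}

// Decode, treating an out-of-range digit count or a non-BCD nibble as a
// corrupt element (the kind of data a read-back from the radio can yield).
std::optional<Contact> decodeContact(const Element& e) {
  const std::size_t n = e[kOffNumDigits];
  if (n > kMaxDigits) return std::nullopt;
  Contact c;
  for (std::size_t i = 0; i < n; ++i) {
    const std::uint8_t b = e[kOffDigits + i / 2];
    const std::uint8_t nib = (i % 2 == 0) ? (b >> 4) : (b & 0x0F);
    if (nib > 9) return std::nullopt;
    c.number.push_back(static_cast<char>('0' + nib));
  }
  for (std::size_t i = 0; i < kMaxName && e[kOffName + i] != 0; ++i)
    c.name.push_back(static_cast<char>(e[kOffName + i]));
  return c;
}

int main() {
  // Constructed sample input: a sane contact and a garbled "number" of the kind quoted above.
  std::printf("sane:    '%s'\n", validateContact("12345", "DB0FS-R").c_str());
  std::printf("garbled: %s\n", validateContact("7112800000000006506567617375732050726", "\x01").c_str());
  const auto e = encodeContact("12345", "DB0FS-R");
  for (std::uint8_t b : *e) std::printf("%02x ", b);
  std::printf("\n");
  return 0;
}
```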

hmatuschek commented 2 years ago

Thank you all for identifying and fixing the issue.