search

hmatuschek / qdmr

A GUI application for configuring and programming cheap DMR radios under Linux and MacOS X.
https://dm3mat.darc.de/qdmr/
GNU General Public License v3.0
216 stars 45 forks source link

Crash when reading or writing config from/to Anytone D878UV2 #244

Closed toco closed 2 years ago

toco commented 2 years ago

With qdmr built from a82b6a2 I'm hitting a 100% reproducible crash when trying to read from or write to an Anytone D878UV2.

Excerpt from crash log:

[…]

Crashed Thread:        10  D878UV2

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Codes:       0x0000000000000001, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [88265]

VM Region Info: 0 is not in any region.  Bytes before following region: 4304089088
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                      1008b3000-10099b000    [  928K] r-x/r-x SM=COW  ...ts/MacOS/qdmr

[…]

Thread 12 Crashed:: D878UV2
0   libdmrconf.0.10.3.dylib                0x10d75b59c D878UVCodeplug::setBitmaps(Config*) + 50
1   libdmrconf.0.10.3.dylib                0x10d74096a AnytoneRadio::upload() + 614
2   libdmrconf.0.10.3.dylib                0x10d73ffce AnytoneRadio::run() + 278
3   QtCore                                 0x11037dbba 0x11035c000 + 138170
4   libsystem_pthread.dylib             0x7ff8051554e1 _pthread_start + 125
5   libsystem_pthread.dylib             0x7ff805150f6b thread_start + 15

Full log: qdmr-2022-08-29-111929.ips.txt

toco commented 2 years ago

Running it in a debugger shows that data(ADDR_ROAMING_CHANNEL_BITMAP); in line 2475 returns a nullptr which is then dereferenced without checking in line 2487.

https://github.com/hmatuschek/qdmr/blob/a82b6a21dd4f3e9fd6d31ccfd18781a239e61a9a/lib/d878uv_codeplug.cc#L2473-L2482

hmatuschek commented 2 years ago

Can reproduce it. I should not call virtual methods from constructors. In fact, the problem is in https://github.com/hmatuschek/qdmr/blob/a82b6a21dd4f3e9fd6d31ccfd18781a239e61a9a/lib/d868uv_codeplug.cc#L476

This calls only the D868UVCodeplug::clear() and not the overloaded D878UVCodeplug::clear() which allocates the roaming channel bitmap. Consequently, it gets a nullptr.

hmatuschek commented 2 years ago

Can you build it from the master branch? It should be fixed now. I've tested it with a D878UV and it appears to work now.

toco commented 2 years ago

Yes, I built from sources at c024348 and reading the codeplug from the radio works.

toco commented 2 years ago

Writing fails with a verification error that can't be skipped with "Ignore verification warnings", see https://github.com/hmatuschek/qdmr/issues/245.