Crash/Use after free in footprint editor preferences panel

Description

When closing the footprint editor after having opened the preferences dialog, there is a crash due to a use-after-free error:

=================================================================
==1551047==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000bef430 at pc 0x7fe323ce1e8a bp 0x7ffd8e016990 sp 0x7ffd8e016988
READ of size 8 at 0x607000bef430 thread T0
    #0 0x7fe323ce1e89 in JSON_SETTINGS::~JSON_SETTINGS() master/build/debug/../../common/settings/json_settings.cpp:63:9
    #1 0x7fe323d2f9c1 in NESTED_SETTINGS::~NESTED_SETTINGS() master/build/debug/../../common/settings/nested_settings.cpp:41:1
    #2 0x7fe32301d0ab in BOARD_DESIGN_SETTINGS::~BOARD_DESIGN_SETTINGS() master/build/debug/../../pcbnew/board_design_settings.cpp:569:1
    #3 0x7fe32301d0eb in BOARD_DESIGN_SETTINGS::~BOARD_DESIGN_SETTINGS() master/build/debug/../../pcbnew/board_design_settings.cpp:563:1
    #4 0x7fe323071f3f in std::default_delete<BOARD_DESIGN_SETTINGS>::operator()(BOARD_DESIGN_SETTINGS*) const /usr/bin/../lib/gcc/x86_64-redhat-linux/10/../../../../include/c++/10/bits/unique_ptr.h:84:2
    #5 0x7fe32306af36 in std::unique_ptr<BOARD_DESIGN_SETTINGS, std::default_delete<BOARD_DESIGN_SETTINGS> >::~unique_ptr() /usr/bin/../lib/gcc/x86_64-redhat-linux/10/../../../../include/c++/10/bits/unique_ptr.h:360:4
    #6 0x7fe32304b8cd in BOARD::~BOARD() master/build/debug/../../pcbnew/class_board.cpp:175:1
    #7 0x7fe32304c24b in BOARD::~BOARD() master/build/debug/../../pcbnew/class_board.cpp:144:1
    #8 0x7fe322fecdb7 in PCB_BASE_FRAME::SetBoard(BOARD*) master/build/debug/../../pcbnew/pcb_base_frame.cpp:137:9
    #9 0x7fe321fdf893 in PCB_BASE_EDIT_FRAME::SetBoard(BOARD*) master/build/debug/../../pcbnew/pcb_base_edit_frame.cpp:98:21
    #10 0x7fe321f91874 in FOOTPRINT_EDIT_FRAME::Clear_Pcb(bool) master/build/debug/../../pcbnew/initpcb.cpp:118:5
    #11 0x7fe321f3e3fb in FOOTPRINT_EDIT_FRAME::OnCloseWindow(wxCloseEvent&) master/build/debug/../../pcbnew/footprint_edit_frame.cpp:538:5
    #12 0x7fe3408ec4cd in wxEvtHandler::ProcessEventIfMatchesId(wxEventTableEntryBase const&, wxEvtHandler*, wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x1f24cd)
    #13 0x7fe3408ec5ca in wxEventHashTable::HandleEvent(wxEvent&, wxEvtHandler*) (/lib64/libwx_baseu-3.0.so.0+0x1f25ca)
    #14 0x7fe3408ec91f in wxEvtHandler::TryHereOnly(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x1f291f)
    #15 0x7fe323947deb in EDA_BASE_FRAME::ProcessEvent(wxEvent&) master/build/debug/../../common/eda_base_frame.cpp:218:19
    #16 0x7fe3408ec782 in wxEvtHandler::DoTryChain(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x1f2782)
    #17 0x7fe3408eca80 in wxEvtHandler::ProcessEvent(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x1f2a80)
    #18 0x7fe3408ec7da in wxEvtHandler::SafelyProcessEvent(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x1f27da)
    #19 0x7fe340e77eb9 in wxWindowBase::Close(bool) (/lib64/libwx_gtk3u_core-3.0.so.0+0x486eb9)
    #20 0x7fe340ca85e2  (/lib64/libwx_gtk3u_core-3.0.so.0+0x2b75e2)
    #21 0x7fe33f321eab in _gtk_marshal_BOOLEAN__BOXEDv /usr/src/debug/gtk3-3.24.20-1.fc32.x86_64/gtk/gtkmarshalers.c:129:14
    #22 0x7fe33edd1ae5  (/lib64/libgobject-2.0.so.0+0x13ae5)
    #23 0x7fe33ede9e4a in g_signal_emit_valist (/lib64/libgobject-2.0.so.0+0x2be4a)
    #24 0x7fe33edeac62 in g_signal_emit (/lib64/libgobject-2.0.so.0+0x2cc62)
    #25 0x7fe33f2cafe3 in gtk_widget_event_internal /usr/src/debug/gtk3-3.24.20-1.fc32.x86_64/gtk/gtkwidget.c:7808:4
    #26 0x7fe33f17b90e in gtk_main_do_event /usr/src/debug/gtk3-3.24.20-1.fc32.x86_64/gtk/gtkmain.c:1822:12
    #27 0x7fe33f17b90e in gtk_main_do_event /usr/src/debug/gtk3-3.24.20-1.fc32.x86_64/gtk/gtkmain.c:1690:1
    #28 0x7fe33ee54028 in _gdk_event_emit gdkevents.c:73:6
    #29 0x7fe33ee888e5 in gdk_event_source_dispatch gdkeventsource.c:367:7
    #30 0x7fe33eb227ae in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x527ae)
    #31 0x7fe33eb22b37  (/lib64/libglib-2.0.so.0+0x52b37)
    #32 0x7fe33eb22e52 in g_main_loop_run (/lib64/libglib-2.0.so.0+0x52e52)
    #33 0x7fe33f17a91c in gtk_main /usr/src/debug/gtk3-3.24.20-1.fc32.x86_64/gtk/gtkmain.c:1328:7
    #34 0x7fe340c94da4 in wxGUIEventLoop::DoRun() (/lib64/libwx_gtk3u_core-3.0.so.0+0x2a3da4)
    #35 0x7fe3407c4630 in wxEventLoopBase::Run() (/lib64/libwx_baseu-3.0.so.0+0xca630)
    #36 0x7fe340784428 in wxAppConsoleBase::MainLoop() (/lib64/libwx_baseu-3.0.so.0+0x8a428)
    #37 0x5ee0ff in APP_KICAD::OnRun() master/build/debug/../../kicad/kicad.cpp:279:27
    #38 0x7fe34080abcb in wxEntry(int&, wchar_t**) (/lib64/libwx_baseu-3.0.so.0+0x110bcb)
    #39 0x5eba03 in main master/build/debug/../../kicad/kicad.cpp:312:1
    #40 0x7fe33f713041 in __libc_start_main /usr/src/debug/glibc-2.31-17-gab029a2801/csu/../csu/libc-start.c:308:16
    #41 0x4e0a3d in _start (master/build/debug/kicad/kicad+0x4e0a3d)

0x607000bef430 is located 0 bytes inside of 72-byte region [0x607000bef430,0x607000bef478)
freed by thread T0 here:
    #0 0x5b84c7 in operator delete(void*) (master/build/debug/kicad/kicad+0x5b84c7)
    #1 0x7fe321f03757 in PARAM<int>::~PARAM() master/build/debug/../../include/settings/parameters.h:88:7
    #2 0x7fe323ce1ebf in JSON_SETTINGS::~JSON_SETTINGS() master/build/debug/../../common/settings/json_settings.cpp:63:9
    #3 0x7fe323d2f9c1 in NESTED_SETTINGS::~NESTED_SETTINGS() master/build/debug/../../common/settings/nested_settings.cpp:41:1
    #4 0x7fe32301d0ab in BOARD_DESIGN_SETTINGS::~BOARD_DESIGN_SETTINGS() master/build/debug/../../pcbnew/board_design_settings.cpp:569:1
    #5 0x7fe321a1688e in PANEL_MODEDIT_DEFAULTS::~PANEL_MODEDIT_DEFAULTS() master/build/debug/../../pcbnew/dialogs/panel_modedit_defaults.cpp:209:1
    #6 0x7fe321a168fb in PANEL_MODEDIT_DEFAULTS::~PANEL_MODEDIT_DEFAULTS() master/build/debug/../../pcbnew/dialogs/panel_modedit_defaults.cpp:206:1
    #7 0x7fe340e76b1b in wxWindowBase::Destroy() (/lib64/libwx_gtk3u_core-3.0.so.0+0x485b1b)

previously allocated by thread T0 here:
    #0 0x5b7ac7 in operator new(unsigned long) (master/build/debug/kicad/kicad+0x5b7ac7)

SUMMARY: AddressSanitizer: heap-use-after-free master/build/debug/../../common/settings/json_settings.cpp:63:9 in JSON_SETTINGS::~JSON_SETTINGS()
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1551047==ERROR: AddressSanitizer: SEGV on unknown address 0x7fe37680020d (pc 0x7fe323ce1ebe bp 0x7ffd8e016a70 sp 0x7ffd8e0169a0 T0)
==1551047==The signal is caused by a READ memory access.
    #0 0x7fe323ce1ebe in JSON_SETTINGS::~JSON_SETTINGS() master/build/debug/../../common/settings/json_settings.cpp:63:9
    #1 0x7fe323d2f9c1 in NESTED_SETTINGS::~NESTED_SETTINGS() master/build/debug/../../common/settings/nested_settings.cpp:41:1
    #2 0x7fe32301d0ab in BOARD_DESIGN_SETTINGS::~BOARD_DESIGN_SETTINGS() master/build/debug/../../pcbnew/board_design_settings.cpp:569:1
    #3 0x7fe32301d0eb in BOARD_DESIGN_SETTINGS::~BOARD_DESIGN_SETTINGS() master/build/debug/../../pcbnew/board_design_settings.cpp:563:1
    #4 0x7fe323071f3f in std::default_delete<BOARD_DESIGN_SETTINGS>::operator()(BOARD_DESIGN_SETTINGS*) const /usr/bin/../lib/gcc/x86_64-redhat-linux/10/../../../../include/c++/10/bits/unique_ptr.h:84:2
    #5 0x7fe32306af36 in std::unique_ptr<BOARD_DESIGN_SETTINGS, std::default_delete<BOARD_DESIGN_SETTINGS> >::~unique_ptr() /usr/bin/../lib/gcc/x86_64-redhat-linux/10/../../../../include/c++/10/bits/unique_ptr.h:360:4
    #6 0x7fe32304b8cd in BOARD::~BOARD() master/build/debug/../../pcbnew/class_board.cpp:175:1
    #7 0x7fe32304c24b in BOARD::~BOARD() master/build/debug/../../pcbnew/class_board.cpp:144:1
    #8 0x7fe322fecdb7 in PCB_BASE_FRAME::SetBoard(BOARD*) master/build/debug/../../pcbnew/pcb_base_frame.cpp:137:9
    #9 0x7fe321fdf893 in PCB_BASE_EDIT_FRAME::SetBoard(BOARD*) master/build/debug/../../pcbnew/pcb_base_edit_frame.cpp:98:21
    #10 0x7fe321f91874 in FOOTPRINT_EDIT_FRAME::Clear_Pcb(bool) master/build/debug/../../pcbnew/initpcb.cpp:118:5
    #11 0x7fe321f3e3fb in FOOTPRINT_EDIT_FRAME::OnCloseWindow(wxCloseEvent&) master/build/debug/../../pcbnew/footprint_edit_frame.cpp:538:5
    #12 0x7fe3408ec4cd in wxEvtHandler::ProcessEventIfMatchesId(wxEventTableEntryBase const&, wxEvtHandler*, wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x1f24cd)
    #13 0x7fe3408ec5ca in wxEventHashTable::HandleEvent(wxEvent&, wxEvtHandler*) (/lib64/libwx_baseu-3.0.so.0+0x1f25ca)
    #14 0x7fe3408ec91f in wxEvtHandler::TryHereOnly(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x1f291f)
    #15 0x7fe323947deb in EDA_BASE_FRAME::ProcessEvent(wxEvent&) master/build/debug/../../common/eda_base_frame.cpp:218:19
    #16 0x7fe3408ec782 in wxEvtHandler::DoTryChain(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x1f2782)
    #17 0x7fe3408eca80 in wxEvtHandler::ProcessEvent(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x1f2a80)
    #18 0x7fe3408ec7da in wxEvtHandler::SafelyProcessEvent(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x1f27da)
    #19 0x7fe340e77eb9 in wxWindowBase::Close(bool) (/lib64/libwx_gtk3u_core-3.0.so.0+0x486eb9)
    #20 0x7fe340ca85e2  (/lib64/libwx_gtk3u_core-3.0.so.0+0x2b75e2)
    #21 0x7fe33f321eab in _gtk_marshal_BOOLEAN__BOXEDv /usr/src/debug/gtk3-3.24.20-1.fc32.x86_64/gtk/gtkmarshalers.c:129:14
    #22 0x7fe33edd1ae5  (/lib64/libgobject-2.0.so.0+0x13ae5)
    #23 0x7fe33ede9e4a in g_signal_emit_valist (/lib64/libgobject-2.0.so.0+0x2be4a)
    #24 0x7fe33edeac62 in g_signal_emit (/lib64/libgobject-2.0.so.0+0x2cc62)
    #25 0x7fe33f2cafe3 in gtk_widget_event_internal /usr/src/debug/gtk3-3.24.20-1.fc32.x86_64/gtk/gtkwidget.c:7808:4
    #26 0x7fe33f17b90e in gtk_main_do_event /usr/src/debug/gtk3-3.24.20-1.fc32.x86_64/gtk/gtkmain.c:1822:12
    #27 0x7fe33f17b90e in gtk_main_do_event /usr/src/debug/gtk3-3.24.20-1.fc32.x86_64/gtk/gtkmain.c:1690:1
    #28 0x7fe33ee54028 in _gdk_event_emit gdkevents.c:73:6
    #29 0x7fe33ee888e5 in gdk_event_source_dispatch gdkeventsource.c:367:7
    #30 0x7fe33eb227ae in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x527ae)
    #31 0x7fe33eb22b37  (/lib64/libglib-2.0.so.0+0x52b37)
    #32 0x7fe33eb22e52 in g_main_loop_run (/lib64/libglib-2.0.so.0+0x52e52)
    #33 0x7fe33f17a91c in gtk_main /usr/src/debug/gtk3-3.24.20-1.fc32.x86_64/gtk/gtkmain.c:1328:7
    #34 0x7fe340c94da4 in wxGUIEventLoop::DoRun() (/lib64/libwx_gtk3u_core-3.0.so.0+0x2a3da4)
    #35 0x7fe3407c4630 in wxEventLoopBase::Run() (/lib64/libwx_baseu-3.0.so.0+0xca630)
    #36 0x7fe340784428 in wxAppConsoleBase::MainLoop() (/lib64/libwx_baseu-3.0.so.0+0x8a428)
    #37 0x5ee0ff in APP_KICAD::OnRun() master/build/debug/../../kicad/kicad.cpp:279:27
    #38 0x7fe34080abcb in wxEntry(int&, wchar_t**) (/lib64/libwx_baseu-3.0.so.0+0x110bcb)
    #39 0x5eba03 in main master/build/debug/../../kicad/kicad.cpp:312:1
    #40 0x7fe33f713041 in __libc_start_main /usr/src/debug/glibc-2.31-17-gab029a2801/csu/../csu/libc-start.c:308:16
    #41 0x4e0a3d in _start (master/build/debug/kicad/kicad+0x4e0a3d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV master/build/debug/../../common/settings/json_settings.cpp:63:9 in JSON_SETTINGS::~JSON_SETTINGS()
==1551047==ABORTING

Steps to reproduce

  1. Launch KiCad
  2. Open footprint editor
  3. Open the preferences dialog
  4. Close the preferences dialog (no need to modify anything)
  5. Close the footprint editor
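The frames above show one BOARD_DESIGN_SETTINGS freeing its PARAM objects when the preferences panel is destroyed (`freed by thread T0 here`) and a second one reading those same objects when the editor's board is destroyed, i.e. two settings objects that both believe they own the same parameters. The C++ below is an added illustration of that ownership pattern and a hardened shape, not KiCad's code: the struct names are borrowed from the stack frames, but their bodies, the `destroy()` audit and the `CopyFrom()` fix are assumptions, not the project's actual implementation.

```cpp
#include <map>
#include <memory>
#include <vector>

// Model of the ownership pattern the trace above implies. Not KiCad's code:
// the names echo the stack frames; the bodies are assumptions for illustration.
struct PARAM_BASE { virtual ~PARAM_BASE() = default; };
struct PARAM_INT : PARAM_BASE {
    int* m_ptr;                                   // points into the owning settings
    explicit PARAM_INT( int* ptr ) : m_ptr( ptr ) {}
};
// Stand-in for the heap: the first destroy() of a pointer really frees it; any
// later destroy() of the same pointer is recorded as a double free instead of
// touching freed memory (what ASan reports as heap-use-after-free above).
static std::map<PARAM_BASE*, int> g_destroys;
static void destroy( PARAM_BASE* p ) { if( ++g_destroys[p] == 1 ) delete p; }
static int double_frees() { int n = 0; for( auto& kv : g_destroys ) n += ( kv.second > 1 ); return n; }
struct AUDITED_DELETE { void operator()( PARAM_BASE* p ) const { destroy( p ); } };

// Buggy shape: raw owning pointers plus the implicit copy constructor. A copy
// shares the PARAM pointers, so whichever object dies second walks freed objects.
struct SETTINGS_RAW {
    int m_value = 0;
    std::vector<PARAM_BASE*> m_params;
    SETTINGS_RAW() { m_params.push_back( new PARAM_INT( &m_value ) ); }
    ~SETTINGS_RAW() { for( PARAM_BASE* p : m_params ) destroy( p ); }
};
// Hardened shape: each PARAM has exactly one owner, copying is a compile error,
// and a dialog that needs its own copy takes the values, never the pointers.
struct SETTINGS_SAFE {
    int m_value = 0;
    std::vector<std::unique_ptr<PARAM_BASE, AUDITED_DELETE>> m_params;
    SETTINGS_SAFE() { m_params.emplace_back( new PARAM_INT( &m_value ) ); }
    SETTINGS_SAFE( const SETTINGS_SAFE& ) = delete;
    SETTINGS_SAFE& operator=( const SETTINGS_SAFE& ) = delete;
    void CopyFrom( const SETTINGS_SAFE& other ) { m_value = other.m_value; }
};

// Replays the report: a "panel" copies the "board" settings, the panel is
// destroyed first (dialog closed), then the board (editor closed).
int simulate_raw_copy() {
    g_destroys.clear();
    { SETTINGS_RAW board; { SETTINGS_RAW panel = board; } }   // shared PARAM freed twice
    return double_frees();
}
int simulate_safe_copy() {
    g_destroys.clear();
    { SETTINGS_SAFE board; board.m_value = 42; { SETTINGS_SAFE panel; panel.CopyFrom( board ); } }
    return double_frees();
}
```

Note that in the raw variant the copied PARAM still points into the board's `m_value`, so even before the crash the panel's parameter would read and write the wrong object; the deleted copy constructor turns both mistakes into a compile error.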

KiCad Version

Application: KiCad
Version: (5.99.0-2194-g6672efdf2c-dirty), debug build
Libraries:
	wxWidgets 3.0.4
	libcurl/7.69.1 OpenSSL/1.1.1g-fips zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh/0.9.4/openssl/zlib nghttp2/1.41.0
Platform: Linux 5.6.19-300.fc32.x86_64 x86_64, 64 bit, Little endian, wxGTK
Build Info:
	Build date: Jul  6 2020 01:46:43
	wxWidgets: 3.0.4 (wchar_t,wx containers,compatible with 2.8) GTK+ 3.24
	Boost: 1.69.0
	OCC: 7.4.0
	Curl: 7.69.1
	Compiler: Clang 10.0.0 with C++ ABI 1002

Build settings:
	KICAD_SCRIPTING=ON
	KICAD_SCRIPTING_MODULES=ON
	KICAD_SCRIPTING_PYTHON3=ON
	KICAD_SCRIPTING_WXPYTHON=ON
	KICAD_SCRIPTING_WXPYTHON_PHOENIX=ON
	KICAD_SCRIPTING_ACTION_MENU=ON
	BUILD_GITHUB_PLUGIN=ON
	KICAD_USE_OCC=ON
	KICAD_SPICE=ON
	KICAD_STDLIB_DEBUG=OFF
	KICAD_STDLIB_LIGHT_DEBUG=ON
	KICAD_SANITIZE=ON