Segfault when requesting an avatar #1738

Closed
mdosch opened this issue Jul 31, 2022 · 2 comments

mdosch commented Jul 31, 2022

/avatar open $contact made profanity segfault.

Expected Behavior

Download and open the avatar.

Current Behavior

Segfault

(gdb) bt full
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
No locals.
#1  0x00007ffff73f4638 in __vfprintf_internal (s=s@entry=0x7fffffffc850, format=format@entry=0x555555605230 "Spawning '%s' failed with '%s'.", ap=ap@entry=0x7fffffffc9e8, mode_flags=mode_flags@entry=2) at vfprintf-internal.c:1647
        len = <optimized out>
        step0_jumps = {0, 1717, 1621, 3413, 3317, 3997, 2677, 2837, 3613, 1773, 4309, 4445, 3517, 4437, 4389, 2789, 4197, 3917, 3221, 2997, 1141, 1365, 1997, 1925, 1885, 733, 3709, 533, 533, 4101}
        space = <optimized out>
        is_short = <optimized out>
        use_outdigits = 0
        outc = <optimized out>
        step1_jumps = {0, 0, 0, 0, 0, 0, 0, 0, 0, 1773, 4309, 4445, 3517, 4437, 4389, 2789, 4197, 3917, 3221, 2997, 1141, 1365, 1997, 1925, 1885, 733, 3709, 533, 533, 0}
        group = 0
        prec = -1
        step2_jumps = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4309, 4445, 3517, 4437, 4389, 2789, 4197, 3917, 3221, 2997, 1141, 1365, 1997, 1925, 1885, 733, 3709, 533, 533, 0}
        string = 0x841f0f2e66 <error: Cannot access memory at address 0x841f0f2e66>
        left = 0
        is_long_double = <optimized out>
        width = 0
        signed_number = <optimized out>
        step3a_jumps = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4213, 0, 0, 0, 4389, 2789, 4197, 3917, 3221, 0, 0, 0, 0, 1925, 0, 0, 0, 0, 0, 0}
        alt = <optimized out>
        showsign = 0
        is_long = 0
        is_char = <optimized out>
        pad = <optimized out>
        step3b_jumps = {0 <repeats 11 times>, 3517, 0, 0, 4389, 2789, 4197, 3917, 3221, 2997, 1141, 1365, 1997, 1925, 1885, 733, 3709, 0, 0, 0}
        step4_jumps = {0 <repeats 14 times>, 4389, 2789, 4197, 3917, 3221, 2997, 1141, 1365, 1997, 1925, 1885, 733, 3709, 0, 0, 0}
        args_value = <optimized out>
        is_negative = <optimized out>
        number = <optimized out>
        base = <optimized out>
        the_arg = {pa_wchar = 0 L'\000', pa_int = 0, pa_long_int = 0, pa_long_long_int = 0, pa_u_int = 0, pa_u_long_int = 0, pa_u_long_long_int = 0, pa_double = 0, pa_long_double = 0, pa_float128 = 0, pa_string = 0x0, pa_wstring = 0x0, 
          pa_pointer = 0x0, pa_user = 0x0}
        spec = 115 's'
        _buffer = {__routine = 0x0, __arg = 0x3000000008, __canceltype = -1, __prev = 0x7fffffffc9d0}
        _avail = <optimized out>
        thousands_sep = 0x0
        grouping = 0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>
        done = 106
        f = 0x55555560524c "s'."
        lead_str_end = 0x55555560523a "%s' failed with '%s'."
        end_of_spec = <optimized out>
        work_buffer = "\031\000\000\000\000\000\000\000\016\000\000\000\000\000\000\000\200\357\257ZUU\000\000\260\305\377\377\377\177\000\000 amUUU\000\000\000{\321Cn/Z\364 amUUU\000\000\220\000\000\000\000\000\000\000Ps\263]UU\000\000\200\253U\367\377\177\000\000\020\002\000\000\000\000\000\000\340s\263]UU\000\000\b\000\000\000\000\000\000\000\023\033A\367\377\177\000\000\000\000\000\000\000\000\000\000P\353\200]UU\000\000\360\305\377\377\377\177\000\000\345f\375\367\377\177\000\000\352C\273$\000\000\000\000\001\000\000\000\000\000\000\000ܞ\200\367\377\177\000\000x\240UUUU\000\000\001\000\000\000\000\000\000\000\264k\375\367\377\177\000\000\022\002\000\000\000\000\000\000\200"...
        workend = 0x7fffffffc808 ""
        ap_save = {{gp_offset = 8, fp_offset = 48, overflow_arg_area = 0x7fffffffcad0, reg_save_area = 0x7fffffffca00}}
        nspecs_done = 1
        save_errno = 25
        readonly_format = 0
        do_longlong_number = <optimized out>
        __result = <optimized out>
#2  0x00007ffff7404e01 in __vasprintf_internal (result_ptr=0x7fffffffc9b0, format=0x555555605230 "Spawning '%s' failed with '%s'.", args=0x7fffffffc9e8, mode_flags=2) at vasprintf.c:57
        init_string_size = 100
        string = 0x555559ac54c0 "E\306)\016PU"
        sf = {_sbf = {_f = {_flags = -72515584, _IO_read_ptr = 0x55555db39200 "Spawning 'xdg-open /home/martin/.local/share/profanity/avatars/REDACTED_at_mdosch.de.webp' failed with '", _IO_read_end = 0x55555db39265 "ith '", 
              _IO_read_base = 0x55555db39200 "Spawning 'xdg-open /home/martin/.local/share/profanity/avatars/REDACTED_at_mdosch.de.webp' failed with '", 
              _IO_write_base = 0x55555db39200 "Spawning 'xdg-open /home/martin/.local/share/profanity/avatars/REDACTED_at_mdosch.de.webp' failed with '", _IO_write_ptr = 0x55555db3926a "", _IO_write_end = 0x55555db3932c "", 
              _IO_buf_base = 0x55555db39200 "Spawning 'xdg-open /home/martin/.local/share/profanity/avatars/REDACTED_at_mdosch.de.webp' failed with '", _IO_buf_end = 0x55555db3932c "", _IO_save_base = 0x0, _IO_backup_base = 0x0, 
              _IO_save_end = 0x0, _markers = 0x0, _chain = 0x0, _fileno = 27208958, _flags2 = 0, _old_offset = 0, _cur_column = 0, _vtable_offset = 0 '\000', _shortbuf = "", _lock = 0x0, _offset = 140737488341408, 
              _codecvt = 0x5555576da670, _wide_data = 0xffffffffffffffff, _freeres_list = 0x0, _freeres_buf = 0x55555db3e610, __pad5 = 0, _mode = -1, _unused2 = "\377\177\000\000\000{\321Cn/Z\364\066\000\000\000\000\000\000"}, 
            vtable = 0x7ffff75575c0 <_IO_str_jumps>}, _s = {_allocate_buffer_unused = 0x7ffff7412310 <__GI___libc_malloc>, _free_buffer_unused = 0x7ffff7412970 <__GI___libc_free>}}
        ret = <optimized out>
        needed = <optimized out>
        allocated = <optimized out>
#3  0x00007ffff78aaa0f in g_vasprintf () from target:/lib/x86_64-linux-gnu/libglib-2.0.so.0
No symbol table info available.
#4  0x00007ffff7880151 in g_string_append_vprintf () from target:/lib/x86_64-linux-gnu/libglib-2.0.so.0
No symbol table info available.
#5  0x000055555558b5e2 in log_error (msg=msg@entry=0x555555605230 "Spawning '%s' failed with '%s'.") at src/log.c:168
        arg = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7fffffffcad0, reg_save_area = 0x7fffffffca00}}
        fmt_msg = 0x555559e146e0
#6  0x000055555558c81b in call_external (argv=argv@entry=0x7fffffffcb10, std_out=std_out@entry=0x0, std_err=std_err@entry=0x0) at src/common.c:468
        cmd = 0x5555557c7560 "xdg-open /home/martin/.local/share/profanity/avatars/REDACTED_at_mdosch.de.webp"
        flags = (G_SPAWN_SEARCH_PATH | G_SPAWN_STDOUT_TO_DEV_NULL | G_SPAWN_STDERR_TO_DEV_NULL)
        exit_status = 1024
        spawn_result = 1
        spawn_error = 0x7ffff787c2ce <g_strdup+46>
#7  0x00005555555a8d8f in _avatar_request_item_result_handler (stanza=<optimized out>, userdata=0x55555db52fe0) at src/xmpp/avatar.c:343
        argv = {0x5555557c0f90 "xdg-open", 0x55555e4ecf50 "/home/martin/.local/share/profanity/avatars/REDACTED_at_mdosch.de.webp", 0x0}
        from_attr = 0x5555557b63c0 "REDACTED@mdosch.de"
        pubsub = <optimized out>
        items = <optimized out>
        item = <optimized out>
        st_data = <optimized out>
        buf = <optimized out>
        size = 6956
        de = 0x55555db4db50 "RIFF$\033"
        path = <optimized out>
        filename = 0x55555d18d4c0
        res = <optimized out>
        from = 0x5555576da670 "-"
        data = 0x55555db52fe0
        err = 0x0
#8  0x00005555555994ad in _iq_handler (conn=<optimized out>, userdata=<optimized out>, stanza=0x55555e50ad40) at src/xmpp/iq.c:231
        keep = <optimized out>
        handler = <optimized out>
        text = <optimized out>
        text_size = <optimized out>
        cont = <optimized out>
        type = <optimized out>
        discoinfo = <optimized out>
        discoitems = <optimized out>
        lastactivity = <optimized out>
        version = <optimized out>
        ping = <optimized out>
        roster = <optimized out>
        blocking = <optimized out>
        id = 0x55555ae3b1f0 "7PONGoMWFJdrGMB9548595765974f399c5966817cb7f182698c8962"
#9  _iq_handler (conn=<optimized out>, stanza=0x55555e50ad40, userdata=<optimized out>) at src/xmpp/iq.c:165
        text = 0x55555db570b0 "\260\263U\367\377\177"
        text_size = 9749
        cont = <optimized out>
        type = <optimized out>
        discoinfo = <optimized out>
        discoitems = <optimized out>
        lastactivity = <optimized out>
        version = <optimized out>
        ping = <optimized out>
        roster = <optimized out>
        blocking = <optimized out>
        id = <optimized out>
        handler = <optimized out>
        keep = <optimized out>
#10 0x00007ffff76be3c9 in ?? () from target:/lib/x86_64-linux-gnu/libstrophe.so.0
No symbol table info available.
#11 0x00007ffff76bbbcc in ?? () from target:/lib/x86_64-linux-gnu/libstrophe.so.0
No symbol table info available.
#12 0x00007ffff76c9d3f in ?? () from target:/lib/x86_64-linux-gnu/libstrophe.so.0
No symbol table info available.
#13 0x00007ffff6ba69e4 in doContent (parser=parser@entry=0x555555ad1f10, startTagLevel=startTagLevel@entry=0, enc=<optimized out>, s=<optimized out>, end=<optimized out>, nextPtr=0x555555ad1f40, haveMore=1 '\001', 
    account=XML_ACCOUNT_DIRECT) at ../../src/lib/xmlparse.c:3047
        localPart = <optimized out>
        prefix = <optimized out>
        uri = <optimized out>
        len = <optimized out>
        rawName = 0x555556398d03 "iq><a xmlns='urn:xmpp:sm:3' h='549'/><a xmlns='urn:xmpp:sm:3' h='550'/><r xmlns='urn:xmpp:sm:3'/><a xmlns='urn:xmpp:sm:3' h='551'/>K9umG7u4N9LaPA\nT7Z42FQ+Kse2UPxe/95Ca74wHIYylJBmmSEGeEsk7jVHocaXUsYFWz"...
        tag = 0x555556227740
        next = 0x555556398d06 "<a xmlns='urn:xmpp:sm:3' h='549'/><a xmlns='urn:xmpp:sm:3' h='550'/><r xmlns='urn:xmpp:sm:3'/><a xmlns='urn:xmpp:sm:3' h='551'/>K9umG7u4N9LaPA\nT7Z42FQ+Kse2UPxe/95Ca74wHIYylJBmmSEGeEsk7jVHocaXUsYFWzD/P"...
        tok = <optimized out>
        accountAfter = <optimized out>
        dtd = 0x555555ad29d0
        eventPP = <optimized out>
        eventEndPP = 0x555555ad2138
#14 0x00007ffff6ba77aa in contentProcessor (parser=0x555555ad1f10, start=<optimized out>, end=<optimized out>, endPtr=<optimized out>) at ../../src/lib/xmlparse.c:2612
        result = <optimized out>
#15 0x00007ffff6ba1cc1 in XML_ParseBuffer (parser=0x555555ad1f10, len=3046, isFinal=0) at ../../src/lib/xmlparse.c:2009
        start = <optimized out>
        result = XML_STATUS_OK
#16 0x00007ffff76bdd24 in xmpp_run_once () from target:/lib/x86_64-linux-gnu/libstrophe.so.0
No symbol table info available.
#17 0x000055555559519f in connection_check_events () at src/xmpp/connection.c:148
No locals.
#18 0x000055555558e6dc in prof_run (log_level=<optimized out>, account_name=<optimized out>, config_file=0x0, log_file=0x0, theme_name=<optimized out>) at src/profanity.c:132
        cont = 1
        line = 0x0
#19 0x000055555558a68d in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:186
        entries = {{long_name = 0x555555605f39 "version", short_name = 118 'v', flags = 0, arg = G_OPTION_ARG_NONE, arg_data = 0x5555556ae328 <version>, description = 0x55555562fbc5 "Show version information", arg_description = 0x0}, {
            long_name = 0x5555556158eb "account", short_name = 97 'a', flags = 0, arg = G_OPTION_ARG_STRING, arg_data = 0x5555556ae310 <account_name>, description = 0x55555562fe48 "Auto connect to an account on startup", 
            arg_description = 0x0}, {long_name = 0x55555562e002 "log", short_name = 108 'l', flags = 0, arg = G_OPTION_ARG_STRING, arg_data = 0x5555556ae320 <log>, 
            description = 0x55555562fe70 "Set logging levels, DEBUG, INFO, WARN (default), ERROR", arg_description = 0x55555562fbde "LEVEL"}, {long_name = 0x555555628832 "config", short_name = 99 'c', flags = 0, 
            arg = G_OPTION_ARG_STRING, arg_data = 0x5555556ae308 <config_file>, description = 0x55555562fea8 "Use an alternative configuration file", arg_description = 0x0}, {long_name = 0x55555562fbe4 "logfile", short_name = 102 'f', 
            flags = 0, arg = G_OPTION_ARG_STRING, arg_data = 0x5555556ae318 <log_file>, description = 0x55555562fbec "Specify log file", arg_description = 0x0}, {long_name = 0x555555615c79 "theme", short_name = 116 't', flags = 0, 
            arg = G_OPTION_ARG_STRING, arg_data = 0x5555556ae300 <theme_name>, description = 0x55555562fbfd "Specify theme name", arg_description = 0x0}, {long_name = 0x0, short_name = 0 '\000', flags = 0, arg = G_OPTION_ARG_NONE, 
            arg_data = 0x0, description = 0x0, arg_description = 0x0}}
        error = 0x0
        context = 0x5555556d5f10
Program received signal SIGSEGV, Segmentation fault.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
74	../sysdeps/x86_64/multiarch/strlen-avx2.S: Datei oder Verzeichnis nicht gefunden.
(gdb) bt 
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
#1  0x00007ffff73f4638 in __vfprintf_internal (s=s@entry=0x7fffffffc850, format=format@entry=0x555555605230 "Spawning '%s' failed with '%s'.", ap=ap@entry=0x7fffffffc9e8, mode_flags=mode_flags@entry=2) at vfprintf-internal.c:1647
#2  0x00007ffff7404e01 in __vasprintf_internal (result_ptr=0x7fffffffc9b0, format=0x555555605230 "Spawning '%s' failed with '%s'.", args=0x7fffffffc9e8, mode_flags=2) at vasprintf.c:57
#3  0x00007ffff78aaa0f in g_vasprintf () from target:/lib/x86_64-linux-gnu/libglib-2.0.so.0
#4  0x00007ffff7880151 in g_string_append_vprintf () from target:/lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x000055555558b5e2 in log_error (msg=msg@entry=0x555555605230 "Spawning '%s' failed with '%s'.") at src/log.c:168
#6  0x000055555558c81b in call_external (argv=argv@entry=0x7fffffffcb10, std_out=std_out@entry=0x0, std_err=std_err@entry=0x0) at src/common.c:468
#7  0x00005555555a8d8f in _avatar_request_item_result_handler (stanza=<optimized out>, userdata=0x55555db52fe0) at src/xmpp/avatar.c:343
#8  0x00005555555994ad in _iq_handler (conn=<optimized out>, userdata=<optimized out>, stanza=0x55555e50ad40) at src/xmpp/iq.c:231
#9  _iq_handler (conn=<optimized out>, stanza=0x55555e50ad40, userdata=<optimized out>) at src/xmpp/iq.c:165
#10 0x00007ffff76be3c9 in ?? () from target:/lib/x86_64-linux-gnu/libstrophe.so.0
#11 0x00007ffff76bbbcc in ?? () from target:/lib/x86_64-linux-gnu/libstrophe.so.0
#12 0x00007ffff76c9d3f in ?? () from target:/lib/x86_64-linux-gnu/libstrophe.so.0
#13 0x00007ffff6ba69e4 in doContent (parser=parser@entry=0x555555ad1f10, startTagLevel=startTagLevel@entry=0, enc=<optimized out>, s=<optimized out>, end=<optimized out>, nextPtr=0x555555ad1f40, haveMore=1 '\001', 
    account=XML_ACCOUNT_DIRECT) at ../../src/lib/xmlparse.c:3047
#14 0x00007ffff6ba77aa in contentProcessor (parser=0x555555ad1f10, start=<optimized out>, end=<optimized out>, endPtr=<optimized out>) at ../../src/lib/xmlparse.c:2612
#15 0x00007ffff6ba1cc1 in XML_ParseBuffer (parser=0x555555ad1f10, len=3046, isFinal=0) at ../../src/lib/xmlparse.c:2009
#16 0x00007ffff76bdd24 in xmpp_run_once () from target:/lib/x86_64-linux-gnu/libstrophe.so.0
#17 0x000055555559519f in connection_check_events () at src/xmpp/connection.c:148
#18 0x000055555558e6dc in prof_run (log_level=<optimized out>, account_name=<optimized out>, config_file=0x0, log_file=0x0, theme_name=<optimized out>) at src/profanity.c:132
#19 0x000055555558a68d in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:186

Steps to Reproduce (for bugs)

  1. Use /avatar open on a contact in the roster (seems not to segfault for every contact so you might have to try several contacts)

Environment

  • Debian Testing
profanity -v
Profanity, version 0.12.1dev.master.9605334d
Copyright (C) 2012 - 2019 James Booth <boothj5web@gmail.com>.
Copyright (C) 2019 - 2022 Michael Vetter <jubalh@iodoru.org>.
License GPLv3+: GNU GPL version 3 or later <https://www.gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Build information:
XMPP library: libstrophe
Desktop notification support: Enabled
OTR support: Enabled (libotr 4.1.1)
PGP support: Enabled (libgpgme 1.17.1)
OMEMO support: Enabled
C plugins: Enabled
Python plugins: Disabled
GTK icons/clipboard: Disabled
GDK Pixbuf: Enabled
@jubalh jubalh self-assigned this Aug 1, 2022
@jubalh jubalh added the bug label Aug 1, 2022
@jubalh jubalh added this to the 0.13.0 milestone Aug 1, 2022

jubalh commented Aug 2, 2022

Can't reproduce this.
Tried with both jpeg and webp avatars. In both cases it opens fine.

jubalh added a commit that referenced this issue Aug 2, 2022
We need to use a new one or call `g_clear_error()`.

Fix segfault in #1738

jubalh commented Aug 2, 2022

@mdosch had the opener set to xdg-open, and an invalid desktop file lying around,
resulting in xdg-open returning a permission denied.

We were wrongly using the same GError twice.

@jubalh jubalh closed this as completed Aug 2, 2022
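
The failure mode named in the fix, as an added example that is not Profanity's code: GLib requires a `GError *` to be NULL when its address is passed to a function, `g_set_error()` does not overwrite an error that is already set, and `g_clear_error()` frees the error and resets the pointer. The block models that contract in plain C so it builds without GLib; `model_error`, `model_set_error`, `model_clear_error` and the two failing steps are hypothetical stand-ins with constructed messages.

```c
/* Added example: a plain-C model of GLib's GError out-parameter rule.
 * model_error, model_set_error and model_clear_error are hypothetical
 * stand-ins for GError, g_set_error() and g_clear_error(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char message[64]; } model_error;

static int refused_sets; /* times a callee found *err already set */

/* Like g_set_error(): only fills *err when it is NULL on entry. */
static void model_set_error(model_error **err, const char *msg) {
    if (err == NULL) return;
    if (*err != NULL) { refused_sets++; return; } /* stale error is kept */
    *err = calloc(1, sizeof **err);
    if (*err == NULL) abort();
    snprintf((*err)->message, sizeof (*err)->message, "%s", msg);
}

/* Like g_clear_error(): free the error and reset the pointer to NULL. */
static void model_clear_error(model_error **err) {
    if (err && *err) { free(*err); *err = NULL; }
}

/* Two constructed steps that both fail, each for its own reason. */
static int step_spawn(model_error **err) {
    model_set_error(err, "spawn: no such file");
    return 0;
}
static int step_check(model_error **err) {
    model_set_error(err, "exit status: permission denied");
    return 0;
}

/* Runs both steps with ONE error variable and copies the message reported
 * for the second step into out. clear_between selects the fixed variant. */
static void report_second_failure(int clear_between, char *out, size_t n) {
    model_error *err = NULL;
    if (!step_spawn(&err) && clear_between)
        model_clear_error(&err);          /* fix: reset before reuse */
    if (!step_check(&err))
        snprintf(out, n, "%s", err->message);
    model_clear_error(&err);
}

int main(void) {
    char buggy[64], fixed[64];
    report_second_failure(0, buggy, sizeof buggy);
    report_second_failure(1, fixed, sizeof fixed);
    printf("reused without clearing: %s\n", buggy);
    printf("cleared before reuse:    %s\n", fixed);
    return 0;
}
```

In the model the stale pointer still refers to a live object, so the caller only logs the wrong message. If the stale pointer has been freed or was never initialised, the same read of `message` is an invalid memory access, which is what frame #0 (`strlen` on the `%s` argument) shows in the backtrace.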