
cacheGlyph Segmentation fault

Open lls115 opened this issue 4 years ago • 4 comments

from PySide2.QtCore import QSize
from PySide2.QtGui import QBitmap, QImage


class GlyphEntry:
    """Glyph cache entry."""

    def __init__(self, glyph: Glyph):
        """Construct a cache entry from a glyph."""

        # Glyph origin.
        self.x = glyph.x
        self.y = glyph.y
        self.w = glyph.w
        self.h = glyph.h
        # Debug instrumentation added to dump what is handed to Qt right before the crash.
        print("=======================================")
        print(QSize(self.w, self.h), glyph.data, QImage.Format_Mono)
        self.bitmap = QBitmap.fromData(QSize(self.w, self.h), glyph.data, QImage.Format_Mono)
DEBUG:pyrdp.player.gdi.draw:<CreateOffscreenBitmap 72x313 Id=0 Del=0>
DEBUG:pyrdp.player.gdi.draw:<SwitchSurface Id=0>
DEBUG:pyrdp.player.gdi.draw:<CreateOffscreenBitmap 1920x36 Id=0 Del=0>
DEBUG:pyrdp.player.gdi.draw:<SwitchSurface Id=0>
DEBUG:pyrdp.player.gdi.draw:<SwitchSurface Id=65535>
DEBUG:pyrdp.player.gdi.draw:<pyrdp.parser.rdp.orders.secondary.CacheGlyph object at 0x7fff8e84f828>
=======================================
PySide2.QtCore.QSize(6, 8) b'\xfc\xfc\xfcxxxxx' PySide2.QtGui.QImage.Format.Format_Mono

Program received signal SIGSEGV, Segmentation fault.
0x00007fff9f8bd458 in makeBitmap(QImage&&, QFlags<Qt::ImageConversionFlag>) [clone .constprop.3] () from /usr/local/lib64/python3.6/site-packages/PySide2/Qt/lib/libQt5Gui.so.5
(gdb) bt
#0  0x00007fff9f8bd458 in makeBitmap(QImage&&, QFlags<Qt::ImageConversionFlag>) [clone .constprop.3] () from /usr/local/lib64/python3.6/site-packages/PySide2/Qt/lib/libQt5Gui.so.5
#1  0x00007fff9f8bd56b in QBitmap::fromImage(QImage&&, QFlags<Qt::ImageConversionFlag>) () from /usr/local/lib64/python3.6/site-packages/PySide2/Qt/lib/libQt5Gui.so.5
#2  0x00007fff9f8bd811 in QBitmap::fromData(QSize const&, unsigned char const*, QImage::Format) () from /usr/local/lib64/python3.6/site-packages/PySide2/Qt/lib/libQt5Gui.so.5
#3  0x00007fff9dfe5da5 in Sbk_QBitmapFunc_fromData () from /usr/local/lib64/python3.6/site-packages/PySide2/QtGui.abi3.so
#4  0x00007ffff79997e7 in _PyCFunction_FastCallDict () from /lib64/libpython3.6m.so.1.0
#5  0x00007ffff7a0514f in call_function () from /lib64/libpython3.6m.so.1.0
#6  0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#7  0x00007ffff7a0626a in _PyFunction_FastCallDict () from /lib64/libpython3.6m.so.1.0
#8  0x00007ffff795bd9e in _PyObject_FastCallDict () from /lib64/libpython3.6m.so.1.0
#9  0x00007ffff795beb1 in _PyObject_Call_Prepend () from /lib64/libpython3.6m.so.1.0
#10 0x00007ffff795bb23 in PyObject_Call () from /lib64/libpython3.6m.so.1.0
#11 0x00007ffff79aec75 in slot_tp_init () from /lib64/libpython3.6m.so.1.0
#12 0x00007ffff79ab632 in type_call () from /lib64/libpython3.6m.so.1.0
#13 0x00007ffff795bd20 in _PyObject_FastCallDict () from /lib64/libpython3.6m.so.1.0
#14 0x00007ffff7a052fc in call_function () from /lib64/libpython3.6m.so.1.0
#15 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#16 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#17 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#18 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#19 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#20 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#21 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#22 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#23 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#24 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#25 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#26 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#27 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#28 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#29 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#30 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#31 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#32 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#33 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#34 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#35 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#36 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#37 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#38 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#39 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#40 0x00007ffff7a044f9 in _PyEval_EvalCodeWithName () from /lib64/libpython3.6m.so.1.0
#41 0x00007ffff7a04fea in fast_function () from /lib64/libpython3.6m.so.1.0
#42 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#43 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#44 0x00007ffff7a04f3a in fast_function () from /lib64/libpython3.6m.so.1.0
#45 0x00007ffff7a05273 in call_function () from /lib64/libpython3.6m.so.1.0
#46 0x00007ffff79f9a17 in _PyEval_EvalFrameDefault () from /lib64/libpython3.6m.so.1.0
#47 0x00007ffff7a055ed in PyEval_EvalCodeEx () from /lib64/libpython3.6m.so.1.0
#48 0x00007ffff7a0610b in PyEval_EvalCode () from /lib64/libpython3.6m.so.1.0
#49 0x00007ffff7a8e53e in run_mod () from /lib64/libpython3.6m.so.1.0
#50 0x00007ffff793ab0d in PyRun_FileExFlags () from /lib64/libpython3.6m.so.1.0
#51 0x00007ffff793aedf in PyRun_SimpleFileExFlags () from /lib64/libpython3.6m.so.1.0
#52 0x00007ffff7a94a32 in Py_Main () from /lib64/libpython3.6m.so.1.0
#53 0x0000000000400ab9 in main ()
(gdb)

lls115, Dec 27 '21 02:12

Thanks for your report.

The segfault appears to be in Qt. That said, maybe we are passing bad stuff to it.

Need more information:

  • Which RDP client (OS, version)
  • Which RDP server (OS, version)
  • Command line used to generate the bug
  • Can you provide a pcap that reproduces the issue?

obilodeau, Dec 27 '21 06:12
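One way to answer "are we passing bad stuff to it" without Qt in the loop: check that the glyph's byte buffer can actually back a byte-aligned Format_Mono bitmap of the announced size (what QBitmap.fromData reads), and decode it to text to see what the cache entry contains. This is an added example, not pyrdp's code; the width, height and bytes are the ones printed in the report above, and the MSB-first bit order is that of QImage.Format_Mono.

```python
# Added example (not pyrdp code): validate and decode a 1-bpp glyph before it
# reaches Qt. Sizes and bytes below are the ones dumped in the bug report.

def mono_stride(width: int) -> int:
    """Bytes per scanline for a 1-bit-per-pixel, byte-aligned bitmap."""
    return (width + 7) // 8


def check_mono_glyph(width: int, height: int, data: bytes) -> int:
    """Return the byte count a width x height mono bitmap needs, or raise
    ValueError if the buffer is too small to be read safely as that bitmap."""
    if width <= 0 or height <= 0:
        raise ValueError(f"bad glyph size {width}x{height}")
    needed = mono_stride(width) * height
    if len(data) < needed:
        raise ValueError(f"glyph {width}x{height} needs {needed} bytes, got {len(data)}")
    return needed


def decode_mono_glyph(width: int, height: int, data: bytes) -> list:
    """Render a Format_Mono glyph as rows of '#' (set) and '.' (clear).
    Format_Mono stores the leftmost pixel in the most significant bit."""
    check_mono_glyph(width, height, data)
    stride = mono_stride(width)
    rows = []
    for y in range(height):
        row = data[y * stride:(y + 1) * stride]
        bits = "".join(f"{b:08b}" for b in row)[:width]  # drop pad bits
        rows.append(bits.replace("1", "#").replace("0", "."))
    return rows


# Constructed from the values printed in the report: QSize(6, 8) and the data bytes.
REPORTED_GLYPH = (6, 8, b"\xfc\xfc\xfcxxxxx")

if __name__ == "__main__":
    w, h, data = REPORTED_GLYPH
    needed = check_mono_glyph(w, h, data)
    print(f"{w}x{h} glyph: {needed} bytes required, {len(data)} present")
    print("\n".join(decode_mono_glyph(w, h, data)))
```

For the reported glyph the check passes (8 bytes for 6x8) and the decode is a plausible character shape, which is consistent with the reporter's later finding that the missing QApplication, not the glyph data, was the trigger.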

i = QImage(glyph.data, self.w, self.h, QImage.Format_Mono)
self.bitmap = QPixmap.fromImageInPlace(i)
#self.bitmap = QBitmap.fromData(QSize(self.w, self.h), glyph.data, QImage.Format_Mono)

With the above code, I get an error "QPixmap: Must construct a QGuiApplication before a QPixmap".

So I added "app = QApplication(sys.argv)" in main(), and the problem is resolved. Also with

#i = QImage(glyph.data, self.w, self.h, QImage.Format_Mono)
#self.bitmap = QPixmap.fromImageInPlace(i)
self.bitmap = QBitmap.fromData(QSize(self.w, self.h), glyph.data, QImage.Format_Mono)

lls115, Dec 27 '21 06:12

i = QImage(glyph.data, self.w, self.h, QImage.Format_Mono)
self.bitmap = QPixmap.fromImageInPlace(i)
#self.bitmap = QBitmap.fromData(QSize(self.w, self.h), glyph.data, QImage.Format_Mono)

With the above code, I get an error "QPixmap: Must construct a QGuiApplication before a QPixmap".

So I added "app = QApplication(sys.argv)" in main(), and the problem is resolved. Also with

#i = QImage(glyph.data, self.w, self.h, QImage.Format_Mono)
#self.bitmap = QPixmap.fromImageInPlace(i)
self.bitmap = QBitmap.fromData(QSize(self.w, self.h), glyph.data, QImage.Format_Mono)

Thank you

securityRoad, Dec 27 '21 10:12

I investigated this a little bit more today and I'm not willing to blindly integrate the suggested fix without context.

  • Python version
  • PySide version
  • Steps to reproduce

Thanks

obilodeau, Jan 07 '22 18:01

I think I can finally reproduce this bug here with the replay file provided in #428

obilodeau, Dec 19 '22 22:12

Likely fixed with #429. Please re-open if it's not the case.

obilodeau, Dec 20 '22 21:12