[kate] [Bug 505044] New: kate crashes on malformed LSP server messages (completion item)

Sat, 31 May 2025 01:53:57 -0700 

https://bugs.kde.org/show_bug.cgi?id=505044

            Bug ID: 505044
           Summary: kate crashes on malformed LSP server messages
                    (completion item)
    Classification: Applications
           Product: kate
      Version First 25.04.0
       Reported In:
          Platform: Debian testing
                OS: All
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: application
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Created attachment 181916
  --> https://bugs.kde.org/attachment.cgi?id=181916&action=edit
gdb bt output

SUMMARY
It is possible to trigger an a ASSERT via rapidjson in parseCompletionItem from
 ./addons/lspclient/lspclientserver.cpp (specifically, on this line
https://sources.debian.org/src/kate/4%3A25.04.0-1/addons/lspclient/lspclientserver.cpp/#L779;
I am using the Debian version of kate)


The `FindMember` of rapidjson has as a precondition that the value must be an
object or otherwise it will assert
(https://salsa.debian.org/debian/rapidjson/-/blob/master/include/rapidjson/document.h#L1139).
In other words, it falls to the LSP client plugin to ensure that the value is
an object before calling `FindMember`.

I found this bug while working on a language server. By mistake, I included a
string in a list of completion items (rather than a real CompletionItem object)
and then kate crashed on triggering the completion. I have included the
backtrace from gdb, so you can see the crash call stack enters rapidJson on
FindMember line from the LSP Client code and there it goes to abort.

STEPS TO REPRODUCE
1. Create a LSP server that does not follow the specs and insert a string
rather than a CompletionItem in the list of completion items when asked for
completions
2. Attach the LSP server to an open document in kate
3. Request completion, which will immediately crash kate.

OBSERVED RESULT
The kate editor crashes.

EXPECTED RESULT
The kate editor did not crash. Probably, the user should be notified that the
LSP server produced unsupported or faulty output (presumably in the LSP Output
tab). But preventing the crash would at least avoid the user losing unsaved
changes.


SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Debian trixie
KDE Plasma Version: 6.3.4
KDE Frameworks Version: 5.15
Qt Version: 6.8.2

ADDITIONAL INFORMATION

-- 
You are receiving this mail because:
You are watching all bug changes.

Reply via email to