Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-120331

rendering svg causes int overflows in blend_vertical_gradient_argb

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • P1: Critical
    • 6.7.1, 6.8.0 FF
    • 6.2.0, dev
    • SVG Support
    • Ubuntu 22.04 LTS
      clang 14.0.0
    • ade33a914 (dev), f02ccd86c (6.7)

    Description

      1. Have a build of Qt configured with "-sanitize undefined".
      2. Build the attached project with that.
      3. Run the resulting binary with the attached svg file as parameter.
        The sanitizer will show overflows: 
        /home/qtrob/dev/src/qt-dev_12.21-base_imageformats_svg/qtbase/src/gui/painting/qdrawhelper.cpp:4993:19: runtime error: 6,4521e+09 is outside the range of representable values of type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/qtrob/dev/src/qt-dev_12.21-base_imageformats_svg/qtbase/src/gui/painting/qdrawhelper.cpp:4993:19 in 
/home/qtrob/dev/src/qt-dev_12.21-base_imageformats_svg/qtbase/src/gui/painting/qdrawhelper.cpp:5001:59: runtime error: signed integer overflow: -27763137 * 232 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/qtrob/dev/src/qt-dev_12.21-base_imageformats_svg/qtbase/src/gui/painting/qdrawhelper.cpp:5001:59 in 
/home/qtrob/dev/src/qt-dev_12.21-base_imageformats_svg/qtbase/src/gui/painting/qdrawhelper.cpp:5001:63: runtime error: signed integer overflow: -2146080488 + -2147483648 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/qtrob/dev/src/qt-dev_12.21-base_imageformats_svg/qtbase/src/gui/painting/qdrawhelper.cpp:5001:63 i

      Google's oss-fuzz found this as issue 63392. Their report is public. It went to "Verified" state in November but I can still reproduce the issue with Qt's latest sources.

      Attachments

        1. 63392.svg
          0.1 kB
        2. CMakeLists.txt
          0.4 kB
        3. main.cpp
          0.4 kB
        For Gerrit Dashboard: QTBUG-120331
        # Subject Branch Project Status CR V
        556105,1 Avoid overflows in gradient calculations tqtc/lts-6.5 qt/tqtc-qtbase Status: NEW +2 0
        556967,1 fuzzing: Add svg file which triggered integer overflow dev qt/qtqa Status: NEW +1 0
        543578,4 Avoid overflows in gradient calculations dev qt/qtbase Status: MERGED +2 0
        555903,2 Avoid overflows in gradient calculations 6.7 qt/qtbase Status: MERGED +2 0

        Activity

          People

            vgt Eirik Aavitsland
            rlohning Robert Löhning
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are 2 open Gerrit changes