Qt / QTBUG-28324

Possible segfault in QRasterPaintEnginePrivate::drawImage()


Details

    • 52619ae7787b3c4febb73a02afa623b12edabc97

    Description

      Many gui/widget unit tests crash due to this buffer overflow in qt_blend_argb32_on_argb32_ssse3.

      ==27512== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f43dd73da20 at pc 0x7f43fec8718b bp 0x7fff10f6d490 sp 0x7fff10f6d488
      
      READ of size 16 at 0x7f43dd73da20 thread T0
          #0 0x7f43fec8718a in qt_blend_argb32_on_argb32_ssse3(unsigned char*, int, unsigned char const*, int, int, int, int) qdrawhelper_ssse3.cpp:159
          #1 0x7f43fff7be29 in QRasterPaintEnginePrivate::drawImage(QPointF const&, QImage const&, void (*)(unsigned char*, int, unsigned char const*, int, int, int, int), QRect const&, int, QRect const&) qpaintengine_raster.cpp:1047
          #2 0x7f43fffb1fdf in QRasterPaintEngine::drawImage(QPointF const&, QImage const&) qpaintengine_raster.cpp:2163
          #3 0x7f43fffaa837 in QRasterPaintEngine::drawPixmap(QPointF const&, QPixmap const&) qpaintengine_raster.cpp:2049
          #4 0x7f44000776c3 in QPainter::drawPixmap(QPointF const&, QPixmap const&) qpainter.cpp:5047
          #5 0x7f44017c6b96 in QPainter::drawPixmap(QPoint const&, QPixmap const&) qpainter.h:778
          #6 0x7f4401d7143e in QGtk2Painter::paintFocus(_GtkWidget*, char const*, QRect const&, GtkStateType, _GtkStyle*, QString const&) qgtk2painter.cpp:449
          #7 0x7f4401d25fc9 in QGtkStyle::drawControl(QStyle::ControlElement, QStyleOption const*, QPainter*, QWidget const*) const qgtkstyle.cpp:3393
          #8 0x7f4401f3fe23 in QStylePainter::drawControl(QStyle::ControlElement, QStyleOption const&) qstylepainter.h:88
          #9 0x7f44023b0ae8 in QPushButton::paintEvent(QPaintEvent*) qpushbutton.cpp:457
          #10 0x7f440178edec in QWidget::event(QEvent*) qwidget.cpp:7990
          #11 0x7f4401e63939 in QAbstractButton::event(QEvent*) qabstractbutton.cpp:1081
          #12 0x7f44023b4b65 in QPushButton::event(QEvent*) qpushbutton.cpp:681
          #13 0x7f440150127a in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3352
          #14 0x7f440151a99c in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3317
          #15 0x7f43fdb906a0 in QCoreApplication::notifyInternal(QObject*, QEvent*) qcoreapplication.cpp:767
          #16 0x7f44015346de in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) qcoreapplication.h:206
          #17 0x7f4401764022 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) qwidget.cpp:5094
          #18 0x7f4401767d58 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) qwidget.cpp:5287
          #19 0x7f44017651e0 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) qwidget.cpp:5143
          #20 0x7f4401767d58 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) qwidget.cpp:5287
          #21 0x7f44017651e0 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) qwidget.cpp:5143
          #22 0x7f440159d7d4 in QWidgetBackingStore::sync() qwidgetbackingstore.cpp:1090
          #23 0x7f4401724413 in QWidgetPrivate::syncBackingStore() qwidget.cpp:1663
          #24 0x7f4401790815 in QWidget::event(QEvent*) qwidget.cpp:8128
          #25 0x7f4402859544 in QMessageBox::event(QEvent*) qmessagebox.cpp:1232
          #26 0x7f440150127a in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3352
          #27 0x7f440151a99c in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3317
          #28 0x7f43fdb906a0 in QCoreApplication::notifyInternal(QObject*, QEvent*) qcoreapplication.cpp:767
          #29 0x7f43fdbacd59 in QCoreApplication::sendEvent(QObject*, QEvent*) qcoreapplication.h:203
          #30 0x7f43fdb998ce in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) qcoreapplication.cpp:1368
          #31 0x7f43fdb94620 in QCoreApplication::sendPostedEvents(QObject*, int) qcoreapplication.cpp:1228
          #32 0x7f43fdffd31b in postEventSourceDispatch(_GSource*, int (*)(void*), void*) qeventdispatcher_glib.cpp:278
          #33 0x7f43fb414d52 in ?? ??:0
      0x7f43dd73da20 is located 0 bytes to the right of 6636-byte region [0x7f43dd73c040,0x7f43dd73da2c)
      
      allocated by thread T0 here:
          #0 0x44896a in __interceptor_malloc _asan_rtl_
          #1 0x7f43ff060d76 in QImageData::create(QSize const&, QImage::Format, int) qimage.cpp:169
          #2 0x7f43ff063f48 in QImage qimage.cpp:743
          #3 0x7f43ff06997e in QImage::copy(QRect const&) const qimage.cpp:1114
          #4 0x7f4401d5e8f3 in QGtk2Painter::renderTheme(unsigned char*, unsigned char*, QRect const&) const qgtk2painter.cpp:162
          #5 0x7f4401d710da in QGtk2Painter::paintFocus(_GtkWidget*, char const*, QRect const&, GtkStateType, _GtkStyle*, QString const&) qgtk2painter.cpp:439
          #6 0x7f4401d25fc9 in QGtkStyle::drawControl(QStyle::ControlElement, QStyleOption const*, QPainter*, QWidget const*) const qgtkstyle.cpp:3393
          #7 0x7f4401f3fe23 in QStylePainter::drawControl(QStyle::ControlElement, QStyleOption const&) qstylepainter.h:88
          #8 0x7f44023b0ae8 in QPushButton::paintEvent(QPaintEvent*) qpushbutton.cpp:457
      
      Shadow byte and word:
        0x1fe87bae7b44: 0
        0x1fe87bae7b40: 00 00 00 00 00 04 fb fb
      More shadow bytes:
        0x1fe87bae7b20: 00 00 00 00 00 00 00 00
        0x1fe87bae7b28: 00 00 00 00 00 00 00 00
        0x1fe87bae7b30: 00 00 00 00 00 00 00 00
        0x1fe87bae7b38: 00 00 00 00 00 00 00 00
      =>0x1fe87bae7b40: 00 00 00 00 00 04 fb fb
        0x1fe87bae7b48: fa fa fa fa fa fa fa fa
        0x1fe87bae7b50: fa fa fa fa fa fa fa fa
        0x1fe87bae7b58: fa fa fa fa fa fa fa fa
        0x1fe87bae7b60: fa fa fa fa fa fa fa fa
      ==27512== ABORTING
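The report shows a 16-byte read starting 6624 bytes into a 6636-byte region, so the load runs 4 bytes past the end, which the shadow byte 04 (only 4 of the last 8 bytes addressable) confirms. The C program below is an added illustration, not Qt's qt_blend_argb32_on_argb32_ssse3 or its fix: it derives that overrun from the report's numbers and shows a row blend that processes 4 pixels (16 bytes) per iteration only while a whole chunk remains, finishing the tail pixel by pixel so no load touches bytes past the row. The source-over formula, function names and constructed pixel values are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Bytes a load of load_len at byte offset off reads past a region_len region. */
size_t overrun_bytes(size_t region_len, size_t off, size_t load_len)
{
    return off + load_len > region_len ? off + load_len - region_len : 0;
}

/* Premultiplied ARGB32 source-over for one pixel (my scalar reference formula). */
static uint32_t blend_pixel(uint32_t d, uint32_t s)
{
    uint32_t sa = s >> 24, ia = 255 - sa, r = 0;
    if (sa == 255) return s;
    if (sa == 0) return d;
    for (int sh = 0; sh < 32; sh += 8) {
        uint32_t c = ((s >> sh) & 0xff) + (((d >> sh) & 0xff) * ia + 127) / 255;
        r |= (c > 255 ? 255 : c) << sh;
    }
    return r;
}

/* Blend a row of w pixels: the 4-pixel (16-byte) body runs only while a whole
 * chunk remains; 1..3 leftover pixels use the scalar tail. Returns chunks done. */
size_t blend_row_argb32(uint32_t *dst, const uint32_t *src, size_t w)
{
    size_t x = 0, chunks = 0;
    for (; x + 4 <= w; x += 4, ++chunks) {
        uint32_t s4[4], d4[4];             /* stand-in for one 16-byte vector load */
        memcpy(s4, src + x, 16);
        memcpy(d4, dst + x, 16);
        for (int i = 0; i < 4; ++i) d4[i] = blend_pixel(d4[i], s4[i]);
        memcpy(dst + x, d4, 16);
    }
    for (; x < w; ++x)
        dst[x] = blend_pixel(dst[x], src[x]);
    return chunks;
}

/* Self-check on constructed input: opaque black under half-transparent red must
 * give 0xff400000 for every pixel, tail included, with exactly w/4 chunks run. */
int blend_row_selftest(size_t w)
{
    uint32_t dst[16], src[16];
    if (w > 16) return 0;
    for (size_t i = 0; i < w; ++i) { dst[i] = 0xff000000u; src[i] = 0x80400000u; }
    if (blend_row_argb32(dst, src, w) != w / 4) return 0;
    for (size_t i = 0; i < w; ++i) if (dst[i] != 0xff400000u) return 0;
    return 1;
}
```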
      

          People

            rodal Samuel Rødal
            syntheticpp Peter Kümmel
            Votes: 1
            Watchers: 8

