Details
- Bug
- Resolution: Done
- P2: Important
- 5.3.0
- None
- openSUSE Linux 13.1
  Qt 5.3.0
- 247607a1af0253576b3330075fdcbb3d5c4cca00
Description
When built with clang's address sanitizer, a buffer overflow in QTranslator can be seen, depending on the respective string data. E.g.:
==21091==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7ffff600c010 at pc 0x41a324 bp 0x7fffffff5820 sp 0x7fffffff57e8
READ of size 22 at 0x7ffff600c010 thread T0
    #0 0x41a323 in memcmp /home/abuild/rpmbuild/BUILD/llvm-3.3/projects/compiler-rt/lib/asan/asan_interceptors.cc:283
    #1 0x7ffff26eb4ac in match(unsigned char const*, char const*, unsigned int) (/opt/Qt/lib/libQt5Core.so.5+0x3234ac)
    #2 0x7ffff26edea5 in getMessage(unsigned char const*, unsigned char const*, char const*, char const*, char const*, unsigned int) (/opt/Qt/lib/libQt5Core.so.5+0x325ea5)
    #3 0x7ffff26ee4bc in QTranslatorPrivate::do_translate(char const*, char const*, char const*, int) const (/opt/Qt/lib/libQt5Core.so.5+0x3264bc)
    #4 0x7ffff26ee94d in QTranslator::translate(char const*, char const*, char const*, int) const (/opt/Qt/lib/libQt5Core.so.5+0x32694d)
    #5 0x7ffff269f892 in QCoreApplication::translate(char const*, char const*, char const*, int) (/opt/Qt/lib/libQt5Core.so.5+0x2d7892)
    #6 0x7ffff5d57c46 in Ui_BookmarksWidget::retranslateUi(QWidget*) /home/weinhold/workspace/build-AutentApp2-Clang_Debug-Default/src/gui/ui_BookmarksWidget.h:91
    #7 0x7ffff5d41a80 in Ui_BookmarksWidget::setupUi(QWidget*) /home/weinhold/workspace/build-AutentApp2-Clang_Debug-Default/src/gui/ui_BookmarksWidget.h:84
    [...]
0x7ffff600c010 is located 48 bytes to the left of global variable '.str29' from '/home/weinhold/.ccache/tmp/BookmarksW.tmp.linux-hcxu.site.18276.ii' (0x7ffff600c040) of size 5
  '.str29' is ascii string 'Form'
0x7ffff600c010 is located 0 bytes to the right of global variable '.str28' from '/home/weinhold/.ccache/tmp/BookmarksW.tmp.linux-hcxu.site.18276.ii' (0x7ffff600c000) of size 16
  '.str28' is ascii string 'BookmarksWidget'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/abuild/rpmbuild/BUILD/llvm-3.3/projects/compiler-rt/lib/asan/asan_interceptors.cc:283 memcmp
Stepping with a debugger into the match() function I get the following stack trace:
#0  match (found=0x7fffe4463413 "QPrintPropertiesWidget\001\003", target=0x7ffff600c000 "BookmarksWidget", len=22) at kernel/qtranslator.cpp:101
No locals.
#1  0x00007ffff26edea6 in getMessage (m=0x7fffe4463413 "QPrintPropertiesWidget\001\003", end=0x7fffe4473eb2 "\210", context=0x7ffff600c000 "BookmarksWidget", sourceText=0x7ffff600c040 "Form", comment=0x7ffff282af2c "", numerus=4294967295) at kernel/qtranslator.cpp:923
        len = 22
        tag = 7 '\a'
        tn = 0x7fffe44633f0 ""
        tn_length = 16
        str = {static null = {<No data fields>}, d = 0x7ffff7fbb7c8}
#2  0x00007ffff26ee4bd in QTranslatorPrivate::do_translate (this=0x611000030740, context=0x7ffff600c000 "BookmarksWidget", sourceText=0x7ffff600c040 "Form", comment=0x7ffff282af2c "", n=-1) at kernel/qtranslator.cpp:1032
        rh = 317069
        ro = 83633
        tn = {static null = {<No data fields>}, d = 0x7ffff27793e0 <QArrayData::shared_null>}
        h = 317069
        start = 0x7fffe444c2e5 ""
        end = 0x7fffe444c5a5 ""
        numerus = 0
        numItems = 1444
#3  0x00007ffff26ee94e in QTranslator::translate (this=0x60200001f270, context=0x7ffff600c000 "BookmarksWidget", sourceText=0x7ffff600c040 "Form", disambiguation=0x0, n=-1) at kernel/qtranslator.cpp:1109
        d = 0x611000030740
#4  0x00007ffff269f893 in QCoreApplication::translate (context=0x7ffff600c000 "BookmarksWidget", sourceText=0x7ffff600c040 "Form", disambiguation=0x0, n=-1) at kernel/qcoreapplication.cpp:1899
        it = {i = 0x606000020560}
        translationFile = 0x60200001f270
        result = {static null = {<No data fields>}, d = 0x7ffff27793e0 <QArrayData::shared_null>}
#5  0x00007ffff5d57c47 in Ui_BookmarksWidget::retranslateUi (this=0x606000032b40, BookmarksWidget=0x60b00002fcc0) at /home/weinhold/workspace/build-AutentApp2-Clang_Debug-Default/src/gui/ui_BookmarksWidget.h:91
No locals.
#6  0x00007ffff5d41a81 in Ui_BookmarksWidget::setupUi (this=0x606000032b40, BookmarksWidget=0x60b00002fcc0) at /home/weinhold/workspace/build-AutentApp2-Clang_Debug-Default/src/gui/ui_BookmarksWidget.h:84
No locals.
match() is invoked with len = 22 and target = "BookmarksWidget" which is only 16 bytes long including the terminating null char. Therefore the memcmp() reads past the end of the string. The memcmp() should be replaced by a strncmp() to remedy the issue.
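The comparison described above, as an added example (constructed for this page, not Qt's own qtranslator.cpp code): the reported memcmp() pattern, a check for when it reads out of bounds, and the NUL-bounded form the report suggests, exercised with the values from gdb frame #0. The names match_memcmp, match_bounded, memcmp_overreads and demo are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Qt's qtranslator.cpp. `found` points at a length-prefixed
 * name inside translation data (not NUL-terminated; `len` comes from the data),
 * `target` is the NUL-terminated context string passed in by the caller. */

/* The reported pattern: memcmp() always touches `len` bytes of `target`, so a
 * target shorter than `len` is read past its terminator (ASAN's finding). */
int match_memcmp(const unsigned char *found, const char *target, unsigned len)
{
    return memcmp(found, target, len) == 0 && target[len] == '\0';
}

/* True when `len` exceeds the storage of `target` (characters plus NUL),
 * i.e. when match_memcmp() would read out of bounds. */
int memcmp_overreads(const char *target, unsigned len)
{
    return (size_t)len > strlen(target) + 1;
}

/* The remedy the report suggests: stop at target's NUL instead of reading a
 * fixed `len` bytes. Written as the loop strncmp() performs so the bound also
 * holds if `found` itself contains a NUL (malformed translation data);
 * strncmp((const char *)found, target, len) == 0 && target[len] == '\0'
 * gives the same answer for well-formed data. */
int match_bounded(const unsigned char *found, const char *target, unsigned len)
{
    for (unsigned i = 0; i < len; ++i) {
        /* target[i] is in bounds: every earlier byte was non-NUL. */
        if (target[i] == '\0' || (unsigned char)target[i] != found[i])
            return 0;
    }
    /* All `len` bytes matched, so target[len] exists (at worst its NUL). */
    return target[len] == '\0';
}

/* Values from the report's gdb frame #0: a 22-byte record compared against
 * the 15-character context "BookmarksWidget" (16 bytes with its NUL). */
int demo(void)
{
    static const unsigned char found[] = "QPrintPropertiesWidget\001\003";
    const char *target = "BookmarksWidget";
    int overread = memcmp_overreads(target, 22);   /* 1: 22 > 16 */
    int hit = match_bounded(found, target, 22);    /* 0, no read past target */
    printf("memcmp would overread: %d, bounded match: %d\n", overread, hit);
    return overread == 1 && hit == 0;
}

int main(void) { return demo() ? 0 : 1; }
```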