
QTranslator: match() buffer overflow

Details

    • Bug
    • Resolution: Done
    • P2: Important
    • 5.4.1
    • 5.3.0
    • Core: Locales (i18n)
    • None
    • openSUSE Linux 13.1, Qt 5.3.0
    • 247607a1af0253576b3330075fdcbb3d5c4cca00

    Description

      When built with clang's address sanitizer a buffer overflow in QTranslator can be seen, depending on the respective string data. E.g.:

      ==21091==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7ffff600c010 at pc 0x41a324 bp 0x7fffffff5820 sp 0x7fffffff57e8
      READ of size 22 at 0x7ffff600c010 thread T0
          #0 0x41a323 in memcmp /home/abuild/rpmbuild/BUILD/llvm-3.3/projects/compiler-rt/lib/asan/asan_interceptors.cc:283
          #1 0x7ffff26eb4ac in match(unsigned char const*, char const*, unsigned int) (/opt/Qt/lib/libQt5Core.so.5+0x3234ac)
          #2 0x7ffff26edea5 in getMessage(unsigned char const*, unsigned char const*, char const*, char const*, char const*, unsigned int) (/opt/Qt/lib/libQt5Core.so.5+0x325ea5)
          #3 0x7ffff26ee4bc in QTranslatorPrivate::do_translate(char const*, char const*, char const*, int) const (/opt/Qt/lib/libQt5Core.so.5+0x3264bc)
          #4 0x7ffff26ee94d in QTranslator::translate(char const*, char const*, char const*, int) const (/opt/Qt/lib/libQt5Core.so.5+0x32694d)
          #5 0x7ffff269f892 in QCoreApplication::translate(char const*, char const*, char const*, int) (/opt/Qt/lib/libQt5Core.so.5+0x2d7892)
          #6 0x7ffff5d57c46 in Ui_BookmarksWidget::retranslateUi(QWidget*) /home/weinhold/workspace/build-AutentApp2-Clang_Debug-Default/src/gui/ui_BookmarksWidget.h:91
          #7 0x7ffff5d41a80 in Ui_BookmarksWidget::setupUi(QWidget*) /home/weinhold/workspace/build-AutentApp2-Clang_Debug-Default/src/gui/ui_BookmarksWidget.h:84
      [...]
      0x7ffff600c010 is located 48 bytes to the left of global variable '.str29' from '/home/weinhold/.ccache/tmp/BookmarksW.tmp.linux-hcxu.site.18276.ii' (0x7ffff600c040) of size 5
        '.str29' is ascii string 'Form'
      0x7ffff600c010 is located 0 bytes to the right of global variable '.str28' from '/home/weinhold/.ccache/tmp/BookmarksW.tmp.linux-hcxu.site.18276.ii' (0x7ffff600c000) of size 16
        '.str28' is ascii string 'BookmarksWidget'
      SUMMARY: AddressSanitizer: global-buffer-overflow /home/abuild/rpmbuild/BUILD/llvm-3.3/projects/compiler-rt/lib/asan/asan_interceptors.cc:283 memcmp
      

      Stepping with a debugger into the match() function I get the following stack trace:

      #0  match (found=0x7fffe4463413 "QPrintPropertiesWidget\001\003", target=0x7ffff600c000 "BookmarksWidget", len=22) at kernel/qtranslator.cpp:101
      No locals.
      #1  0x00007ffff26edea6 in getMessage (m=0x7fffe4463413 "QPrintPropertiesWidget\001\003", end=0x7fffe4473eb2 "\210", context=0x7ffff600c000 "BookmarksWidget", sourceText=0x7ffff600c040 "Form", comment=0x7ffff282af2c "", numerus=4294967295) at kernel/qtranslator.cpp:923
              len = 22
              tag = 7 '\a'
              tn = 0x7fffe44633f0 ""
              tn_length = 16
              str = {static null = {<No data fields>}, d = 0x7ffff7fbb7c8}
      #2  0x00007ffff26ee4bd in QTranslatorPrivate::do_translate (this=0x611000030740, context=0x7ffff600c000 "BookmarksWidget", sourceText=0x7ffff600c040 "Form", comment=0x7ffff282af2c "", n=-1) at kernel/qtranslator.cpp:1032
              rh = 317069
              ro = 83633
              tn = {static null = {<No data fields>}, d = 0x7ffff27793e0 <QArrayData::shared_null>}
              h = 317069
              start = 0x7fffe444c2e5 ""
              end = 0x7fffe444c5a5 ""
              numerus = 0
              numItems = 1444
      #3  0x00007ffff26ee94e in QTranslator::translate (this=0x60200001f270, context=0x7ffff600c000 "BookmarksWidget", sourceText=0x7ffff600c040 "Form", disambiguation=0x0, n=-1) at kernel/qtranslator.cpp:1109
              d = 0x611000030740
      #4  0x00007ffff269f893 in QCoreApplication::translate (context=0x7ffff600c000 "BookmarksWidget", sourceText=0x7ffff600c040 "Form", disambiguation=0x0, n=-1) at kernel/qcoreapplication.cpp:1899
              it = {i = 0x606000020560}
              translationFile = 0x60200001f270
              result = {static null = {<No data fields>}, d = 0x7ffff27793e0 <QArrayData::shared_null>}
      #5  0x00007ffff5d57c47 in Ui_BookmarksWidget::retranslateUi (this=0x606000032b40, BookmarksWidget=0x60b00002fcc0) at /home/weinhold/workspace/build-AutentApp2-Clang_Debug-Default/src/gui/ui_BookmarksWidget.h:91
      No locals.
      #6  0x00007ffff5d41a81 in Ui_BookmarksWidget::setupUi (this=0x606000032b40, BookmarksWidget=0x60b00002fcc0) at /home/weinhold/workspace/build-AutentApp2-Clang_Debug-Default/src/gui/ui_BookmarksWidget.h:84
      No locals.
      

      match() is invoked with len = 22 and target = "BookmarksWidget" which is only 16 bytes long including the terminating null char. Therefore the memcmp() reads past the end of the string. The memcmp() should be replaced by a strncmp() to remedy the issue.
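      An added example (not Qt's code and not the reporter's) that puts the reported memcmp() shape beside the strncmp() remedy and a length-aware variant, plus a bounds-checked reader for a length-prefixed entry modeled on the layout getMessage() walks; the entry layout, the sample bytes and all function names are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Shape of the reported match(): `len` comes from the translation data, `target`
 * is a NUL-terminated string from the program. If len > strlen(target)+1, memcmp
 * reads past the end of target (the 22-byte read of 16-byte "BookmarksWidget"). */
static int match_memcmp(const unsigned char *found, const char *target, size_t len)
{
    return memcmp(found, target, len) == 0;
}

/* Reporter's remedy: strncmp stops at target's NUL, so it cannot over-read target.
 * Caveat: a `found` that is a proper prefix of `target` still compares equal. */
static int match_strncmp(const unsigned char *found, const char *target, size_t len)
{
    return strncmp((const char *)found, target, len) == 0;
}

/* Length-aware form: lengths must agree before any byte is compared, which rules
 * out both the over-read and the prefix false positive. */
static int match_checked(const unsigned char *found, size_t found_len, const char *target)
{
    return found_len == strlen(target) && memcmp(found, target, found_len) == 0;
}

/* One length-prefixed entry (assumed layout: 4-byte big-endian length, then bytes).
 * Fails when the stored length would run past `end`, so the data cannot be over-read. */
static int read_entry(const unsigned char *p, const unsigned char *end,
                      const unsigned char **bytes, size_t *len)
{
    if (end - p < 4) return 0;
    uint32_t n = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    if ((size_t)(end - p - 4) < n) return 0;
    *bytes = p + 4;
    *len = n;
    return 1;
}

/* Constructed sample data: a valid 9-byte entry, then one claiming 40 bytes. */
static const unsigned char sample[] = {
    0, 0, 0, 9, 'B','o','o','k','m','a','r','k','s', 0, 0, 0, 40, 'X' };

/* 1 if the first entry parses and the truncated second entry is rejected. */
static int sample_truncated_entry_rejected(void)
{
    const unsigned char *end = sample + sizeof sample, *bytes; size_t len;
    if (!read_entry(sample, end, &bytes, &len) || len != 9) return 0;
    return !read_entry(bytes + len, end, &bytes, &len);
}
```

      Note that match_strncmp() with the 9-byte entry "Bookmarks" against "BookmarksWidget" reports a match, while match_checked() does not; the length check is what makes the comparison exact.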

    People

      tsdgeos Albert Astals Cid
      bonefish Ingo Weinhold