Details
- Bug
- Resolution: Done
- P2: Important
- 5.3.2, 5.4.1
- None
- OpenBSD/amd64-CURRENT
- fd4f9867ee07d80f04eec6bf789a96b636c00bba
Description
In line 3381 of htmlgenerator.cpp, the QStringRef() object is created without a check that "src" really contains i+tag.length() characters. This would not cause problems in a char-by-char comparison, because the strings are NUL-terminated; but the ucstrncmp() implementation uses SSE (or whatever) instructions to load many bytes at once, so it reads data past the terminating NUL. This, obviously, could result in a crash.
On OpenBSD, malloc() tries to expose such bugs by putting small allocations near the end of allocated memory page. I suspect this is the reason the bug wasn't found earlier on other OSes.
The attached patch resolves the issue.
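To show the shape of the defect and its fix independently of Qt, here is an added example (not Qt's code and not the attached patch). The hypothetical functions tag_at_unchecked() and tag_at_checked() stand in for building a substring reference at offset i and comparing it with a length-based routine such as ucstrncmp(), which reads all tag.size() bytes whether or not src is NUL-terminated; the hardened form verifies the range before the reference is constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <string_view>

// Models the reported bug (hypothetical stand-in, not Qt code): a view of
// exactly tag.size() bytes is built at offset i with no check that src has
// that many characters left. A length-based comparison then reads all
// tag.size() bytes, so when i + tag.size() > src.size() it runs past the
// end of src's buffer. Defined for illustration only; never call it with
// an out-of-range i.
bool tag_at_unchecked(const std::string& src, std::size_t i,
                      std::string_view tag) {
    std::string_view ref(src.data() + i, tag.size());
    return ref == tag;
}

// Hardened form: confirm the requested range lies inside src before the
// reference exists. Comparing the remaining length instead of computing
// i + tag.size() also avoids an unsigned wrap-around for huge i.
bool tag_at_checked(const std::string& src, std::size_t i,
                    std::string_view tag) {
    if (i > src.size() || src.size() - i < tag.size())
        return false;  // not enough characters left to hold the tag
    std::string_view ref(src.data() + i, tag.size());
    return ref == tag;
}

int main() {
    // Constructed sample input: a closing tag near the end of the text.
    const std::string src = "<b>bold</b>";
    std::printf("tag at 7: %d\n", tag_at_checked(src, 7, "</b>"));   // 1
    std::printf("tag at 9: %d\n", tag_at_checked(src, 9, "</b>"));   // 0: only 2 chars left
    std::printf("tag at 20: %d\n", tag_at_checked(src, 20, "</b>")); // 0: offset past the end
    return 0;
}
```

The checked version fails closed: an offset with fewer than tag.size() characters remaining is simply "no match", which is the behaviour the comparison at line 3381 needs before the QStringRef is built.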