Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: P2: Important
Fix Version/s: 5.6.0 RC
Affects Version/s: 5.3.2, 5.4.1
Component/s: Build tools: qdoc
Labels:
None
Environment:
OpenBSD/amd64-CURRENT

Commits:
fd4f9867ee07d80f04eec6bf789a96b636c00bba

Description

In line 3381 of htmlgenerator.cpp, the QStringRef() object is created without a check that "src" really contains i+tag.length() characters. This would not cause problems in char-by-char comparision, as the strings are NUL-terminated; but ucstrncmp() implementation uses SSE (or whatever) instructions to load many bytes at once, resulting in accessing data past the ending NUL. This, obviously, could result in a crash.

On OpenBSD, malloc() tries to expose such bugs by putting small allocations near the end of allocated memory page. I suspect this is the reason the bug wasn't found earlier on other OSes.

The attached patch resolves the issue.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

patch-htmlgenerator_cpp
0.7 kB
16 Apr '15 18:33

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

For Gerrit Dashboard: QTBUG-45643
#	Subject	Branch	Project	Status	CR	V
113202,5	qdoc: fix invalid memory access in HtmlGenerator	dev	qt/qtbase	Status: MERGED	+2	0

Activity

People

Assignee:: Martin Smith (Qt)

Reporter:: Vadim Zhukov

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 16 Apr '15 18:33

Updated:: 16 Feb '16 10:12

Resolved:: 28 May '15 09:25

Gerrit Reviews

There are no open Gerrit changes

Show There is 1 closed Gerrit change

Hide There is 1 closed Gerrit change

qdoc: fix invalid memory access in HtmlGenerator: Gerrit Review: