
qtdoc invalid memory access in HtmlGenerator::highlightedCode()


Details

    • Type: Bug
    • Resolution: Done
    • Priority: P2: Important
    • Fix Version/s: 5.6.0 RC
    • Affects Version/s: 5.3.2, 5.4.1
    • Component/s: Build tools: qdoc
    • Labels: None
    • Environment: OpenBSD/amd64-CURRENT
    • Commits: fd4f9867ee07d80f04eec6bf789a96b636c00bba

    Description

      In line 3381 of htmlgenerator.cpp, the QStringRef() object is created without a check that "src" really contains i+tag.length() characters. This would not cause problems in char-by-char comparison, as the strings are NUL-terminated; but the ucstrncmp() implementation uses SSE (or whatever) instructions to load many bytes at once, resulting in accessing data past the ending NUL. This, obviously, could result in a crash.

      On OpenBSD, malloc() tries to expose such bugs by putting small allocations near the end of allocated memory page. I suspect this is the reason the bug wasn't found earlier on other OSes.

      The attached patch resolves the issue.
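The over-read pattern the report describes, shown as an added example that is not qdoc's code or the attached patch: std::u16string / std::u16string_view stand in for QString / QStringRef, and tagAtUnchecked, tagAtChecked and countTags are hypothetical names. The unchecked form builds a view of tag.size() code units at offset i whether or not that many remain; the checked form refuses to build the view unless the whole tag fits.

```cpp
#include <cstddef>
#include <string>
#include <string_view>

using u16sv = std::u16string_view;

// Unchecked form (the bug): the view always spans tag.size() code units
// starting at i. When fewer than tag.size() units remain in src, the view
// covers memory past the end of the string. A byte-by-byte compare would
// stop at the first mismatch or NUL, but a vectorised compare that loads
// whole blocks reads past the allocation, which is what crashes on an
// allocator that places small blocks at the end of a page.
bool tagAtUnchecked(const std::u16string& src, std::size_t i, u16sv tag) {
    u16sv candidate(src.data() + i, tag.size());   // no bounds check
    return candidate == tag;
}

// Checked form (the fix): verify that i + tag.size() characters exist
// before any substring object is created. Written with a subtraction so
// that i + tag.size() cannot overflow.
bool tagAtChecked(const std::u16string& src, std::size_t i, u16sv tag) {
    if (i > src.size() || src.size() - i < tag.size())
        return false;                               // tag cannot fit here
    return u16sv(src.data() + i, tag.size()) == tag;
}

// A scanning loop like the one in a code highlighter: every offset is
// probed, so the last few offsets legitimately have fewer than tag.size()
// units left and would hit the over-read with the unchecked form.
std::size_t countTags(const std::u16string& src, u16sv tag) {
    std::size_t n = 0;
    for (std::size_t i = 0; i < src.size(); ++i)
        if (tagAtChecked(src, i, tag))
            ++n;
    return n;
}

int main() {
    // Constructed sample input in the style of qdoc's highlight markup.
    const std::u16string src = u"<@type>int</@type> x; <@type>long</@type> y;";
    return countTags(src, u"<@type>") == 2 ? 0 : 1;
}
```

Running the scan under AddressSanitizer with tagAtUnchecked in place of tagAtChecked is the quickest way to reproduce the read past the buffer on platforms whose allocator does not expose it.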


People

    Martin Smith (Qt)
    Vadim Zhukov
