Qt / QTBUG-90347

Heap corruption in WebEngineLibraryInfo::isRemoteDrivePath


Details

    • Bug
    • Resolution: Done
    • P1: Critical
    • 5.15.4
    • 5.15.2
    • WebEngine
    • None
    • Windows
    • 3fb215dab139fd7b61473ce3fe1058b87a6b4fe3 (qt/qtwebengine/dev) 9841acdec527749c37f845c5dc6a94a1a4ab3357 (qt/qtwebengine/5.15)

    Description

      There is a heap corruption in WebEngineLibraryInfo::isRemoteDrivePath() (qtwebengine\src\core\web_engine_library_info.cpp @ 368)

      The original code allocates a wide-string buffer and tries to copy a three-character string into it, but there is no room for the null terminator, so it can corrupt the heap (which is the case with our application, which constantly crashes in the destructor of the temporary std::string created by toStdString()):

          WCHAR wDriveLetter[3];
          swprintf(wDriveLetter, L"%S", path.mid(0, 3).toStdString().c_str());
      

      The proposed fix, which has been tested and shown to work, is:

          WCHAR wDriveLetter[4] = { 0 };
          swprintf(wDriveLetter, L"%S", path.mid(0, 3).toStdString().c_str());
      

      This makes enough room for the drive letter (e.g. "C:/").

      The bug is easy to fix but requires rebuilding the library. There is a workaround: disabling sandboxing skips the code path that calls this function, but that can cause other security-related problems.
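      The sizing error above is the classic "no slot for the terminator" off-by-one. The following is an added example, not Qt's code, showing the bounded pattern that avoids it: the required length is computed as prefix length plus one, the copy refuses to proceed when the buffer is too small, and the drive-prefix check uses a 4-slot buffer as in the fix. It assumes an ASCII prefix such as "C:/" and does no multibyte conversion; the helper names are hypothetical.

```cpp
#include <algorithm>
#include <cstddef>
#include <cwchar>
#include <string>

// Slots a wchar_t buffer needs for `count` characters plus the terminator.
// For the 3-character drive prefix this is 4, one more than WCHAR[3] provides.
constexpr std::size_t wideBufferNeeded(std::size_t count) { return count + 1; }

// Copies up to `count` leading characters of `path` into `out`, whose capacity
// is `outLen` wchar_t slots, and always NUL-terminates. Returns false (leaving
// an empty string) if the prefix plus terminator does not fit, instead of
// writing past the end as the unbounded swprintf did.
// Assumes an ASCII prefix such as "C:/"; no multibyte conversion is attempted.
bool copyPrefixW(const std::string& path, std::size_t count,
                 wchar_t* out, std::size_t outLen) {
    if (out == nullptr || outLen == 0) return false;
    const std::size_t n = std::min(count, path.size()); // path may be shorter than count
    if (wideBufferNeeded(n) > outLen) {
        out[0] = L'\0';
        return false;
    }
    for (std::size_t i = 0; i < n; ++i)
        out[i] = static_cast<wchar_t>(static_cast<unsigned char>(path[i]));
    out[n] = L'\0';
    return true;
}

// Mirrors the corrected sizing from the report: a 4-slot buffer for a
// 3-character prefix. Returns true when `path` starts with "X:/" or "X:\".
bool hasDrivePrefix(const std::string& path) {
    wchar_t drive[4] = {};
    if (!copyPrefixW(path, 3, drive, sizeof(drive) / sizeof(drive[0]))) return false;
    return std::wcslen(drive) == 3 && drive[1] == L':' &&
           (drive[2] == L'/' || drive[2] == L'\\');
}
```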

      The commit which introduced the function: https://code.qt.io/cgit/qt/qtwebengine.git/commit/?id=f51f50c22e770e1ab20ecccc8a32906e4014caed

      The relevant stack trace from our application:

          Qt5WebEngineCore_x64d.dll!std::_Container_base12::_Orphan_all() Line 1211	C++
          Qt5WebEngineCore_x64d.dll!std::string::_Tidy_deallocate() Line 4300	C++
          Qt5WebEngineCore_x64d.dll!std::string::~basic_string() Line 2723	C++
          Qt5WebEngineCore_x64d.dll!WebEngineLibraryInfo::isRemoteDrivePath(const QString & path) Line 371	C++
          Qt5WebEngineCore_x64d.dll!`anonymous namespace'::subProcessPath() Line 188	C++
          Qt5WebEngineCore_x64d.dll!WebEngineLibraryInfo::getPath(int key) Line 315	C++
          Qt5WebEngineCore_x64d.dll!QtWebEngineCore::WebEngineContext::WebEngineContext() Line 581	C++
          Qt5WebEngineCore_x64d.dll!QtWebEngineCore::WebEngineContext::current() Line 433	C++
          Qt5WebEngineCore_x64d.dll!QtWebEngineCore::WebContentsAdapter::WebContentsAdapter() Line 456	C++
          Qt5WebEngineWidgets_x64d.dll!QSharedPointer<QtWebEngineCore::WebContentsAdapter>::create<>() Line 439	C++
          Qt5WebEngineWidgets_x64d.dll!QWebEnginePagePrivate::QWebEnginePagePrivate(QWebEngineProfile * _profile) Line 148	C++
          Qt5WebEngineWidgets_x64d.dll!QWebEnginePage::QWebEnginePage(QObject * parent) Line 782	C++


      And the exception:

      Exception thrown at 0x00007FFEE32964F7 (Qt5WebEngineCore_x64d.dll) in <exe>: 0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF.
      

          People

            qt_webengine_team Qt WebEngine Team
            tomikaa87qt Tamas Karpati