Details
Description
There is a heap corruption in WebEngineLibraryInfo::isRemoteDrivePath() (qtwebengine\src\core\web_engine_library_info.cpp @ 368)
The original code allocates a wide-string buffer of three characters and copies a three-character string into it, leaving no room for the null terminator, so the write runs past the end of the buffer and can corrupt the heap. (This is the case with our application, which constantly crashes in the destructor of the temporary std::string created by toStdString()):
WCHAR wDriveLetter[3];  // room for 3 wide characters, none for the terminating null
swprintf(wDriveLetter, L"%S", path.mid(0, 3).toStdString().c_str());  // writes up to 3 characters plus L'\0', i.e. 4 wide characters
The proposed fix, which has been tested and verified to work, is:
WCHAR wDriveLetter[4] = { 0 };  // 3 characters plus the terminating null
swprintf(wDriveLetter, L"%S", path.mid(0, 3).toStdString().c_str());
This leaves enough room for the three-character drive prefix (e.g. "C:/") plus its null terminator.
The bug is easy to fix but requires rebuilding the library. A workaround exists: disabling the sandbox skips the code path that calls this function, but running without the sandbox can cause other security-related problems.
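The defect above is a buffer sized for the characters but not for the terminator. The following is an added example, not code from qtwebengine, showing how the same copy can be made bounds-checked with the size-aware std::swprintf overload and its return value, so that a too-small buffer is reported instead of overrun. It assumes a hypothetical helper copyDrivePrefix and, because the "%S" narrow-to-wide conversion used in the original is MSVC-specific, it formats a wide input with "%ls" so it builds on any C++11 toolchain.

```cpp
#include <cstddef>
#include <cstdio>
#include <cwchar>
#include <string>

// Added example (not qtwebengine code): copy the first three characters of a
// path (the drive prefix, e.g. L"C:/") into a fixed-size wide buffer without
// writing past its end. Returns true only if the prefix and its terminating
// L'\0' both fit in outLen wide characters.
bool copyDrivePrefix(const std::wstring& path, wchar_t* out, std::size_t outLen) {
    if (out == nullptr || outLen == 0)
        return false;
    const std::wstring prefix = path.substr(0, 3);
    // The C99/C++11 std::swprintf(buffer, bufsz, ...) returns a negative value
    // when the formatted text, including the terminator, does not fit in bufsz
    // wide characters, so the original's 3-character buffer is rejected here
    // instead of being overrun by one wide character.
    const int written = std::swprintf(out, outLen, L"%ls", prefix.c_str());
    if (written < 0) {
        out[0] = L'\0';  // leave a well-formed empty string on failure
        return false;
    }
    return static_cast<std::size_t>(written) < outLen;
}

// Wide characters a buffer needs for a prefix of prefixLen characters:
// the characters themselves plus one terminating null.
constexpr std::size_t requiredBufferLen(std::size_t prefixLen) {
    return prefixLen + 1;
}

int main() {
    wchar_t tooSmall[3];       // sized like the original wDriveLetter[3]
    wchar_t fixed[4] = { 0 };  // sized like the proposed wDriveLetter[4]
    // Constructed sample path, not taken from the report.
    const bool smallOk = copyDrivePrefix(L"C:/Users/example", tooSmall, 3);
    const bool fixedOk = copyDrivePrefix(L"C:/Users/example", fixed, 4);
    std::printf("3-wchar buffer: %s, 4-wchar buffer: %s, required: %zu\n",
                smallOk ? "fits" : "rejected",
                fixedOk ? "fits" : "rejected",
                requiredBufferLen(3));
    return 0;
}
```

Checking the return value of the sized swprintf is what turns a silent one-character overrun into a detectable failure; where the buffer size is not fixed by an API, building a std::wstring from the prefix avoids the fixed buffer altogether.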
The commit which introduced the function: https://code.qt.io/cgit/qt/qtwebengine.git/commit/?id=f51f50c22e770e1ab20ecccc8a32906e4014caed
The relevant stack trace from our application:
Qt5WebEngineCore_x64d.dll!std::_Container_base12::_Orphan_all() Line 1211 C++
Qt5WebEngineCore_x64d.dll!std::string::_Tidy_deallocate() Line 4300 C++
Qt5WebEngineCore_x64d.dll!std::string::~basic_string() Line 2723 C++
Qt5WebEngineCore_x64d.dll!WebEngineLibraryInfo::isRemoteDrivePath(const QString & path) Line 371 C++
Qt5WebEngineCore_x64d.dll!`anonymous namespace'::subProcessPath() Line 188 C++
Qt5WebEngineCore_x64d.dll!WebEngineLibraryInfo::getPath(int key) Line 315 C++
Qt5WebEngineCore_x64d.dll!QtWebEngineCore::WebEngineContext::WebEngineContext() Line 581 C++
Qt5WebEngineCore_x64d.dll!QtWebEngineCore::WebEngineContext::current() Line 433 C++
Qt5WebEngineCore_x64d.dll!QtWebEngineCore::WebContentsAdapter::WebContentsAdapter() Line 456 C++
Qt5WebEngineWidgets_x64d.dll!QSharedPointer<QtWebEngineCore::WebContentsAdapter>::create<>() Line 439 C++
Qt5WebEngineWidgets_x64d.dll!QWebEnginePagePrivate::QWebEnginePagePrivate(QWebEngineProfile * _profile) Line 148 C++
Qt5WebEngineWidgets_x64d.dll!QWebEnginePage::QWebEnginePage(QObject * parent) Line 782 C++
And the exception:
Exception thrown at 0x00007FFEE32964F7 (Qt5WebEngineCore_x64d.dll) in <exe>: 0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF.