Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-100217

[REG 6.2.2 -> 6.2.3] Integer overflow when rendering svg image

    XMLWordPrintable

Details

    • 1749388cdc765fca4206aaf0f84ac9b0877dfc9a d6c4a3edf9 (qt/qtbase/dev) d6c4a3edf9 (qt/tqtc-qtbase/dev) c1d2f4913d (qt/tqtc-qtbase/5.15) 78b3ffc99b (qt/qtbase/6.3) 78b3ffc99b (qt/tqtc-qtbase/6.3) d519901ddb (qt/qtbase/6.2) d519901ddb (qt/tqtc-qtbase/6.2)

    Description

      1. Have a build of Qt including qtsvg configured with "-sanitize undefined".
      2. Use that to build the attached project. 
        qt-cmake /tmp/report/ && cmake --build .
      3. Run the resulting program and pass the input file. 
        ./report /tmp/report/43998.svg

        You will see output like: 

        /home/qtrob/dev/clang-10.0.0/qt-dev_01.10-base_svg-fubsan/qtbase/include/QtCore/../../../../../src/qt-dev_01.10-base_svg/qtbase/src/corelib/kernel/qmath.h:81:16: runtime error: -nan is outside the range of representable values of type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/qtrob/dev/clang-10.0.0/qt-dev_01.10-base_svg-fubsan/qtbase/include/QtCore/../../../../../src/qt-dev_01.10-base_svg/qtbase/src/corelib/kernel/qmath.h:81:16 in 
/home/qtrob/dev/clang-10.0.0/qt-dev_01.10-base_svg-fubsan/qtbase/include/QtCore/../../../../../src/qt-dev_01.10-base_svg/qtbase/src/corelib/kernel/qmath.h:75:16: runtime error: -nan is outside the range of representable values of type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/qtrob/dev/clang-10.0.0/qt-dev_01.10-base_svg-fubsan/qtbase/include/QtCore/../../../../../src/qt-dev_01.10-base_svg/qtbase/src/corelib/kernel/qmath.h:75:16 in 
/home/qtrob/dev/src/qt-dev_01.10-base_svg/qtbase/src/corelib/tools/qrect.h:183:46: runtime error: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/qtrob/dev/src/qt-dev_01.10-base_svg/qtbase/src/corelib/tools/qrect.h:183:46 in 
/home/qtrob/dev/src/qt-dev_01.10-base_svg/qtbase/src/corelib/tools/qrect.h:183:70: runtime error: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/qtrob/dev/src/qt-dev_01.10-base_svg/qtbase/src/corelib/tools/qrect.h:183:70 in 
/home/qtrob/dev/src/qt-dev_01.10-base_svg/qtbase/src/gui/kernel/../../corelib/global/qglobal.h:790:14: runtime error: -nan is outside the range of representable values of type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/qtrob/dev/src/qt-dev_01.10-base_svg/qtbase/src/gui/kernel/../../corelib/global/qglobal.h:790:14 in

      Google's oss-fuzz found this as issue 43998. To be precise, that report is about the overflow in qrect.h:183:46. They will publish the report on April 25th.

      Attachments

        1. 43998.svg
          0.2 kB
        2. CMakeLists.txt
          0.3 kB
        3. main.cpp
          0.4 kB
        For Gerrit Dashboard: QTBUG-100217
        # Subject Branch Project Status CR V
        395396,2 Fix integer overflow for broken QPainterPaths dev qt/qtbase Status: MERGED +2 0
        395679,2 Fix integer overflow for broken QPainterPaths 6.2 qt/qtbase Status: MERGED +2 0
        395680,2 Fix integer overflow for broken QPainterPaths 6.3 qt/qtbase Status: MERGED +2 0
        395684,2 Fix integer overflow for broken QPainterPaths tqtc/lts-5.15 qt/tqtc-qtbase Status: MERGED +2 0
        395925,2 fuzzing: Add svg which caused overflow in QRasterPaintEngine dev qt/qtqa Status: MERGED +2 0

        Activity

          People

            esabraha Eskil Abrahamsen Blomfeldt
            rlohning Robert Löhning
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes