Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: P1: Critical
Fix Version/s: 6.2.5, 6.3.1, 6.4.0 Beta1
Affects Version/s: 6.2.3, 6.4
Component/s: Image formats
Labels:
- found_by_oss-fuzz
Environment:
Ubuntu 20.04 LTS
clang 10.0.0, g++ 9.4.0

Commits:
34731687ee (qt/qtimageformats/dev) 34731687ee (qt/tqtc-qtimageformats/dev) 8730ead6e0 (qt/qtimageformats/6.3) 8730ead6e0 (qt/tqtc-qtimageformats/6.3) e46b3dc574 (qt/tqtc-qtimageformats/5.15) c7e795eb63 (qt/tqtc-qtimageformats/6.2)

Description

Have a build of Qt including qtimageformats.
No sanitizers needed.

Build the attached project.

qt-cmake /tmp/report/ && cmake --build . --parallel

Run this, passing the attached input file.

qtrob@rob-desktop:/tmp/build-report$ ./report /tmp/oss-fuzz/47415.icns 
Segmentation fault

If you configured Qt with "-sanitize address", you'll see a stacktrace:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==28264==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x000000d76c42 bp 0x7ffc01ef8ad0 sp 0x7ffc01ef8100 T0)
==28264==The signal is caused by a READ memory access.
==28264==Hint: address points to the zero page.
    #0 0xd76c42 in QICNSHandler::read(QImage*) (/tmp/build-report/report+0xd76c42)
    #1 0x11a2259 in QImageReader::read(QImage*) (/tmp/build-report/report+0x11a2259)
    #2 0x11a14b8 in QImageReader::read() (/tmp/build-report/report+0x11a14b8)
    #3 0x1140b3f in QImage::fromData(QByteArrayView, char const*) (/tmp/build-report/report+0x1140b3f)
    #4 0x11405e7 in QImage::loadFromData(QByteArrayView, char const*) (/tmp/build-report/report+0x11405e7)
    #5 0x4e7c42 in QImage::loadFromData(QByteArray const&, char const*) (/tmp/build-report/report+0x4e7c42)
    #6 0x4e7469 in main (/tmp/build-report/report+0x4e7469)
    #7 0x7f3a551200b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x43c95d in _start (/tmp/build-report/report+0x43c95d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/tmp/build-report/report+0xd76c42) in QICNSHandler::read(QImage*)
==28264==ABORTING

Looking into the file, the problem is obvious:

00000000: 6963 6e73 0000 0000                      icns....

After the magic number, the file claims to have a total size of 0 which is obviously incorrect. Qt should catch this.

Google's oss-fuzz found this as issue 47415. They will publish the details 90 days from now, the latest.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

main.cpp
0.2 kB
12 May '22 14:31
CMakeLists.txt
0.3 kB
12 May '22 14:31
47415.icns
0.0 kB
12 May '22 14:34
0001-Add-finding-from-oss-fuzz-to-tst_qicns.patch
1 kB
13 May '22 20:37

Issue Links

is duplicated by

QTBUG-103501 Null pointer dereference when parsing ICNS file

Closed

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Eirik Aavitsland

Reporter:: Robert Löhning

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 12 May '22 14:45

Updated:: 25 May '22 15:11

Resolved:: 16 May '22 07:47

Gerrit Reviews

There are no open Gerrit changes

Show There are 9 closed Gerrit changes

Hide There are 9 closed Gerrit changes

Add some basic checking against corrupt input: Gerrit Review:

Add some basic checking against corrupt input: Gerrit Review:

Add some basic checking against corrupt input: Gerrit Review:

Add some basic checking against corrupt input: Gerrit Review:

Add finding from oss-fuzz to tst_qicns: Gerrit Review:

fuzzing: Add icns files to initialize fuzzing: Gerrit Review:

Add finding from oss-fuzz to tst_qicns: Gerrit Review:

Add finding from oss-fuzz to tst_qicns: Gerrit Review:

Add finding from oss-fuzz to tst_qicns: Gerrit Review: