Qt / QTBUG-103454

Null-dereference read in QICNSHandler

    Details

    • Commits:
      34731687ee (qt/qtimageformats/dev)
      34731687ee (qt/tqtc-qtimageformats/dev)
      8730ead6e0 (qt/qtimageformats/6.3)
      8730ead6e0 (qt/tqtc-qtimageformats/6.3)
      e46b3dc574 (qt/tqtc-qtimageformats/5.15)
      c7e795eb63 (qt/tqtc-qtimageformats/6.2)

      Description

      1. Have a build of Qt including qtimageformats.
        No sanitizers needed.
      2. Build the attached project.
        qt-cmake /tmp/report/ && cmake --build . --parallel
        
      3. Run this, passing the attached input file.
        qtrob@rob-desktop:/tmp/build-report$ ./report /tmp/oss-fuzz/47415.icns 
        Segmentation fault
        

        If you configured Qt with "-sanitize address", you'll see a stacktrace:

        AddressSanitizer:DEADLYSIGNAL
        =================================================================
        ==28264==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x000000d76c42 bp 0x7ffc01ef8ad0 sp 0x7ffc01ef8100 T0)
        ==28264==The signal is caused by a READ memory access.
        ==28264==Hint: address points to the zero page.
            #0 0xd76c42 in QICNSHandler::read(QImage*) (/tmp/build-report/report+0xd76c42)
            #1 0x11a2259 in QImageReader::read(QImage*) (/tmp/build-report/report+0x11a2259)
            #2 0x11a14b8 in QImageReader::read() (/tmp/build-report/report+0x11a14b8)
            #3 0x1140b3f in QImage::fromData(QByteArrayView, char const*) (/tmp/build-report/report+0x1140b3f)
            #4 0x11405e7 in QImage::loadFromData(QByteArrayView, char const*) (/tmp/build-report/report+0x11405e7)
            #5 0x4e7c42 in QImage::loadFromData(QByteArray const&, char const*) (/tmp/build-report/report+0x4e7c42)
            #6 0x4e7469 in main (/tmp/build-report/report+0x4e7469)
            #7 0x7f3a551200b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
            #8 0x43c95d in _start (/tmp/build-report/report+0x43c95d)
        
        AddressSanitizer can not provide additional info.
        SUMMARY: AddressSanitizer: SEGV (/tmp/build-report/report+0xd76c42) in QICNSHandler::read(QImage*)
        ==28264==ABORTING
        

      Looking into the file, the problem is obvious:

      00000000: 6963 6e73 0000 0000                      icns....
      

      After the magic number, the file claims to have a total size of 0, which is obviously incorrect. Qt should catch this.

      Google's oss-fuzz found this as issue 47415. They will publish the details 90 days from now at the latest.
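      As an added illustration, not Qt's own code and not the fix linked in the commits above: a minimal ICNS container-header check that rejects the attached file before any element parsing happens. The names IcnsHeader and checkIcnsHeader are assumptions; the layout assumed is the standard ICNS header of a 4-byte "icns" magic followed by a big-endian 32-bit total file length.

```cpp
// Added example (not Qt's code): validate the 8-byte ICNS container header
// before trusting the declared file length. The header is the ASCII magic
// "icns" followed by a big-endian uint32 holding the total file length,
// header included. A length below 8 (the 0 in the reported file) or larger
// than the bytes actually available cannot be valid, so a reader should
// stop here instead of walking the element list with a bogus bound.
#include <cstdint>
#include <cstring>
#include <vector>

struct IcnsHeader {                 // assumed name
    uint32_t totalLength = 0;       // declared size of the whole file
};

enum class IcnsStatus { Ok, TooShort, BadMagic, BadLength };

static uint32_t readBE32(const unsigned char *p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
}

// Checks only the container header; element parsing would follow on Ok.
IcnsStatus checkIcnsHeader(const std::vector<unsigned char> &data, IcnsHeader *out) {
    if (data.size() < 8)
        return IcnsStatus::TooShort;
    if (std::memcmp(data.data(), "icns", 4) != 0)
        return IcnsStatus::BadMagic;
    const uint32_t declared = readBE32(data.data() + 4);
    // Both bounds matter: the declared length must cover at least the
    // header itself (the lower bound is exactly what the fuzzer-found
    // file violates) and must not exceed what we actually hold.
    if (declared < 8 || declared > data.size())
        return IcnsStatus::BadLength;
    if (out)
        out->totalLength = declared;
    return IcnsStatus::Ok;
}

// Constructed inputs: the 8-byte file from the hexdump in this report
// ("icns" followed by a zero length), and a well-formed header whose
// declared length matches the buffer size.
const std::vector<unsigned char> kFuzzerFile = {'i', 'c', 'n', 's', 0, 0, 0, 0};
const std::vector<unsigned char> kGoodHeader = {'i', 'c', 'n', 's', 0, 0, 0, 8};
```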

        Attachments

        1. CMakeLists.txt
          0.3 kB
        2. main.cpp
          0.2 kB
        3. 47415.icns
          0.0 kB
        4. 0001-Add-finding-from-oss-fuzz-to-tst_qicns.patch
          1 kB


              People

              Assignee:
              vgt Eirik Aavitsland
              Reporter:
              rlohning Robert Löhning