Details
- Type: Bug
- Resolution: Done
- Priority: P1: Critical
- Fix Version/s: 6.2.3, 6.4
- Environment: Ubuntu 20.04 LTS, clang 10.0.0, g++ 9.4.0
- Commits: 34731687ee (qt/qtimageformats/dev), 34731687ee (qt/tqtc-qtimageformats/dev), 8730ead6e0 (qt/qtimageformats/6.3), 8730ead6e0 (qt/tqtc-qtimageformats/6.3), e46b3dc574 (qt/tqtc-qtimageformats/5.15), c7e795eb63 (qt/tqtc-qtimageformats/6.2)
Description
- Have a build of Qt including qtimageformats. No sanitizers needed.
- Build the attached project:
  qt-cmake /tmp/report/ && cmake --build . --parallel
- Run this, passing the attached input file:
  qtrob@rob-desktop:/tmp/build-report$ ./report /tmp/oss-fuzz/47415.icns
  Segmentation fault
If you configured Qt with "-sanitize address", you'll see a stacktrace:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==28264==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x000000d76c42 bp 0x7ffc01ef8ad0 sp 0x7ffc01ef8100 T0)
==28264==The signal is caused by a READ memory access.
==28264==Hint: address points to the zero page.
    #0 0xd76c42 in QICNSHandler::read(QImage*) (/tmp/build-report/report+0xd76c42)
    #1 0x11a2259 in QImageReader::read(QImage*) (/tmp/build-report/report+0x11a2259)
    #2 0x11a14b8 in QImageReader::read() (/tmp/build-report/report+0x11a14b8)
    #3 0x1140b3f in QImage::fromData(QByteArrayView, char const*) (/tmp/build-report/report+0x1140b3f)
    #4 0x11405e7 in QImage::loadFromData(QByteArrayView, char const*) (/tmp/build-report/report+0x11405e7)
    #5 0x4e7c42 in QImage::loadFromData(QByteArray const&, char const*) (/tmp/build-report/report+0x4e7c42)
    #6 0x4e7469 in main (/tmp/build-report/report+0x4e7469)
    #7 0x7f3a551200b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x43c95d in _start (/tmp/build-report/report+0x43c95d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/tmp/build-report/report+0xd76c42) in QICNSHandler::read(QImage*)
==28264==ABORTING
Looking into the file, the problem is obvious:
00000000: 6963 6e73 0000 0000 icns....
After the magic number, the file claims to have a total size of 0, which is obviously incorrect. Qt should catch this.
Google's oss-fuzz found this as issue 47415. They will publish the details 90 days from now at the latest.
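The kind of header check the fix needs, as an added example written for this page rather than taken from qtimageformats: a standalone walker over the ICNS container (4-byte magic, 4-byte big-endian total size, then type/length entries) that rejects the 8-byte crash file above before any entry is read. icnsCountEntries, be32 and the sample byte vectors are hypothetical names and constructed data.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Big-endian 32-bit read; ICNS stores all sizes this way.
static uint32_t be32(const uint8_t *p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Walks an ICNS container and returns the number of entries it holds,
// or -1 if the header or any entry is corrupt. Hypothetical helper,
// not Qt's QICNSHandler.
int icnsCountEntries(const std::vector<uint8_t> &data) {
    const size_t kHeader = 8; // magic + total size, also type + length per entry
    if (data.size() < kHeader || std::memcmp(data.data(), "icns", 4) != 0)
        return -1;
    uint32_t total = be32(data.data() + 4);
    // A claimed total smaller than the header (the report's case: 0) or
    // larger than the bytes actually present cannot be walked safely.
    if (total < kHeader || total > data.size())
        return -1;
    int count = 0;
    size_t off = kHeader;
    while (off < total) {
        if (total - off < kHeader)
            return -1; // truncated entry header
        uint32_t len = be32(data.data() + off + 4);
        // len includes its own 8-byte header; 0 would loop forever,
        // anything past 'total' would read out of bounds.
        if (len < kHeader || len > total - off)
            return -1;
        off += len;
        ++count;
    }
    return count;
}

// Constructed samples: the crashing 8-byte file from the report, and a
// well-formed container holding one empty 'TOC ' entry.
static const std::vector<uint8_t> kCrashFile = {'i', 'c', 'n', 's', 0, 0, 0, 0};
static const std::vector<uint8_t> kGoodFile  = {'i', 'c', 'n', 's', 0, 0, 0, 16,
                                                'T', 'O', 'C', ' ', 0, 0, 0, 8};
```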
Issue Links
- is duplicated by: QTBUG-103501 Null pointer dereference when parsing ICNS file (Closed)
For Gerrit Dashboard: QTBUG-103454

# | Subject | Branch | Project | Status | CR | V
---|---|---|---|---|---|---
411262,2 | Add some basic checking against corrupt input | dev | qt/qtimageformats | MERGED | +2 | 0
411429,2 | Add some basic checking against corrupt input | 6.3 | qt/qtimageformats | MERGED | +2 | 0
411431,2 | Add some basic checking against corrupt input | tqtc/lts-6.2 | qt/tqtc-qtimageformats | MERGED | +2 | 0
411432,2 | Add some basic checking against corrupt input | tqtc/lts-5.15 | qt/tqtc-qtimageformats | MERGED | +2 | 0
412175,3 | Add finding from oss-fuzz to tst_qicns | dev | qt/qtimageformats | MERGED | +2 | 0
412198,4 | fuzzing: Add icns files to initialize fuzzing | dev | qt/qtqa | MERGED | +2 | 0
412980,2 | Add finding from oss-fuzz to tst_qicns | 6.3 | qt/qtimageformats | MERGED | +2 | 0
412990,2 | Add finding from oss-fuzz to tst_qicns | tqtc/lts-6.2 | qt/tqtc-qtimageformats | MERGED | +2 | 0
412991,2 | Add finding from oss-fuzz to tst_qicns | tqtc/lts-5.15 | qt/tqtc-qtimageformats | MERGED | +2 | 0