Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-103454

Null-dereference read in QICNSHandler

    XMLWordPrintable

Details

    • 34731687ee (qt/qtimageformats/dev) 34731687ee (qt/tqtc-qtimageformats/dev) 8730ead6e0 (qt/qtimageformats/6.3) 8730ead6e0 (qt/tqtc-qtimageformats/6.3) e46b3dc574 (qt/tqtc-qtimageformats/5.15) c7e795eb63 (qt/tqtc-qtimageformats/6.2)

    Description

      1. Have a build of Qt including qtimageformats.
        No sanitizers needed.
      2. Build the attached project. 
        qt-cmake /tmp/report/ && cmake --build . --parallel
      3. Run this, passing the attached input file. 
        qtrob@rob-desktop:/tmp/build-report$ ./report /tmp/oss-fuzz/47415.icns 
Segmentation fault

        If you configured Qt with "-sanitize address", you'll see a stacktrace:

        AddressSanitizer:DEADLYSIGNAL
=================================================================
==28264==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x000000d76c42 bp 0x7ffc01ef8ad0 sp 0x7ffc01ef8100 T0)
==28264==The signal is caused by a READ memory access.
==28264==Hint: address points to the zero page.
    #0 0xd76c42 in QICNSHandler::read(QImage*) (/tmp/build-report/report+0xd76c42)
    #1 0x11a2259 in QImageReader::read(QImage*) (/tmp/build-report/report+0x11a2259)
    #2 0x11a14b8 in QImageReader::read() (/tmp/build-report/report+0x11a14b8)
    #3 0x1140b3f in QImage::fromData(QByteArrayView, char const*) (/tmp/build-report/report+0x1140b3f)
    #4 0x11405e7 in QImage::loadFromData(QByteArrayView, char const*) (/tmp/build-report/report+0x11405e7)
    #5 0x4e7c42 in QImage::loadFromData(QByteArray const&, char const*) (/tmp/build-report/report+0x4e7c42)
    #6 0x4e7469 in main (/tmp/build-report/report+0x4e7469)
    #7 0x7f3a551200b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x43c95d in _start (/tmp/build-report/report+0x43c95d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/tmp/build-report/report+0xd76c42) in QICNSHandler::read(QImage*)
==28264==ABORTING

      Looking into the file, the problem is obvious:

      00000000: 6963 6e73 0000 0000                      icns....

      After the magic number, the file claims to have a total size of 0 which is obviously incorrect. Qt should catch this.

      Google's oss-fuzz found this as issue 47415. They will publish the details 90 days from now, the latest.

      Attachments

        1. 0001-Add-finding-from-oss-fuzz-to-tst_qicns.patch
          1 kB
          Robert Löhning
        2. 47415.icns
          0.0 kB
          Robert Löhning
        3. CMakeLists.txt
          0.3 kB
          Robert Löhning
        4. main.cpp
          0.2 kB
          Robert Löhning

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-103501 Null pointer dereference when parsing ICNS file

          • Not Evaluated - Not yet evaluated/prioritized
          • Closed
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              vgt Eirik Aavitsland
              rlohning Robert Löhning
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews