- Have a build of Qt including qtimageformats.
No sanitizers needed.
- Build the attached project.
qt-cmake /tmp/report/ && cmake --build . --parallel
- Run this, passing the attached input file.
qtrob@rob-desktop:/tmp/build-report$ ./report /tmp/oss-fuzz/47415.icns
If you configured Qt with "-sanitize address", you'll see a stacktrace:
==28264==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x000000d76c42 bp 0x7ffc01ef8ad0 sp 0x7ffc01ef8100 T0)
==28264==The signal is caused by a READ memory access.
==28264==Hint: address points to the zero page.
#0 0xd76c42 in QICNSHandler::read(QImage*) (/tmp/build-report/report+0xd76c42)
#1 0x11a2259 in QImageReader::read(QImage*) (/tmp/build-report/report+0x11a2259)
#2 0x11a14b8 in QImageReader::read() (/tmp/build-report/report+0x11a14b8)
#3 0x1140b3f in QImage::fromData(QByteArrayView, char const*) (/tmp/build-report/report+0x1140b3f)
#4 0x11405e7 in QImage::loadFromData(QByteArrayView, char const*) (/tmp/build-report/report+0x11405e7)
#5 0x4e7c42 in QImage::loadFromData(QByteArray const&, char const*) (/tmp/build-report/report+0x4e7c42)
#6 0x4e7469 in main (/tmp/build-report/report+0x4e7469)
#7 0x7f3a551200b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#8 0x43c95d in _start (/tmp/build-report/report+0x43c95d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/tmp/build-report/report+0xd76c42) in QICNSHandler::read(QImage*)
Looking into the file, the problem is obvious:
00000000: 6963 6e73 0000 0000 icns....
After the magic number, the file claims to have a total size of 0 which is obviously incorrect. Qt should catch this.
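As an added illustration, not code from this report or from Qt's QICNSHandler, here is a standalone C++ check of the ICNS container layout that rejects the zero total size shown in the hexdump above. It assumes the ICNS layout of a 4-byte "icns" magic followed by a 4-byte big-endian total length, then elements of 4-byte type plus 4-byte big-endian length (including the 8-byte element header); the sample byte vectors are constructed for this example.

```cpp
// Added example: a minimal ICNS container sanity check of the kind the report
// says Qt should perform before reading elements. Standalone C++, no Qt.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Read a 32-bit big-endian unsigned integer (ICNS stores lengths big-endian).
static uint32_t be32(const uint8_t *p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Validate the container: 8-byte file header ("icns" + total length) followed
// by elements (4-byte type + 4-byte length that includes the element header).
// Returns an empty string when the layout is consistent, otherwise a reason.
std::string checkIcnsContainer(const std::vector<uint8_t> &data) {
    const size_t kHeader = 8;
    if (data.size() < kHeader)
        return "truncated: fewer than 8 header bytes";
    if (!(data[0] == 'i' && data[1] == 'c' && data[2] == 'n' && data[3] == 's'))
        return "bad magic";
    const uint32_t declared = be32(&data[4]);
    // The total length covers the header itself, so anything below 8 (such as
    // the zero in the crashing file) cannot describe a valid container.
    if (declared < kHeader)
        return "declared size smaller than header (" + std::to_string(declared) + ")";
    if (declared > data.size())
        return "declared size exceeds available data";
    // Walk the element table, bounding every length by what is actually left.
    size_t off = kHeader;
    while (off < declared) {
        if (declared - off < kHeader)
            return "trailing bytes too short for an element header";
        const uint32_t len = be32(&data[off + 4]);
        if (len < kHeader)
            return "element length smaller than its header";
        if (len > declared - off)
            return "element length exceeds container";
        off += len;
    }
    return "";
}

// Constructed sample 1: the first 8 bytes shown in the report's hexdump.
const std::vector<uint8_t> kZeroSizeIcns = {'i', 'c', 'n', 's', 0, 0, 0, 0};

// Constructed sample 2: a consistent container with one 12-byte element
// (4-byte type tag, 4-byte length, 4 bytes of payload). Total = 8 + 12 = 20.
const std::vector<uint8_t> kValidIcns = {
    'i', 'c', 'n', 's', 0, 0, 0, 20,
    'T', 'O', 'C', ' ', 0, 0, 0, 12, 1, 2, 3, 4
};

int main() {
    std::printf("zero-size header: %s\n", checkIcnsContainer(kZeroSizeIcns).c_str());
    std::printf("valid container: %s\n",
                checkIcnsContainer(kValidIcns).empty() ? "ok" : checkIcnsContainer(kValidIcns).c_str());
    return 0;
}
```

The point of the walk is that each length is checked against the bytes remaining rather than trusted, so a decoder built on top of it never dereferences an offset derived from a bogus header.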
Google's OSS-Fuzz found this as issue 47415. They will publish the details 90 days from now at the latest.