QTBUG-103454: Null-dereference read in QICNSHandler


    Details

    • Commits:
      34731687ee (qt/qtimageformats/dev)
      34731687ee (qt/tqtc-qtimageformats/dev)
      8730ead6e0 (qt/qtimageformats/6.3)
      8730ead6e0 (qt/tqtc-qtimageformats/6.3)
      e46b3dc574 (qt/tqtc-qtimageformats/5.15)
      c7e795eb63 (qt/tqtc-qtimageformats/6.2)

      Description

      1. Have a build of Qt including qtimageformats.
        No sanitizers needed.
      2. Build the attached project.
        qt-cmake /tmp/report/ && cmake --build . --parallel
        
      3. Run this, passing the attached input file.
        qtrob@rob-desktop:/tmp/build-report$ ./report /tmp/oss-fuzz/47415.icns 
        Segmentation fault
        

        If you configured Qt with "-sanitize address", you'll see a stacktrace:

        AddressSanitizer:DEADLYSIGNAL
        =================================================================
        ==28264==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x000000d76c42 bp 0x7ffc01ef8ad0 sp 0x7ffc01ef8100 T0)
        ==28264==The signal is caused by a READ memory access.
        ==28264==Hint: address points to the zero page.
            #0 0xd76c42 in QICNSHandler::read(QImage*) (/tmp/build-report/report+0xd76c42)
            #1 0x11a2259 in QImageReader::read(QImage*) (/tmp/build-report/report+0x11a2259)
            #2 0x11a14b8 in QImageReader::read() (/tmp/build-report/report+0x11a14b8)
            #3 0x1140b3f in QImage::fromData(QByteArrayView, char const*) (/tmp/build-report/report+0x1140b3f)
            #4 0x11405e7 in QImage::loadFromData(QByteArrayView, char const*) (/tmp/build-report/report+0x11405e7)
            #5 0x4e7c42 in QImage::loadFromData(QByteArray const&, char const*) (/tmp/build-report/report+0x4e7c42)
            #6 0x4e7469 in main (/tmp/build-report/report+0x4e7469)
            #7 0x7f3a551200b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
            #8 0x43c95d in _start (/tmp/build-report/report+0x43c95d)
        
        AddressSanitizer can not provide additional info.
        SUMMARY: AddressSanitizer: SEGV (/tmp/build-report/report+0xd76c42) in QICNSHandler::read(QImage*)
        ==28264==ABORTING
        

      Looking into the file, the problem is obvious:

      00000000: 6963 6e73 0000 0000                      icns....
      

      After the magic number, the file claims to have a total size of 0, which is obviously incorrect. Qt should catch this.

      Google's oss-fuzz found this as issue 47415. They will publish the details 90 days from now at the latest.
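As an added example (not Qt's code, not the reporter's attached project, and not the fix that landed in the commits listed above), here is a stand-alone C++ validator for the ICNS container layout that rejects the zero total length the file declares. It assumes the documented ICNS layout: an 8-byte file header (the "icns" magic plus a big-endian total length) followed by entries that each begin with a 4-byte tag and a big-endian length counting their own 8-byte header. Apart from the 8 bytes taken from the hexdump above, the sample files are constructed here; the entry tags are placeholders and are not interpreted.

```cpp
// Added example, not Qt's code: validate an ICNS container's length
// fields against the bytes actually present before trusting any of them.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

namespace icns_check {

// Every ICNS block, the file header included, starts with a 4-byte tag
// and a 4-byte big-endian length that counts those 8 bytes as well.
constexpr std::size_t kBlockHeaderSize = 8;

struct Result {
    bool ok;
    std::size_t entries;   // icon blocks walked before stopping
    std::string reason;    // empty on success
};

static std::uint32_t readBE32(const std::uint8_t *p) {
    return (std::uint32_t(p[0]) << 24) | (std::uint32_t(p[1]) << 16) |
           (std::uint32_t(p[2]) << 8) | std::uint32_t(p[3]);
}

// Check magic, declared total length, and each entry's declared length.
Result validate(const std::vector<std::uint8_t> &data) {
    if (data.size() < kBlockHeaderSize)
        return {false, 0, "file shorter than the 8-byte header"};
    if (std::string(data.begin(), data.begin() + 4) != "icns")
        return {false, 0, "bad magic"};

    const std::uint32_t total = readBE32(&data[4]);
    // 47415.icns declares a total length of 0. Anything below 8 cannot
    // even cover the header, so it is rejected here.
    if (total < kBlockHeaderSize)
        return {false, 0, "declared total length smaller than header"};
    if (total > data.size())
        return {false, 0, "declared total length exceeds file size"};

    std::size_t pos = kBlockHeaderSize;
    std::size_t count = 0;
    while (pos < total) {
        if (total - pos < kBlockHeaderSize)
            return {false, count, "truncated entry header"};
        const std::uint32_t len = readBE32(&data[pos + 4]);
        // A length below 8 would stall the walk; one beyond the
        // container would read past the end of the buffer.
        if (len < kBlockHeaderSize)
            return {false, count, "entry length smaller than its header"};
        if (len > total - pos)
            return {false, count, "entry length overruns the container"};
        pos += len;
        ++count;
    }
    return {true, count, ""};
}

// Helpers to build constructed sample inputs.
static void appendTag(std::vector<std::uint8_t> &out, const char *tag) {
    for (int i = 0; i < 4; ++i) out.push_back(std::uint8_t(tag[i]));
}

static void writeBE32(std::vector<std::uint8_t> &out, std::uint32_t v) {
    out.push_back(std::uint8_t(v >> 24));
    out.push_back(std::uint8_t(v >> 16));
    out.push_back(std::uint8_t(v >> 8));
    out.push_back(std::uint8_t(v));
}

static void appendBlock(std::vector<std::uint8_t> &out, const char *tag,
                        const std::vector<std::uint8_t> &payload) {
    appendTag(out, tag);
    writeBE32(out, std::uint32_t(kBlockHeaderSize + payload.size()));
    out.insert(out.end(), payload.begin(), payload.end());
}

// The 8 bytes from the report's hexdump: magic, then total length 0.
std::vector<std::uint8_t> fuzzerInput() {
    return {0x69, 0x63, 0x6e, 0x73, 0x00, 0x00, 0x00, 0x00};
}

// Constructed well-formed container: header plus two entries (36 bytes).
std::vector<std::uint8_t> wellFormedFile() {
    std::vector<std::uint8_t> body;
    appendBlock(body, "TOC ", {0x69, 0x63, 0x30, 0x34, 0x00, 0x00, 0x00, 0x0c});
    appendBlock(body, "ic04", {0x01, 0x02, 0x03, 0x04});
    std::vector<std::uint8_t> file;
    appendTag(file, "icns");
    writeBE32(file, std::uint32_t(kBlockHeaderSize + body.size()));
    file.insert(file.end(), body.begin(), body.end());
    return file;
}

// Same container with its last byte cut off: header promises 36 bytes.
std::vector<std::uint8_t> truncatedFile() {
    std::vector<std::uint8_t> f = wellFormedFile();
    f.pop_back();
    return f;
}

// Well-formed header, but the first entry's length field is zeroed.
std::vector<std::uint8_t> zeroLengthEntryFile() {
    std::vector<std::uint8_t> f = wellFormedFile();
    for (std::size_t i = 4; i < 8; ++i) f[kBlockHeaderSize + i] = 0;
    return f;
}

}  // namespace icns_check

int main() {
    using namespace icns_check;
    const std::vector<std::uint8_t> samples[] = {
        fuzzerInput(), wellFormedFile(), truncatedFile(), zeroLengthEntryFile()};
    for (const auto &s : samples) {
        Result r = validate(s);
        std::printf("%zu bytes: %s, %zu entries %s\n", s.size(),
                    r.ok ? "ok" : "rejected", r.entries, r.reason.c_str());
    }
    return 0;
}
```

The header check alone is what the fuzzer input exercises; the per-entry checks are the same idea applied one level down, since an entry length that is too small or too large is just as untrustworthy as the file length.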

        Attachments

        1. 0001-Add-finding-from-oss-fuzz-to-tst_qicns.patch
          1 kB
        2. 47415.icns
          0.0 kB
        3. CMakeLists.txt
          0.3 kB
        4. main.cpp
          0.2 kB

              People

              Assignee: Eirik Aavitsland (vgt)
              Reporter: Robert Löhning (rlohning)