QTBUG-103501: Null pointer dereference when parsing ICNS file


    Details

    • Platform/s:
      Linux/X11
    • Commits:
      34731687ee77c59607db9d88c6361111631e48c6

Description

Reproduction steps:

1. download qt6.3.0 from https://download.qt.io/archive/qt/6.3/6.3.0/single/
2. compile qt with address sanitizer
3. compile image harness from `image.zip`
4. run `./imageharness ./poc`

ASAN output:

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3322536==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f8debed2ca9 bp 0x7ffc22f89490 sp 0x7ffc22f88aa0 T0)
==3322536==The signal is caused by a READ memory access.
==3322536==Hint: address points to the zero page.
    #0 0x7f8debed2ca9 in QICNSHandler::read(QImage*) /home/casper/targets/bigproj/qt/aflasan/SRC/qtimageformats/src/plugins/imageformats/icns/qicnshandler.cpp
    #1 0x7f8df2113745 in QImageReader::read(QImage*) (/home/casper/targets/bigproj/qt/normal/INSTALL/lib/libQt6Gui.so.6+0x19c745)
    #2 0x7f8df2113f48 in QImageReader::read() (/home/casper/targets/bigproj/qt/normal/INSTALL/lib/libQt6Gui.so.6+0x19cf48)
    #3 0x4f9d7b in main /home/casper/targets/bigproj/qt/normal/fuzzrun/../../fuzzsrc/image/main.cpp:21:23
    #4 0x7f8df13be0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c43d in _start (/home/casper/targets/bigproj/qt/normal/fuzzrun/imageharness+0x41c43d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/casper/targets/bigproj/qt/aflasan/SRC/qtimageformats/src/plugins/imageformats/icns/qicnshandler.cpp in QICNSHandler::read(QImage*)
==3322536==ABORTING
```
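The ASAN trace above is the kind of report that fuzz triage has to process in bulk: the useful facts (signal kind, faulting address, READ versus WRITE, the zero-page hint, the first frame symbolised to a source file) are spread over several lines of free text. The following Python is an added example, not code from this bug report or from the reporter's attached harness. It parses a DEADLYSIGNAL report into a structured record and buckets it; the sample input is a constructed copy of the trace in this issue, and the names `AsanCrash`, `parse_asan_report`, `classify`, `blame_frame` and `summarize` are this example's own, not an ASAN or Qt API.

```python
"""Structured triage of an AddressSanitizer DEADLYSIGNAL report.

Added example; not code from the Qt bug report or its attached harness.
The class and function names below are assumptions of this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the trace from QTBUG-103501, trimmed to four frames.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3322536==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f8debed2ca9 bp 0x7ffc22f89490 sp 0x7ffc22f88aa0 T0)
==3322536==The signal is caused by a READ memory access.
==3322536==Hint: address points to the zero page.
    #0 0x7f8debed2ca9 in QICNSHandler::read(QImage*) /home/casper/targets/bigproj/qt/aflasan/SRC/qtimageformats/src/plugins/imageformats/icns/qicnshandler.cpp
    #1 0x7f8df2113745 in QImageReader::read(QImage*) (/home/casper/targets/bigproj/qt/normal/INSTALL/lib/libQt6Gui.so.6+0x19c745)
    #2 0x7f8df2113f48 in QImageReader::read() (/home/casper/targets/bigproj/qt/normal/INSTALL/lib/libQt6Gui.so.6+0x19cf48)
    #3 0x4f9d7b in main /home/casper/targets/bigproj/qt/normal/fuzzrun/../../fuzzsrc/image/main.cpp:21:23

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/casper/targets/bigproj/qt/aflasan/SRC/qtimageformats/src/plugins/imageformats/icns/qicnshandler.cpp in QICNSHandler::read(QImage*)
==3322536==ABORTING
"""

Frame = Tuple[int, str, str]  # (frame index, function, location)

_ERROR_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address "
    r"(?P<addr>0x[0-9a-fA-F]+) \(pc (?P<pc>0x[0-9a-fA-F]+)",
    re.MULTILINE,
)
_ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
_ZERO_PAGE_RE = re.compile(r"Hint: address points to the zero page")
# "#N 0xADDR in FUNC LOCATION": FUNC may contain spaces, LOCATION never does.
_FRAME_RE = re.compile(
    r"^[ \t]*#(?P<idx>\d+)[ \t]+0x[0-9a-fA-F]+[ \t]+in[ \t]+(?P<func>.*?)[ \t]+(?P<loc>\S+)[ \t]*$",
    re.MULTILINE,
)


@dataclass
class AsanCrash:
    pid: int
    kind: str               # e.g. "SEGV"
    address: int            # faulting address
    pc: int                 # program counter at the fault
    access: Optional[str]   # "READ", "WRITE", or None when ASAN did not say
    zero_page: bool         # ASAN's "address points to the zero page" hint
    frames: List[Frame] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanCrash:
    """Extract the fields triage needs from one ASAN report."""
    m = _ERROR_RE.search(text)
    if m is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    access = _ACCESS_RE.search(text)
    frames = [(int(f.group("idx")), f.group("func"), f.group("loc"))
              for f in _FRAME_RE.finditer(text)]
    return AsanCrash(
        pid=int(m.group("pid")),
        kind=m.group("kind"),
        address=int(m.group("addr"), 16),
        pc=int(m.group("pc"), 16),
        access=access.group("access") if access else None,
        zero_page=_ZERO_PAGE_RE.search(text) is not None,
        frames=frames,
    )


def classify(crash: AsanCrash) -> str:
    """Coarse triage bucket. A SEGV on the zero page is a null-pointer
    dereference; the small address (0x28 here) is the offset of the field
    read through the null pointer. A read through null is normally a crash
    (denial of service) rather than memory corruption."""
    if crash.kind == "SEGV":
        if crash.zero_page or crash.address < 0x1000:
            return "null-pointer-deref"
        return "wild-pointer-access"
    return crash.kind


def blame_frame(crash: AsanCrash) -> Optional[Frame]:
    """First frame symbolised to a source file rather than a '(lib.so+0x..)'
    offset: the place a developer should open first."""
    for fr in crash.frames:
        if not fr[2].startswith("("):
            return fr
    return None


def summarize(crash: AsanCrash) -> str:
    """One-line summary usable as a bug title or a deduplication key."""
    blame = blame_frame(crash)
    where = f"{blame[1]} ({blame[2]})" if blame else "<no symbolised frame>"
    return f"{classify(crash)} [{crash.access or '?'} at {crash.address:#x}] in {where}"


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

Run against the sample, `summarize` yields a line starting with `null-pointer-deref [READ at 0x28] in QICNSHandler::read(QImage*)`, which matches what the trace says by hand: the top frame is in the ICNS handler, the access is a read, and the address is 0x28 bytes above null. The `blame_frame` heuristic skips frames that only resolve to a shared-library offset, which is why the Qt build used here (ASAN-instrumented plugin, un-instrumented libQt6Gui) still points at `qicnshandler.cpp`.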

Attachments

1. poc.icns (8 kB)
2. image.zip (1 kB)


People

Assignee: Eirik Aavitsland (vgt)
Reporter: casperqt
Votes: 0
Watchers: 4
