Details
- Bug
- Resolution: Invalid
- P2: Important
- None
- 6.4.0
- None
Description
Reproduce steps:
- compile Qt from the dev repo with AddressSanitizer enabled
- compile image.zip
- run with the PoC: ./imageharness ./poc
Observed behavior:
```
height: 12, width: 16
=================================================================
==3846283==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000bc0 at pc 0x5615f7a70510 bp 0x7fff291a6e90 sp 0x7fff291a6e80
READ of size 4 at 0x604000000bc0 thread T0
#0 0x5615f7a7050f in main ../../fuzzsrc/image/main.cpp:30
#1 0x7ff0c8252082 in __libc_start_main ../csu/libc-start.c:308
#2 0x5615f7a7097d in _start (/home/casper/targets/bigproj/qt/devtest/fuzzrun/imageharnessafl+0x397d)
0x604000000bc0 is located 0 bytes to the right of 48-byte region [0x604000000b90,0x604000000bc0)
allocated by thread T0 here:
#0 0x7ff0c95e2808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7ff0c8e93285 in QImageData::create(QSize const&, QImage::Format) (/home/casper/targets/bigproj/qt/devtest/INSTALL/lib/libQt6Gui.so.6+0x145285)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../fuzzsrc/image/main.cpp:30 in main
Shadow bytes around the buggy address:
0x0c087fff8120: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 02 fa
0x0c087fff8130: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 02 fa
0x0c087fff8140: fa fa 00 00 00 00 02 fa fa fa fd fd fd fd fd fa
0x0c087fff8150: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
0x0c087fff8160: fa fa 00 00 00 00 02 fa fa fa fd fd fd fd fd fa
=>0x0c087fff8170: fa fa 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
0x0c087fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3846283==ABORTING
```
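Editor's note on the report above: frame #0 of the faulting READ is in the fuzzing harness itself (`main ../../fuzzsrc/image/main.cpp:30`), not inside libQt6Gui; Qt only appears as the allocator of the 48-byte `QImageData` region. A 48-byte buffer for a 16x12 image is exactly what a 1-bit-per-pixel format (e.g. `QImage::Format_Mono`) with Qt's 32-bit-aligned scanlines occupies (4 bytes per line times 12 lines), and the read lands 0 bytes past that region, which is what happens when a harness indexes `bits()` as if every image were 32 bits per pixel. The following is an added example, not the reporter's harness (whose source is not on this page) and not Qt code; it models the image geometry in plain C++ so it builds without Qt, assumes the decoded image was 1 bpp, and uses a hypothetical 4-bytes-per-pixel indexing loop to show where the first out-of-bounds offset falls, beside the scanline-aware loop a harness should use instead.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Qt aligns each scanline to 32 bits (see QImage::bytesPerLine()), so an
// image `width` pixels wide at `depth` bits per pixel uses
// ((width * depth + 31) / 32) * 4 bytes per line.
constexpr std::size_t bytesPerLine(std::size_t width, std::size_t depth) {
    return ((width * depth + 31) / 32) * 4;
}

// Total buffer size for height scanlines of that width and depth.
// 16x12 at 1 bpp -> 4 * 12 = 48 bytes, the region size in the ASan report.
constexpr std::size_t sizeInBytes(std::size_t width, std::size_t height, std::size_t depth) {
    return bytesPerLine(width, depth) * height;
}

// Constructed stand-in for a decoded QImage: only the geometry matters here.
struct ImageBuf {
    std::size_t width, height, depth;
    std::vector<std::uint8_t> bits;
    ImageBuf(std::size_t w, std::size_t h, std::size_t d)
        : width(w), height(h), depth(d), bits(sizeInBytes(w, h, d), 0) {}
};

// Hypothetical unsafe harness pattern (assumption, not the reporter's code):
// treat every image as 32 bpp and index the pixel buffer as uint32_t[w*h].
// Returns the byte offset of the first access that would leave the buffer,
// or -1 if every access stays in range.
long firstOutOfBoundsOffset(const ImageBuf& img) {
    for (std::size_t y = 0; y < img.height; ++y) {
        for (std::size_t x = 0; x < img.width; ++x) {
            const std::size_t off = (y * img.width + x) * 4;
            if (off + 4 > img.bits.size()) return static_cast<long>(off);
        }
    }
    return -1;
}

// Scanline-aware pattern: step rows by bytesPerLine, read only the payload
// bytes of each row, never past sizeInBytes. Summing bytes stands in for
// whatever the harness does with the pixels.
std::uint64_t checksumSafely(const ImageBuf& img) {
    const std::size_t bpl = bytesPerLine(img.width, img.depth);
    const std::size_t rowBytes = (img.width * img.depth + 7) / 8;  // payload bytes per row
    std::uint64_t sum = 0;
    for (std::size_t y = 0; y < img.height; ++y) {
        const std::uint8_t* line = img.bits.data() + y * bpl;
        for (std::size_t i = 0; i < rowBytes; ++i) sum += line[i];
    }
    return sum;
}

// The geometry from the report: height 12, width 16, assumed 1 bpp.
// The 32-bpp loop first reads outside the buffer at byte offset 48.
long reportedImageFirstOob() { return firstOutOfBoundsOffset(ImageBuf(16, 12, 1)); }

// Same geometry at a genuine 32-bpp format: the 32-bpp loop stays in bounds.
long rgb32ImageFirstOob() { return firstOutOfBoundsOffset(ImageBuf(16, 12, 32)); }

// Safe loop on a 1-bpp 16x12 image with one payload byte and one padding byte set:
// row 1 occupies bytes 4..7, of which only bytes 4 and 5 carry pixels, so the
// padding byte at offset 7 is not counted and the result is 7.
std::uint64_t safeChecksumDemo() {
    ImageBuf mono(16, 12, 1);
    mono.bits[5] = 7;   // payload byte of row 1
    mono.bits[7] = 9;   // alignment padding of row 1, ignored by the safe loop
    return checksumSafely(mono);
}
```

The point for anyone reusing such a harness: derive the access pattern from `QImage::format()`, `bytesPerLine()` and `sizeInBytes()` (or use `pixel()`/`scanLine()`), and do not assume 4 bytes per pixel; otherwise the sanitizer will keep reporting the harness, and every such report will be closed as Invalid.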