Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-105151

[REG 6.2.2 -> 6.2.3] fuzz: undefined behaviour in QRectF/QRect

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: P1: Critical P1: Critical
    • None
    • 6.2.3, 6.3.1, 6.4.0 Beta2
    • SVG Support
    • KDE neon User - Plasma 5.25
    • Linux/X11

      Using a build of Qt with the UBSAN sanitizer enabled, the attached svg file triggers undefined behaviour due to an integer overflow happening in different places in QRect and QRectF.

      The first one happens in QRectF::toAlignedRect while calculating the width and height of the rect. Once this one is fixed, the same issue is detected in the QRect constructors as they are doing the similar mathematical operations that can be found in toAlignedRect.

      Google's oss-fuzz found this as oss-fuzz report. They will publish the details 90 days from now, the latest.

      The test case provided by QTBUG-103454 can be reused with the input from this report.

        1. oss-fuzz-49285.svg
          239 kB
        For Gerrit Dashboard: QTBUG-105151
        # Subject Branch Project Status CR V
        423469,3 Fix undefined behavior from math operations in QRectF dev qt/qtbase Status: NEW 0 0

            sgaist Samuel Gaist
            sgaist Samuel Gaist
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:

                There is 1 open Gerrit change