Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-109781

QXmlStreamReader asserts trying to construct XmlStringRef of negative len on external input

    XMLWordPrintable

Details

    • 6326bec46 (dev), 7e9210a83 (6.5), a13f78144 (6.6), fcca4d667 (tqtc/lts-5.15), df51e4095 (tqtc/lts-6.2), 8695e64c6 (6.5.2), bdc8dc513 (dev), c9478b890 (6.5), 70f48ca97 (6.6), 7076e8e9f (tqtc/lts-6.2)
    • Foundation PM Prioritized

    Description

      1. Build the attached project with a developer build of Qt: 
        qt-cmake -S /tmp/report/ && cmake --build . --parallel
      2. Run the resulting program and pass the attached xml file: 
        ./report 54551.xml

        It crashes with a failed assert:

        ASSERT: "len >= 0" in file /home/qtrob/dev/g++-12.2.0/qt-6.4.1-nowebengine-devbld/qtbase/include/QtCore/../../../../../src/qt-6.4.1/qtbase/src/corelib/text/qstringview.h, line 146
Aborted (core dumped)

      gdb give me this backtrace:

      #0  0x00007ffff70a164c in ?? () from /usr/lib/libc.so.6
#1  0x00007ffff7051958 in raise () from /usr/lib/libc.so.6
#2  0x00007ffff703b53d in abort () from /usr/lib/libc.so.6
#3  0x00007ffff76c3c32 in qAbort ()
    at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qglobal.cpp:3369
#4  0x00007ffff76d49be in qt_message_fatal (context=..., message=...)
    at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qlogging.cpp:1916
#5  0x00007ffff76d0e82 in QMessageLogger::fatal (this=0x7fffffffda70, 
    msg=0x7ffff7bb5ea8 "ASSERT: \"%s\" in file %s, line %d")
    at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qlogging.cpp:850
#6  0x00007ffff76c3a66 in qt_assert (assertion=0x7ffff7bb245a "len >= 0", 
    file=0x7ffff7bb2470 "/home/qtrob/dev/g++-12.2.0/qt-6.4.1-nowebengine-devbld/qtbase/include/QtCore/../../../../../src/qt-6.4.1/qtbase/src/corelib/text/qstringview.h", line=146)
    at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qglobal.cpp:3276
#7  0x00007ffff76bed13 in QStringView::QStringView<QChar, true> (
    this=0x7fffffffdaf0, str=0x55555558375e, len=-2325)
    at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/text/qstringview.h:146
#8  0x00007ffff7895566 in QtPrivate::XmlStringRef::view (this=0x7fffffffdd20)
    at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/serialization/qxmlstream_p.h:60
#9  0x00007ffff78954d6 in QtPrivate::XmlStringRef::operator QStringView (
    this=0x7fffffffdd20)
--Type <RET> for more, q to quit, c to continue without paging--c
   alization/qxmlstream_p.h:57
#10 0x00007ffff78883e1 in QXmlStreamReaderPrivate::parse (this=0x555555559ff0) at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/serialization/qxmlstreamparser_p.h:789
#11 0x00007ffff788a83f in QXmlStreamReader::readNext (this=0x7fffffffde58) at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/serialization/qxmlstream.cpp:561
#12 0x00005555555552ec in main ()

      Google's oss-fuzz found this as issue 54551. They will publish their report on March 24th, the latest.

      Attachments

        1. 54551.xml
          8 kB
        2. CMakeLists.txt
          0.3 kB
        3. main.cpp
          0.3 kB

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-114829 [REG 6.5.1 -> 6.5.2] Crash/failed assert by passing certain xml file to QXmlStreamReader

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed
          For Gerrit Dashboard: QTBUG-109781
          # Subject Branch Project Status CR V
          455027,21 QXmlStreamReader: make fastScanName() indicate parsing status to callers dev qt/qtbase Status: MERGED +2 0
          475586,2 QXmlStream: 0xff00 character is not a letter dev qt/qtbase Status: ABANDONED 0 0
          487549,2 QXmlStreamReader: fix crash while parsing attribute name dev qt/qtbase Status: ABANDONED 0 0
          487550,2 QXmlStreamReader: raise error if attribute name exceeds 4096 chars dev qt/qtbase Status: ABANDONED 0 0
          488205,2 QXmlStreamReader: make fastScanName() indicate parsing status to callers 6.6 qt/qtbase Status: MERGED +2 0
          488206,2 QXmlStreamReader: make fastScanName() indicate parsing status to callers 6.5 qt/qtbase Status: MERGED +2 0
          488209,3 QXmlStreamReader: make fastScanName() indicate parsing status to callers tqtc/lts-6.2 qt/tqtc-qtbase Status: MERGED +2 0
          488210,8 QXmlStreamReader: make fastScanName() indicate parsing status to callers tqtc/lts-5.15 qt/tqtc-qtbase Status: MERGED +2 0
          488283,3 QXmlStreamReader: make fastScanName() indicate parsing status to callers 6.5.2 qt/qtbase Status: MERGED +2 0
          488826,3 Fix typo in QXmlStreamReader error message dev qt/qtbase Status: MERGED +2 0
          488892,2 Fix typo in QXmlStreamReader error message 6.6 qt/qtbase Status: MERGED +2 0
          488893,2 Fix typo in QXmlStreamReader error message 6.5 qt/qtbase Status: MERGED +2 0
          488894,2 Fix typo in QXmlStreamReader error message tqtc/lts-6.2 qt/tqtc-qtbase Status: MERGED +2 0
          488895,2 Fix typo in QXmlStreamReader error message tqtc/lts-5.15 qt/tqtc-qtbase Status: MERGED +2 0
          492524,3 QXmlStreamReader: make fastScanName() indicate parsing status to callers 6.5.1 qt/qtbase Status: ABANDONED 0 0

          Activity

            People

              thiago Thiago Macieira
              rlohning Robert Löhning
              Vladimir Minenko Vladimir Minenko
              Alex Blasche Alex Blasche
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: