Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: P1: Critical
Fix Version/s: 5.15.15, 6.2.9, 6.5.2, 6.5.3, 6.6.0 Beta2, 6.7.0 FF
Affects Version/s: 6.2.0, 6.4.1, 6.6
Component/s: Core: Serialization
Labels:
- found_by_oss-fuzz
Environment:
Manjaro Linux
clang 14.0.6
g++ 12.2.0

Commits:
6326bec46 (dev), 7e9210a83 (6.5), a13f78144 (6.6), fcca4d667 (tqtc/lts-5.15), df51e4095 (tqtc/lts-6.2), 8695e64c6 (6.5.2), bdc8dc513 (dev), c9478b890 (6.5), 70f48ca97 (6.6), 7076e8e9f (tqtc/lts-6.2)
Sprint:
Foundation PM Prioritized

Description

Build the attached project with a developer build of Qt:

qt-cmake -S /tmp/report/ && cmake --build . --parallel

Run the resulting program and pass the attached xml file:

./report 54551.xml

It crashes with a failed assert:

ASSERT: "len >= 0" in file /home/qtrob/dev/g++-12.2.0/qt-6.4.1-nowebengine-devbld/qtbase/include/QtCore/../../../../../src/qt-6.4.1/qtbase/src/corelib/text/qstringview.h, line 146
Aborted (core dumped)

gdb give me this backtrace:

#0  0x00007ffff70a164c in ?? () from /usr/lib/libc.so.6
#1  0x00007ffff7051958 in raise () from /usr/lib/libc.so.6
#2  0x00007ffff703b53d in abort () from /usr/lib/libc.so.6
#3  0x00007ffff76c3c32 in qAbort ()
    at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qglobal.cpp:3369
#4  0x00007ffff76d49be in qt_message_fatal (context=..., message=...)
    at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qlogging.cpp:1916
#5  0x00007ffff76d0e82 in QMessageLogger::fatal (this=0x7fffffffda70, 
    msg=0x7ffff7bb5ea8 "ASSERT: \"%s\" in file %s, line %d")
    at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qlogging.cpp:850
#6  0x00007ffff76c3a66 in qt_assert (assertion=0x7ffff7bb245a "len >= 0", 
    file=0x7ffff7bb2470 "/home/qtrob/dev/g++-12.2.0/qt-6.4.1-nowebengine-devbld/qtbase/include/QtCore/../../../../../src/qt-6.4.1/qtbase/src/corelib/text/qstringview.h", line=146)
    at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qglobal.cpp:3276
#7  0x00007ffff76bed13 in QStringView::QStringView<QChar, true> (
    this=0x7fffffffdaf0, str=0x55555558375e, len=-2325)
    at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/text/qstringview.h:146
#8  0x00007ffff7895566 in QtPrivate::XmlStringRef::view (this=0x7fffffffdd20)
    at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/serialization/qxmlstream_p.h:60
#9  0x00007ffff78954d6 in QtPrivate::XmlStringRef::operator QStringView (
    this=0x7fffffffdd20)
--Type <RET> for more, q to quit, c to continue without paging--c
   alization/qxmlstream_p.h:57
#10 0x00007ffff78883e1 in QXmlStreamReaderPrivate::parse (this=0x555555559ff0) at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/serialization/qxmlstreamparser_p.h:789
#11 0x00007ffff788a83f in QXmlStreamReader::readNext (this=0x7fffffffde58) at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/serialization/qxmlstream.cpp:561
#12 0x00005555555552ec in main ()

Google's oss-fuzz found this as issue 54551. They will publish their report on March 24th, the latest.