
heap-buffer-overflow when running SegmentedControl patch example



    Description

      1. Checkout https://codereview.qt-project.org/c/qt/qtdeclarative/+/476568/1
      2. Run the following example with QT_QUICK_CONTROLS_STYLE=Imagine:
      // Reproducer for QTBUG-113476. With the patch from step 1 applied and
      // QT_QUICK_CONTROLS_STYLE=Imagine (step 2), loading this file trips
      // AddressSanitizer: the trace below shows QQuickSegmentedControl::isDown()
      // reading one byte immediately past the 520-byte region that
      // QQuickControl's constructor allocated, while the control's deferred
      // background is being completed (QQuickControl::componentComplete ->
      // executeBackground -> completeDeferred -> binding evaluation -> isDown).
      // NOTE(review): the binding that reads `down` presumably lives in the
      // style's background delegate, not in this file -- confirm against the
      // Imagine SegmentedControl implementation. The allocation size mismatch
      // looks like the control being created with the base class's private
      // data object; that is an inference from the trace, not shown here.
      import QtQuick
      import QtQuick.Controls
      
      ApplicationWindow {
          id: root
          width: 640
          height: 480
          visible: true
      
          // The control under test. Nothing below is required for the crash
          // beyond instantiating it under the Imagine style; the segments just
          // make the example look like a real segmented control.
          SegmentedControl {
              id: control
              // Group every child of the Row; exclusive is off so the segments
              // toggle independently rather than radio-style.
              ButtonGroup {
                  buttons: control.contentItem.children
                  exclusive: false
              }
              contentItem: Row {
                  spacing: control.spacing
                  // First and last segments use the Left/Right edge sets; the
                  // two inner segments only declare their Top/Bottom edges.
                  ButtonSegment {
                      edges: ButtonSegment.TopLeftEdges | ButtonSegment.BottomLeftEdges
                      checkable: true
                      text: qsTr("Segment 1")
                  }
                  SegmentSeparator {}
                  ButtonSegment {
                      edges: ButtonSegment.TopEdge | ButtonSegment.BottomEdge
                      checkable: true
                      text: qsTr("Segment 2")
                  }
                  SegmentSeparator {}
                  ButtonSegment {
                      edges: ButtonSegment.TopEdge | ButtonSegment.BottomEdge
                      checkable: true
                      text: qsTr("Segment 3")
                  }
                  SegmentSeparator {}
                  ButtonSegment {
                      edges: ButtonSegment.TopRightEdges | ButtonSegment.BottomRightEdges
                      checkable: true
                      text: qsTr("Segment 4")
                  }
              }
          }
      }
      
      13:25:09: Starting /home/mitch/dev/temp/quick-qt_dev2_debug-Debug/quick...
      QML debugging is enabled. Only use this in a safe environment.
      qt.qpa.plugin: Could not find the Qt platform plugin "wayland" in ""
      =================================================================
      ==47903==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600000e988 at pc 0x7fbdbaa6da37 bp 0x7ffc9ce35d00 sp 0x7ffc9ce35cf0
      READ of size 1 at 0x61600000e988 thread T0
          #0 0x7fbdbaa6da36 in QQuickSegmentedControl::isDown() const /home/mitch/dev/qt-dev2/qtdeclarative/src/quicktemplates/qquicksegmentedcontrol.cpp:22
          #1 0x7fbdba88bb7e in QQuickSegmentedControl::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt-dev2-debug/qtdeclarative/src/quicktemplates/QuickTemplates2_autogen/EWIEGA46WW/moc_qquicksegmentedcontrol_p.cpp:182
          #2 0x7fbdc763394a in QQmlPropertyData::readPropertyWithArgs(QObject*, void**) const /home/mitch/dev/qt-dev2-debug/qtbase/include/QtQml/6.6.0/QtQml/private/../../../../../../../qt-dev2/qtdeclarative/src/qml/qml/qqmlpropertydata_p.h:328
          #3 0x7fbdc763389b in QQmlPropertyData::readProperty(QObject*, void*) const /home/mitch/dev/qt-dev2-debug/qtbase/include/QtQml/6.6.0/QtQml/private/../../../../../../../qt-dev2/qtdeclarative/src/qml/qml/qqmlpropertydata_p.h:311
          #4 0x7fbdc760a291 in loadProperty /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:142
          #5 0x7fbdc760c08f in QV4::QObjectWrapper::getProperty(QV4::ExecutionEngine*, QV4::Heap::Object*, QObject*, QQmlPropertyData const*, QFlags<QV4::QObjectWrapper::Flag>) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:289
          #6 0x7fbdc758f4f7 in lookupPropertyGetterImpl<QV4::Lookup::getterQObject(QV4::Lookup*, QV4::ExecutionEngine*, const QV4::Value&)::<lambda()> > /home/mitch/dev/qt-dev2-debug/qtbase/include/QtQml/6.6.0/QtQml/private/../../../../../../../qt-dev2/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper_p.h:298
          #7 0x7fbdc758cd0c in QV4::Lookup::getterQObject(QV4::Lookup*, QV4::ExecutionEngine*, QV4::Value const&) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/jsruntime/qv4lookup.cpp:416
          #8 0x7fbdc7618a0a in QV4::QObjectWrapper::virtualResolveLookupGetter(QV4::Object const*, QV4::ExecutionEngine*, QV4::Lookup*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1026
          #9 0x7fbdc7590599 in QV4::Object::resolveLookupGetter(QV4::ExecutionEngine*, QV4::Lookup*) const /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/jsruntime/qv4object_p.h:342
          #10 0x7fbdc758900e in QV4::Lookup::resolveGetter(QV4::ExecutionEngine*, QV4::Object const*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/jsruntime/qv4lookup.cpp:36
          #11 0x7fbdc758a6ed in QV4::Lookup::getterGeneric(QV4::Lookup*, QV4::ExecutionEngine*, QV4::Value const&) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/jsruntime/qv4lookup.cpp:113
          #12 0x7fbdc7778f1f in QV4::Moth::VME::interpret(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*, char const*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:771
          #13 0x7fbdc7770e09 in QV4::Moth::VME::exec(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:584
          #14 0x7fbdc7514e26 in doCall /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/jsruntime/qv4function.cpp:54
          #15 0x7fbdc7515170 in QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/jsruntime/qv4function.cpp:79
          #16 0x7fbdc7a9e9fe in QQmlJavaScriptExpression::evaluate(QV4::CallData*, bool*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:238
          #17 0x7fbdc788fdef in QQmlBinding::evaluate(bool*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlbinding.cpp:188
          #18 0x7fbdc7895b6f in QQmlBinding::doUpdate(QQmlJavaScriptExpression::DeleteWatcher const&, QFlags<QQmlPropertyData::WriteFlag>, QV4::Scope&) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlbinding.cpp:698
          #19 0x7fbdc788fa7d in QQmlBinding::update(QFlags<QQmlPropertyData::WriteFlag>) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlbinding.cpp:164
          #20 0x7fbdc789458e in QQmlBinding::setEnabled(bool, QFlags<QQmlPropertyData::WriteFlag>) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlbinding.cpp:619
          #21 0x7fbdc7b6aab8 in QQmlObjectCreator::finalize(QQmlInstantiationInterrupt&) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1431
          #22 0x7fbdc790d9cf in QQmlComponentPrivate::complete(QQmlEnginePrivate*, QQmlComponentPrivate::ConstructionState*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1124
          #23 0x7fbdc790d84a in QQmlComponentPrivate::completeDeferred(QQmlEnginePrivate*, std::vector<QQmlComponentPrivate::ConstructionState, std::allocator<QQmlComponentPrivate::ConstructionState> >*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1117
          #24 0x7fbdba944bb5 in QtQuickPrivate::completeDeferred(QObject*, QString const&, QQuickUntypedDeferredPointer*) /home/mitch/dev/qt-dev2/qtdeclarative/src/quicktemplates/qquickdeferredexecute.cpp:130
          #25 0x7fbdba8a42aa in void quickCompleteDeferred<QQuickItem>(QObject*, QString const&, QQuickDeferredPointer<QQuickItem>&) /home/mitch/dev/qt-dev2/qtdeclarative/src/quicktemplates/qquickdeferredexecute_p_p.h:54
          #26 0x7fbdba930d2d in QQuickControlPrivate::executeBackground(bool) /home/mitch/dev/qt-dev2/qtdeclarative/src/quicktemplates/qquickcontrol.cpp:769
          #27 0x7fbdba935c08 in QQuickControl::componentComplete() /home/mitch/dev/qt-dev2/qtdeclarative/src/quicktemplates/qquickcontrol.cpp:1975
          #28 0x7fbdc7b6b287 in QQmlObjectCreator::finalize(QQmlInstantiationInterrupt&) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1480
          #29 0x7fbdc790d9cf in QQmlComponentPrivate::complete(QQmlEnginePrivate*, QQmlComponentPrivate::ConstructionState*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1124
          #30 0x7fbdc790e727 in QQmlComponentPrivate::completeCreate() /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1229
          #31 0x7fbdc790e2a5 in QQmlComponent::completeCreate() /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1207
          #32 0x7fbdc790b8ed in QQmlComponentPrivate::createWithProperties(QObject*, QMap<QString, QVariant> const&, QQmlContext*, QQmlComponentPrivate::CreateBehavior) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:945
          #33 0x7fbdc790b599 in QQmlComponent::create(QQmlContext*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:896
          #34 0x7fbdc7884f7e in QQmlApplicationEnginePrivate::finishLoad(QQmlComponent*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:135
          #35 0x7fbdc788565c in QQmlApplicationEnginePrivate::ensureLoadingFinishes(QQmlComponent*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:162
          #36 0x7fbdc7884668 in QQmlApplicationEnginePrivate::startLoad(QUrl const&, QByteArray const&, bool) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:109
          #37 0x7fbdc7885e08 in QQmlApplicationEngine::load(QUrl const&) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:324
          #38 0x5618f7d82c8a in main /home/mitch/dev/temp/quick/main.cpp:18
          #39 0x7fbdc1e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
          #40 0x7fbdc1e29e3f in __libc_start_main_impl ../csu/libc-start.c:392
          #41 0x5618f7d825e4 in _start (/home/mitch/dev/temp/quick-qt_dev2_debug-Debug/quick+0x25e4)
      
      0x61600000e988 is located 0 bytes to the right of 520-byte region [0x61600000e780,0x61600000e988)
      allocated by thread T0 here:
          #0 0x7fbdcaab61c7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
          #1 0x7fbdba93218a in QQuickControl::QQuickControl(QQuickItem*) /home/mitch/dev/qt-dev2/qtdeclarative/src/quicktemplates/qquickcontrol.cpp:923
          #2 0x7fbdbaa6d95a in QQuickSegmentedControl::QQuickSegmentedControl(QQuickItem*) /home/mitch/dev/qt-dev2/qtdeclarative/src/quicktemplates/qquicksegmentedcontrol.cpp:14
          #3 0x7fbdbac16730 in QQmlPrivate::QQmlElement<QQuickSegmentedControl>::QQmlElement() /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlprivate.h:94
          #4 0x7fbdbac167c3 in void QQmlPrivate::createInto<QQuickSegmentedControl>(void*, void*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlprivate.h:169
          #5 0x7fbdc7cbd1c8 in QQmlType::create(void**, unsigned long) const /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmltype.cpp:479
          #6 0x7fbdc7cbd355 in QQmlType::createWithQQmlData() const /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmltype.cpp:494
          #7 0x7fbdc7b68753 in QQmlObjectCreator::createInstance(int, QObject*, bool) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1234
          #8 0x7fbdc7b57048 in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*, int) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:199
          #9 0x7fbdc7b69261 in QQmlObjectCreator::createInstance(int, QObject*, bool) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1272
          #10 0x7fbdc7b62096 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:823
          #11 0x7fbdc7b60159 in QQmlObjectCreator::setupBindings(QFlags<QQmlObjectCreator::BindingMode>) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:764
          #12 0x7fbdc7b6f3a7 in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1694
          #13 0x7fbdc7b6a227 in QQmlObjectCreator::createInstance(int, QObject*, bool) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1372
          #14 0x7fbdc7b57048 in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*, int) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:199
          #15 0x7fbdc790cce1 in QQmlComponentPrivate::beginCreate(QQmlRefPointer<QQmlContextData>) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1057
          #16 0x7fbdc790bd27 in QQmlComponent::beginCreate(QQmlContext*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:992
          #17 0x7fbdc790625b in QQmlComponentPrivate::doBeginCreate(QQmlComponent*, QQmlContext*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:335
          #18 0x7fbdc790b762 in QQmlComponentPrivate::createWithProperties(QObject*, QMap<QString, QVariant> const&, QQmlContext*, QQmlComponentPrivate::CreateBehavior) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:929
          #19 0x7fbdc790b599 in QQmlComponent::create(QQmlContext*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:896
          #20 0x7fbdc7884f7e in QQmlApplicationEnginePrivate::finishLoad(QQmlComponent*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:135
          #21 0x7fbdc788565c in QQmlApplicationEnginePrivate::ensureLoadingFinishes(QQmlComponent*) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:162
          #22 0x7fbdc7884668 in QQmlApplicationEnginePrivate::startLoad(QUrl const&, QByteArray const&, bool) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:109
          #23 0x7fbdc7885e08 in QQmlApplicationEngine::load(QUrl const&) /home/mitch/dev/qt-dev2/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:324
          #24 0x5618f7d82c8a in main /home/mitch/dev/temp/quick/main.cpp:18
          #25 0x7fbdc1e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
      
      SUMMARY: AddressSanitizer: heap-buffer-overflow /home/mitch/dev/qt-dev2/qtdeclarative/src/quicktemplates/qquicksegmentedcontrol.cpp:22 in QQuickSegmentedControl::isDown() const
      Shadow bytes around the buggy address:
        0x0c2c7fff9ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c2c7fff9cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c2c7fff9d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c2c7fff9d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c2c7fff9d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c2c7fff9d30: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c2c7fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c2c7fff9d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c2c7fff9d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c2c7fff9d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c2c7fff9d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==47903==ABORTING
      13:25:10: /home/mitch/dev/temp/quick-qt_dev2_debug-Debug/quick exited with code 1
      



          People

            qtqmlteam Qt Qml Team User
            mitch_curtis Mitch Curtis
