Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-124806

ASAN (fuzzing): dangling pointer deref in qpaintengineex_lineTo eventually called from QSvgPath::drawCommand

    XMLWordPrintable

Details

    Description

      https://oss-fuzz.com/testcase-detail/6052357701763072

      ==2162==ERROR: AddressSanitizer: SEGV on unknown address 0x40020000 (pc 0x09c5ad3a bp 0xffba2638 sp 0xffba2600 T0)
	==2162==The signal is caused by a WRITE memory access.
	    #0 0x9c5ad3a in add /src/qt/qtbase/src/gui/painting/qdatabuffer_p.h:66:21
	    #1 0x9c5ad3a in qpaintengineex_lineTo(double, double, void*) /src/qt/qtbase/src/gui/painting/qpaintengineex.cpp:312:35
	    #2 0x9e3c9b9 in QStroker::joinPoints(double, double, QLineF const&, QStroker::LineJoinMode) /src/qt/qtbase/src/gui/painting/qstroker.cpp:0
	    #3 0x9e334cb in QStroker::processCurrentSubpath() /src/qt/qtbase/src/gui/painting/qstroker.cpp:394:9
	    #4 0x9e43692 in moveTo /src/qt/qtbase/src/gui/painting/qstroker_p.h:286:9
	    #5 0x9e43692 in qdashstroker_moveTo(double, double, void*) /src/qt/qtbase/src/gui/painting/qstroker.cpp:965:26
	    #6 0x9e46e25 in emitMoveTo /src/qt/qtbase/src/gui/painting/qstroker_p.h:268:5
	    #7 0x9e46e25 in QDashStroker::processCurrentSubpath() /src/qt/qtbase/src/gui/painting/qstroker.cpp:1222:25
	    #8 0x9e48e95 in end /src/qt/qtbase/src/gui/painting/qstroker.cpp:185:9
	    #9 0x9e48e95 in QDashStroker::end() /src/qt/qtbase/src/gui/painting/qstroker_p.h:362:18
	    #10 0x9c56bdc in QPaintEngineEx::stroke(QVectorPath const&, QPen const&) /src/qt/qtbase/src/gui/painting/qpaintengineex.cpp:499:27
	    #11 0x9c000e5 in QRasterPaintEngine::stroke(QVectorPath const&, QPen const&) /src/qt/qtbase/src/gui/painting/qpaintengine_raster.cpp:1610:25
	    #12 0x9c5ef9e in QPaintEngineEx::draw(QVectorPath const&) /src/qt/qtbase/src/gui/painting/qpaintengineex.cpp:596:9
	    #13 0x9c65dab in QPaintEngineEx::drawPath(QPainterPath const&) /src/qt/qtbase/src/gui/painting/qpaintengineex.cpp:835:9
	    #14 0x9c82d6e in QPainter::drawPath(QPainterPath const&) /src/qt/qtbase/src/gui/painting/qpainter.cpp:0
	    #15 0x90e4e53 in QSvgPath::drawCommand(QPainter*, QSvgExtraStates&) /src/qt/qtsvg/src/svg/qsvggraphics.cpp:112:8
	    #16 0x908acf0 in QSvgNode::fillThenStroke(QPainter*, QSvgExtraStates&) /src/qt/qtsvg/src/svg/qsvgnode.cpp:101:9
	    #17 0x9087c90 in QSvgNode::draw(QPainter*, QSvgExtraStates&) /src/qt/qtsvg/src/svg/qsvgnode.cpp:71:17
	    #18 0x8f8a66a in QSvgTinyDocument::draw(QPainter*, QRectF const&) /src/qt/qtsvg/src/svg/qsvgtinydocument.cpp:258:19
	    #19 0x8f8f83a in QSvgTinyDocument::draw(QPainter*) /src/qt/qtsvg/src/svg/qsvgtinydocument.cpp:406:5
	    #20 0x8f80c22 in QSvgRenderer::render(QPainter*) /src/qt/qtsvg/src/svg/qsvgrenderer.cpp:456:20
	    #21 0x81af958 in LLVMFuzzerTestOneInput /src/qt/qtsvg/tests/libfuzzer/svg/qsvgrenderer/render/main.cpp:24:14
	    #22 0x80b727e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
	    #23 0x80a24de in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
	    #24 0x80a80e0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
	    #25 0x80d0a67 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
	    #26 0xf7c4eed4 in __libc_start_main
	    #27 0x80999a5 in _start

      Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          People

            vgt Eirik Aavitsland
            srutledg Shawn Rutledge
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:

              Gerrit Reviews

                There are no open Gerrit changes