Details
Type: Bug
Resolution: Fixed
Priority: P1: Critical
Versions: 6.6.0, 6.8
Environment: Ubuntu 22.04 LTS, clang 14.0.0
Commits: e47bbb0c8 (dev), 36f297060 (6.7), 7533b621e (dev)
Description
- Have a build of Qt including qtsvg. No sanitizers are needed.
- Build the attached project:
  qt-cmake /tmp/report/ && cmake --build .
- Run the resulting binary, passing the attached input file as a parameter:
  ./report /tmp/report/61586.svg
The program crashes when dereferencing a null pointer:
1 QHash<QString, QSvgRefCounter<QSvgFont>>::valueImpl<QString, QHash<QString, QSvgRefCounter<QSvgFont>>::value(QString const&) const::{lambda()#1}>(QString const&, QHash<QString, QSvgRefCounter<QSvgFont>>::value(QString const&) const::{lambda()#1}&&) const qhash.h 1046 0x7ffff7f7afcf
2 QHash<QString, QSvgRefCounter<QSvgFont>>::value qhash.h 1056 0x7ffff7f7af6d
3 QHash<QString, QSvgRefCounter<QSvgFont>>::operator[] qhash.h 1083 0x7ffff7f77daf
4 QSvgTinyDocument::svgFont qsvgtinydocument.cpp 363 0x7ffff7f769ad
5 parseFont qsvghandler.cpp 1353 0x7ffff7f114f3
6 parseStyle qsvghandler.cpp 2386 0x7ffff7f0fc08
7 parseStyle qsvghandler.cpp 2429 0x7ffff7f05896
8 cssStyleLookup qsvghandler.cpp 2071 0x7ffff7f0f60d
9 parseStopNode qsvghandler.cpp 3879 0x7ffff7f22823
10 QSvgHandler::startElement qsvghandler.cpp 4776 0x7ffff7f02b98
11 QSvgHandler::parse qsvghandler.cpp 4571 0x7ffff7f00ef3
12 QSvgHandler::init qsvghandler.cpp 4471 0x7ffff7f00b24
13 QSvgHandler::QSvgHandler qsvghandler.cpp 4444 0x7ffff7f00a24
14 QSvgTinyDocument::load qsvgtinydocument.cpp 214 0x7ffff7f75427
15 loadDocument<QByteArray> qsvgrenderer.cpp 400 0x7ffff7f5391a
16 QSvgRenderer::load qsvgrenderer.cpp 430 0x7ffff7f52f04
17 QSvgRenderer::QSvgRenderer qsvgrenderer.cpp 146 0x7ffff7f52eb6
18 main main.cpp 13 0x555555555354
Google's oss-fuzz found this as issue 61586.