Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-139073

The QRingBuffer::free function contains an integer overflow vulnerability, which may cause bufferSize to become negative.

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: P2: Important P2: Important
    • None
    • 6.10.0 Beta2
    • Core: Containers and Algorithms
    • None
    • Operating System: Linux 4.19.0-amd64-desktop
      Compiler: GCC with C++17
      Qt Version: Qt 6.x
      Architecture: x86_64
      Memory: 64-bit system
    • All

        1. Bug Description

      An integer overflow issue was discovered in the QRingBuffer::free function, which can cause bufferSize to become negative when processing large chunks.

        1. Problem Location
      • File: src/corelib/tools/qringbuffer.cpp
      • Function: QRingBuffer::free()
      • Line: 99
        1. Problematic Code
          ```cpp
          void QRingBuffer::free(qint64 bytes)
          {
              Q_ASSERT(bytes <= bufferSize);
              
              while (bytes > 0)
          Unknown macro: {        const qint64 chunkSize = buffers.constFirst().size();                if (buffers.size() == 1 || chunkSize > bytes) {             // ... handle single chunk         }                bufferSize -= chunkSize;  // Line 99}

          }
          ```

        1. Trigger Conditions
      • When QRingBuffer contains chunks close to the qint64 maximum value
      • Especially when chunkSize > bufferSize
        1. Impact
      • bufferSize becomes negative
      • Causes subsequent Q_ASSERT checks to fail
      • May cause program crashes
      • Affects I/O operations that depend on QRingBuffer
        1. Verification Method
          Created test script to verify this bug:
      • Added two chunks close to qint64 maximum value
      • Called free function
      • Observed bufferSize changing from 9223372036854774807 to -2002
        1. Fix Recommendation
          Add overflow check before bufferSize -= chunkSize:
          ```cpp
          if (Q_UNLIKELY(chunkSize > bufferSize)) {     bufferSize = 0;     break; }

          bufferSize -= chunkSize;
          ```

        1. Steps to Reproduce
          1. Create a QRingBuffer with large chunks (close to qint64 max)
          2. Call the free() function
          3. Observe bufferSize becoming negative
          4. Program may crash due to failed assertions
        1. Test Results

      — Test 3: Integer underflow trigger ---Added chunk of size: 9223372036854774807Current bufferSize: 9223372036854774807Added chunk of size: 9223372036854774807Current bufferSize: -2002 ← Integer underflow!Total buffer size before free: -2002This should trigger integer underflow...=== Starting free operation ===Requested to free: 9223372036854774807 bytesInitial bufferSize: -2002Assertion bytes <= bufferSize' failed. Program crashed with core dump. ``

        1. build_and_run_test.sh
          2 kB
          mengci cai
        2. run_simple_test.sh
          2 kB
          mengci cai
        3. test_qringbuffer_simple.cpp
          7 kB
          mengci cai
        For Gerrit Dashboard: QTBUG-139073
        # Subject Branch Project Status CR V
        667444,1 corelib: fix integer overflow in QRingBuffer::free() and related functions dev qt/qtbase Status: NEW -1 0

            thiago Thiago Macieira
            caimengci_uniontech mengci cai
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:

                There is 1 open Gerrit change