Details

- Type: Bug
- Resolution: Done
- Priority: P2: Important
- 5.0.0 RC 1
- None
- Environment: Linux, Clang trunk/3.3, -sanitize-address
- Code review: https://codereview.qt-project.org/#change,41476
- Commit: 52619ae7787b3c4febb73a02afa623b12edabc97
Description
Many gui/widget unit tests crash due to this buffer overflow in qt_blend_argb32_on_argb32_ssse3:
```
==27512== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f43dd73da20 at pc 0x7f43fec8718b bp 0x7fff10f6d490 sp 0x7fff10f6d488
READ of size 16 at 0x7f43dd73da20 thread T0
    #0 0x7f43fec8718a in qt_blend_argb32_on_argb32_ssse3(unsigned char*, int, unsigned char const*, int, int, int, int) qdrawhelper_ssse3.cpp:159
    #1 0x7f43fff7be29 in QRasterPaintEnginePrivate::drawImage(QPointF const&, QImage const&, void (*)(unsigned char*, int, unsigned char const*, int, int, int, int), QRect const&, int, QRect const&) qpaintengine_raster.cpp:1047
    #2 0x7f43fffb1fdf in QRasterPaintEngine::drawImage(QPointF const&, QImage const&) qpaintengine_raster.cpp:2163
    #3 0x7f43fffaa837 in QRasterPaintEngine::drawPixmap(QPointF const&, QPixmap const&) qpaintengine_raster.cpp:2049
    #4 0x7f44000776c3 in QPainter::drawPixmap(QPointF const&, QPixmap const&) qpainter.cpp:5047
    #5 0x7f44017c6b96 in QPainter::drawPixmap(QPoint const&, QPixmap const&) qpainter.h:778
    #6 0x7f4401d7143e in QGtk2Painter::paintFocus(_GtkWidget*, char const*, QRect const&, GtkStateType, _GtkStyle*, QString const&) qgtk2painter.cpp:449
    #7 0x7f4401d25fc9 in QGtkStyle::drawControl(QStyle::ControlElement, QStyleOption const*, QPainter*, QWidget const*) const qgtkstyle.cpp:3393
    #8 0x7f4401f3fe23 in QStylePainter::drawControl(QStyle::ControlElement, QStyleOption const&) qstylepainter.h:88
    #9 0x7f44023b0ae8 in QPushButton::paintEvent(QPaintEvent*) qpushbutton.cpp:457
    #10 0x7f440178edec in QWidget::event(QEvent*) qwidget.cpp:7990
    #11 0x7f4401e63939 in QAbstractButton::event(QEvent*) qabstractbutton.cpp:1081
    #12 0x7f44023b4b65 in QPushButton::event(QEvent*) qpushbutton.cpp:681
    #13 0x7f440150127a in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3352
    #14 0x7f440151a99c in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3317
    #15 0x7f43fdb906a0 in QCoreApplication::notifyInternal(QObject*, QEvent*) qcoreapplication.cpp:767
    #16 0x7f44015346de in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) qcoreapplication.h:206
    #17 0x7f4401764022 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) qwidget.cpp:5094
    #18 0x7f4401767d58 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) qwidget.cpp:5287
    #19 0x7f44017651e0 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) qwidget.cpp:5143
    #20 0x7f4401767d58 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) qwidget.cpp:5287
    #21 0x7f44017651e0 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) qwidget.cpp:5143
    #22 0x7f440159d7d4 in QWidgetBackingStore::sync() qwidgetbackingstore.cpp:1090
    #23 0x7f4401724413 in QWidgetPrivate::syncBackingStore() qwidget.cpp:1663
    #24 0x7f4401790815 in QWidget::event(QEvent*) qwidget.cpp:8128
    #25 0x7f4402859544 in QMessageBox::event(QEvent*) qmessagebox.cpp:1232
    #26 0x7f440150127a in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3352
    #27 0x7f440151a99c in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3317
    #28 0x7f43fdb906a0 in QCoreApplication::notifyInternal(QObject*, QEvent*) qcoreapplication.cpp:767
    #29 0x7f43fdbacd59 in QCoreApplication::sendEvent(QObject*, QEvent*) qcoreapplication.h:203
    #30 0x7f43fdb998ce in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) qcoreapplication.cpp:1368
    #31 0x7f43fdb94620 in QCoreApplication::sendPostedEvents(QObject*, int) qcoreapplication.cpp:1228
    #32 0x7f43fdffd31b in postEventSourceDispatch(_GSource*, int (*)(void*), void*) qeventdispatcher_glib.cpp:278
    #33 0x7f43fb414d52 in ?? ??:0
0x7f43dd73da20 is located 0 bytes to the right of 6636-byte region [0x7f43dd73c040,0x7f43dd73da2c)
allocated by thread T0 here:
    #0 0x44896a in __interceptor_malloc _asan_rtl_
    #1 0x7f43ff060d76 in QImageData::create(QSize const&, QImage::Format, int) qimage.cpp:169
    #2 0x7f43ff063f48 in QImage qimage.cpp:743
    #3 0x7f43ff06997e in QImage::copy(QRect const&) const qimage.cpp:1114
    #4 0x7f4401d5e8f3 in QGtk2Painter::renderTheme(unsigned char*, unsigned char*, QRect const&) const qgtk2painter.cpp:162
    #5 0x7f4401d710da in QGtk2Painter::paintFocus(_GtkWidget*, char const*, QRect const&, GtkStateType, _GtkStyle*, QString const&) qgtk2painter.cpp:439
    #6 0x7f4401d25fc9 in QGtkStyle::drawControl(QStyle::ControlElement, QStyleOption const*, QPainter*, QWidget const*) const qgtkstyle.cpp:3393
    #7 0x7f4401f3fe23 in QStylePainter::drawControl(QStyle::ControlElement, QStyleOption const&) qstylepainter.h:88
    #8 0x7f44023b0ae8 in QPushButton::paintEvent(QPaintEvent*) qpushbutton.cpp:457
Shadow byte and word:
  0x1fe87bae7b44: 0
  0x1fe87bae7b40: 00 00 00 00 00 04 fb fb
More shadow bytes:
  0x1fe87bae7b20: 00 00 00 00 00 00 00 00
  0x1fe87bae7b28: 00 00 00 00 00 00 00 00
  0x1fe87bae7b30: 00 00 00 00 00 00 00 00
  0x1fe87bae7b38: 00 00 00 00 00 00 00 00
=>0x1fe87bae7b40: 00 00 00 00 00 04 fb fb
  0x1fe87bae7b48: fa fa fa fa fa fa fa fa
  0x1fe87bae7b50: fa fa fa fa fa fa fa fa
  0x1fe87bae7b58: fa fa fa fa fa fa fa fa
  0x1fe87bae7b60: fa fa fa fa fa fa fa fa
Stats: 20M malloced (24M for red zones) by 108601 calls
Stats: 1M realloced by 17554 calls
Stats: 8M freed by 72209 calls
Stats: 0M really freed by 0 calls
Stats: 47M (12195 full pages) mmaped in 77 calls
  mmaps   by size class: 7:94185; 8:14329; 9:3069; 10:2044; 11:1275; 12:768; 13:256; 14:256; 15:32; 16:80; 17:4; 20:3; 23:1;
  mallocs by size class: 7:89139; 8:12901; 9:2593; 10:1545; 11:1165; 12:667; 13:237; 14:246; 15:25; 16:78; 17:1; 20:3; 23:1;
  frees   by size class: 7:61353; 8:6900; 9:1960; 10:999; 11:514; 12:182; 13:68; 14:156; 15:2; 16:75;
  rfrees  by size class:
Stats: malloc large: 108 small slow: 903
==27512== ABORTING
```
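The report above says a 16-byte read (one SSE register, four ARGB32 pixels) touched an address at the very end of a 6636-byte QImage buffer, and the shadow byte `04` at the boundary means only 4 of the last 8 bytes were addressable. 6636 bytes is 1659 four-byte pixels, which is not a multiple of four, so a loop that consumes four pixels per iteration without handling the leftover tail would read exactly 4 bytes past the row. The following C program, added here as an illustration and not taken from Qt or from the merged fix, models that bug class: it computes how far an unchecked four-pixel loop would read past a row of a given width, and shows a blend loop that stays in bounds by processing the last 0 to 3 pixels one at a time. The premultiplied source-over formula, the memcpy stand-in for a SIMD load, and the reading of the report's numbers as a missing-tail case are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define VEC_BYTES 16                     /* one SSE register: 4 ARGB32 pixels */
#define PIXEL_BYTES 4
#define PIXELS_PER_VEC (VEC_BYTES / PIXEL_BYTES)

/* Bytes that a VEC_BYTES-wide load starting at byte `off` reads past a
 * `region_bytes`-byte allocation; 0 when the load stays in bounds. */
size_t overread_bytes(size_t off, size_t region_bytes) {
    size_t end = off + VEC_BYTES;
    return end > region_bytes ? end - region_bytes : 0;
}

/* For a row of `width` pixels walked by a "4 pixels per iteration" loop with
 * no tail handling: how many bytes the final vector load reads past the row.
 * 1659 pixels is the 6636-byte region from the ASan report (assumed reading). */
size_t unchecked_loop_overread(size_t width) {
    if (width == 0) return 0;
    size_t first_pixel_of_last_vec = ((width - 1) / PIXELS_PER_VEC) * PIXELS_PER_VEC;
    return overread_bytes(first_pixel_of_last_vec * PIXEL_BYTES, width * PIXEL_BYTES);
}

/* Scalar premultiplied source-over, dst = src + dst * (255 - src_alpha) / 255,
 * applied per 8-bit channel. Constructed for this example, not Qt's helper. */
uint32_t blend_pixel(uint32_t dst, uint32_t src) {
    uint32_t inv = 255 - (src >> 24);
    uint32_t out = 0;
    for (int shift = 0; shift < 32; shift += 8) {
        uint32_t s = (src >> shift) & 0xFF;
        uint32_t d = (dst >> shift) & 0xFF;
        uint32_t c = s + d * inv / 255;
        out |= (c > 255 ? 255 : c) << shift;
    }
    return out;
}

/* Blend `src` over `dst` in place. Full 16-byte chunks are copied into a
 * temporary with memcpy (standing in for a SIMD load); the remaining 0..3
 * pixels are handled one at a time, so no load crosses the end of either row.
 * Returns the number of full-vector loads performed. */
size_t blend_row(uint32_t *dst, const uint32_t *src, size_t width) {
    size_t vec_loads = 0;
    size_t x = 0;
    for (; x + PIXELS_PER_VEC <= width; x += PIXELS_PER_VEC) {
        uint32_t s[PIXELS_PER_VEC], d[PIXELS_PER_VEC];
        memcpy(s, src + x, VEC_BYTES);   /* in bounds: x + 4 <= width */
        memcpy(d, dst + x, VEC_BYTES);
        for (int i = 0; i < PIXELS_PER_VEC; i++) d[i] = blend_pixel(d[i], s[i]);
        memcpy(dst + x, d, VEC_BYTES);
        vec_loads++;
    }
    for (; x < width; x++)               /* scalar tail, at most 3 pixels */
        dst[x] = blend_pixel(dst[x], src[x]);
    return vec_loads;
}

/* Blends a constructed row of `width` opaque-black pixels with a 50%-alpha
 * red source on exact-size heap buffers (so a sanitizer would flag any
 * overread), stores the vector-load count, and returns the last pixel. */
uint32_t blend_demo_last_pixel(size_t width, size_t *loads_out) {
    uint32_t *dst = malloc(width * PIXEL_BYTES);
    uint32_t *src = malloc(width * PIXEL_BYTES);
    for (size_t i = 0; i < width; i++) { dst[i] = 0xFF000000u; src[i] = 0x80800000u; }
    *loads_out = blend_row(dst, src, width);
    uint32_t last = dst[width - 1];
    free(dst);
    free(src);
    return last;
}

int main(void) {
    size_t loads = 0;
    uint32_t last = blend_demo_last_pixel(7, &loads);   /* one vector + 3-pixel tail */
    printf("7-pixel row: %zu vector load(s), last pixel 0x%08X\n", loads, last);
    printf("unchecked 4-pixel loop on 1659 pixels reads %zu byte(s) past the row\n",
           unchecked_loop_overread(1659));
    return 0;
}
```

Compile with `-fsanitize=address` and the tail-safe loop runs clean on exact-size buffers; the same arithmetic that `unchecked_loop_overread` performs is what turns the report's "READ of size 16" and "0 bytes to the right of 6636-byte region" into the conclusion that one pixel's worth of bytes was read past the allocation.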
For Gerrit Dashboard: QTBUG-28324

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 42835,1 | Fixed invalid memory read in SSSE3 image blending code. | stable | qt/qtbase | MERGED | +2 | 0 |
| 54340,2 | Fixed invalid memory read in SSSE3 image blending code. | 4.8 | qt/qt | MERGED | +2 | 0 |