QTBUG-43513: QXmlStreamReader infinite loop with specially crafted input

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3: Somewhat important
    • Resolution: Done
    • Affects Version/s: 4.8.6, 5.3.2, 5.4.0
    • Fix Version/s: 5.4.1
    • Labels:
    • Environment:

      Debian/Jessie amd64 with qt-4.8.6 and qt-5.3.2
      OpenBSD-current amd64 with qt-4.8.6

    • Commits:
      817800ad39df10ca78e2c965a61d4d2025df622b

      Description

      With specially crafted input (found with afl), QXmlStreamReader gets into an infinite loop consuming 100% CPU. To reproduce, compile the attached reader.cc and run it like this:

      ./reader input.xml

      The second call to reader.readNext() won't return and enters an infinite loop.

      When running in gdb and interrupted, the backtrace looks like this:

      (gdb) bt
      #0 0x00001dc2d8b9ae23 in QXmlStreamReaderPrivate::scanUntil () from /usr/local/lib/libQtCore.so.9.0
      #1 0x00001dc2d8ba0c00 in QXmlStreamReaderPrivate::parse () from /usr/local/lib/libQtCore.so.9.0
      #2 0x00001dc2d8ba5279 in QXmlStreamReader::readNext () from /usr/local/lib/libQtCore.so.9.0
      #3 0x00001dc0a2b01935 in main () from /home/ralf/dev/qt/reader

      Attachments:
      1. input.xml (0.1 kB, Ralf Horstmann)
      2. reader.cc (0.3 kB, Ralf Horstmann)
      3. reader.pro (0.0 kB, Ralf Horstmann)

      Activity

      Thiago Macieira added a comment -

      Hmm... NUL in the XML header.

      Thiago Macieira added a comment -

      Confirmed on 5.4.0 too.

      Thiago Macieira added a comment -

      https://codereview.qt-project.org/102587

      Richard Moore (qtnetwork) added a comment -

      This was fixed months ago.
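As an added example (not from the report, the attached reader.cc, or Qt itself): a pre-parse check that a consuming application can run on untrusted bytes before handing them to QXmlStreamReader, rejecting the NUL in the XML declaration that triggered this loop along with every other code point XML 1.0 forbids. It assumes UTF-8 input and uses only standard C++, with no Qt dependency; the function and variable names are my own.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// XML 1.0 "Char": #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF].
// U+0000 is not in it, so a NUL anywhere in the document is a hard error, not data.
static bool isXmlChar(uint32_t cp) {
    return cp == 0x9 || cp == 0xA || cp == 0xD ||
           (cp >= 0x20 && cp <= 0xD7FF) ||
           (cp >= 0xE000 && cp <= 0xFFFD) ||
           (cp >= 0x10000 && cp <= 0x10FFFF);
}

// Decode one UTF-8 sequence at data[pos]; false on malformed or overlong input (e.g. C0 80 for NUL).
static bool decodeUtf8(const std::string& data, size_t pos, uint32_t& cp, size_t& len) {
    unsigned char b0 = static_cast<unsigned char>(data[pos]);
    if (b0 < 0x80) { cp = b0; len = 1; return true; }
    if ((b0 & 0xE0) == 0xC0)      { len = 2; cp = b0 & 0x1F; }
    else if ((b0 & 0xF0) == 0xE0) { len = 3; cp = b0 & 0x0F; }
    else if ((b0 & 0xF8) == 0xF0) { len = 4; cp = b0 & 0x07; }
    else return false;  // stray continuation byte or invalid lead byte
    if (pos + len > data.size()) return false;  // truncated sequence
    for (size_t i = 1; i < len; ++i) {
        unsigned char b = static_cast<unsigned char>(data[pos + i]);
        if ((b & 0xC0) != 0x80) return false;
        cp = (cp << 6) | (b & 0x3F);
    }
    static const uint32_t minCp[5] = {0, 0, 0x80, 0x800, 0x10000};
    return cp >= minCp[len];  // reject overlong forms
}

// Byte offset of the first malformed or non-XML character, or -1 if the buffer is clean.
// Assumes UTF-8 (the XML default without a BOM); UTF-16 input legitimately contains
// 0x00 bytes and must be transcoded before this check.
long firstIllegalXmlByte(const std::string& data) {
    size_t pos = 0;
    while (pos < data.size()) {
        uint32_t cp = 0; size_t len = 0;
        if (!decodeUtf8(data, pos, cp, len) || !isXmlChar(cp)) return static_cast<long>(pos);
        pos += len;
    }
    return -1;
}

int main() {
    // Constructed input modelled on the report: a NUL byte inside the XML declaration.
    const std::string crafted("<?xml version=\"1.0\"\0?><a/>", 26);
    long off = firstIllegalXmlByte(crafted);
    std::printf("first illegal byte at offset %ld\n", off);  // 19: do not hand this to the parser
    return off == -1 ? 0 : 1;
}
```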

      People

      • Assignee: Thiago Macieira
      • Reporter: Ralf Horstmann
      • Votes: 0
      • Watchers: 3


              Gerrit Reviews

              There are no open Gerrit changes