Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-57553

QString::fromRawData heap buffer overflow found with libFuzzer

    XMLWordPrintable

Details

    • Bug
    • Resolution: Invalid
    • P1: Critical
    • None
    • 5.7.0
    • Core: QString and Unicode
    • None
    • ArchLinux
      clang-3.9
      qtbase-5.7

    Description

      Hi Qt developers,

      test_fuzzer.cpp
      extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) 
{
    qDebug() << "DEBUG:" << __PRETTY_FUNCTION__ << *argc;
    qDebug() << "DEBUG:" << __PRETTY_FUNCTION__ << *argv[0];
    return 0;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) 
{
    qDebug() << "DEBUG:" << __PRETTY_FUNCTION__ << QString::fromRawData((const QChar *)Data, Size);
    return 0;
}

      CMakeLists.txt and clang++ build parameter can be found here https://github.com/LeetcodeCN/leetcodecn.github.io/tree/master/src/qtbase

      ./test_fuzzer (without provided corpus)
      DEBUG: int LLVMFuzzerInitialize(int *, char ***) 1
DEBUG: int LLVMFuzzerInitialize(int *, char ***) ./test_fuzzer
INFO: Seed: 3156976563
INFO: Loaded 0 modules (0 guards): 
INFO: -max_len is not provided, using 64
INFO: A corpus is not provided, starting from an empty corpus
#0      READ units: 1
#1      INITED cov: 107 bits: 104 corp: 1/1b exec/s: 0 rss: 20Mb
DEBUG: int LLVMFuzzerTestOneInput(const uint8_t *, size_t) "ਊ\u0000"
DEBUG: int LLVMFuzzerTestOneInput(const uint8_t *, size_t) "\u0001\u0000\u0000\u0000ਊ\u0000\u0000\u0000\u0002\u0000"
DEBUG: int LLVMFuzzerTestOneInput(const uint8_t *, size_t) "\u0001\u0000\uFFFF\uFFFF\uFFFF\uFFFF\u0000\u0000ਊ\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000"
#4      NEW    cov: 110 bits: 107 corp: 2/19b exec/s: 0 rss: 21Mb L: 18 MS: 3 CopyPart-CMP-CMP- DE: "\x01\x00\x00\x00\x00\x00\x00\x00"-"\xff\xff\xff\xff\xff\xff\xff\xff"-
DEBUG: int LLVMFuzzerTestOneInput(const uint8_t *, size_t) "\uFFFF\uFFFF\uFFFF\uFFFF\uFFFF\uFFFF\u0000\u0000ਊ\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000"
==23824==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000e933 at pc 0x000000468e12 bp 0x7ffc87217e20 sp 0x7ffc872175d0  
READ of size 2 at 0x60600000e933 thread T0  
   #0 0x468e11 in __interceptor_memcpy.part.45 (/data/project/LeetcodeCN/leetcodecn.github.io/src/qtbase/build/test_fuzzer+0x468e11) 
   #1 0x7f49243498b1 in QString::append(QChar const*, int) (/usr/lib/libQt5Core.so.5+0x1338b1) 
   #2 0x7f49243ae9c6 in QDebug::putString(QChar const*, unsigned long) (/usr/lib/libQt5Core.so.5+0x1989c6) 
   #3 0x511df8 in QDebug::operator<<(QString const&) /usr/include/qt/QtCore/qdebug.h:154:52

      Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          People

            thiago Thiago Macieira
            lesliezhai Leslie Zhai
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes