Details
- Bug
- Resolution: Done
- P1: Critical
- 5.12
- None
- Ubuntu 18.04
  4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Description
- Created a short program that uses QImage::load()
- Fed the compiled program with a malformed .ppm image (mutated by AFL-fuzzer)
- Assumed that the QImage would fail gracefully
- SIGFPE crash instead
Stack trace:
scale_pbm_color(unsigned short, unsigned short, unsigned short, unsigned short) (gv=..., bv=..., mx=..., rv=...) at image/qppmhandler.cpp:126
read_pbm_body(QIODevice*, char, int, int, int, QImage*) (device=..., w=..., h=..., mcc=..., outImage=..., type=...) at image/qppmhandler.cpp:193
QPpmHandler::read(QImage*) (this=..., image=...) at image/qppmhandler.cpp:509
QImageReader::read(QImage*) (this=..., image=...) at image/qimagereader.cpp:1253
QImageReader::read() (this=...) at image/qimagereader.cpp:1201
QImage::load(QString const&, char const*) (this=..., fileName=..., format=...) at image/qimage.cpp:3430
main(int, char**) (argc=..., argv=...) at main.cpp:15
Quick analysis:
scale_pbm_color expects unsigned short, but mcc that gets passed from read_pbm_body is int. Conversion from int to unsigned short truncates the value to zero, which causes division by zero.
Possible fix:
Do a quick sanity check in read_pbm_body to ensure that the conversion is meaningful.
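The narrowing described in the analysis, shown as an added stand-alone example (not Qt's code and not the merged fix): a scaling helper that takes unsigned short and divides by the maximum value, a caller that narrows an int divisor the way the original call did, and a range check that rejects an out-of-range maxval before the conversion can wrap to zero. The function names scale_channel, truncated_divisor, mcc_is_sane and scale_checked are assumptions made for this example.

```cpp
#include <cstdint>
#include <limits>
#include <optional>

// Hypothetical stand-in for a scaling helper with the same parameter types as the
// one in the stack trace: the inputs are unsigned short and mx is the divisor.
// (Illustrative reconstruction for this example, not Qt's implementation.)
static unsigned short scale_channel(unsigned short v, unsigned short mx)
{
    // Scales a sample in [0, mx] to [0, 255]; divides by mx, so mx == 0 is fatal.
    return static_cast<unsigned short>((v * 255u) / mx);
}

// Before: the caller holds the maximum colour value as int and passes it straight
// through. Converting an int to unsigned short reduces it modulo 65536, so a header
// claiming a maxval of 65536 arrives as 0 and the callee divides by zero (SIGFPE).
static unsigned short truncated_divisor(int mcc)
{
    return static_cast<unsigned short>(mcc); // the implicit narrowing of the original call
}

// After: validate the int before narrowing. A 16-bit sample range only allows a
// maxval in [1, 65535]; anything outside it is a malformed header, not image data.
static bool mcc_is_sane(int mcc)
{
    return mcc >= 1 && mcc <= std::numeric_limits<unsigned short>::max();
}

// Returns nullopt for a malformed maxval or sample instead of crashing.
static std::optional<unsigned short> scale_checked(int value, int mcc)
{
    if (!mcc_is_sane(mcc) || value < 0 || value > mcc)
        return std::nullopt;
    return scale_channel(static_cast<unsigned short>(value),
                         static_cast<unsigned short>(mcc));
}
```

The check belongs in the caller that still holds the int, because once the value has been narrowed the information that it was out of range is gone; a decoder that finds the header inconsistent should fail the load rather than proceed with a wrapped value.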
Attachments
For Gerrit Dashboard: QTBUG-69449

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 235895,2 | Fix crash in qppmhandler for certain malformed image files | 5.11 | qt/qtbase | MERGED | +2 | 0 |
| 236167,2 | Fix crash in qppmhandler for certain malformed image files | 5.9 | qt/qtbase | MERGED | +2 | 0 |
| 236295,2 | Fix crash in qppmhandler for certain malformed image files | 5.6 | qt/qtbase | MERGED | +2 | 0 |