Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-69449

QPpmHandler crashes when malformed image causes dividing by zero (SIGFPE)

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • P1: Critical
    • 5.9.7, 5.11.2
    • 5.12
    • Image formats
    • None
    • Ubuntu 18.04
      4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
    • Linux/Wayland

    Description

      1. Created a short source code that uses QImage::load()
      2. Fed the compiled program with a malformed .ppm image (mutated by AFL-fuzzer)
      3. Assumed that the QImage would fail gracefully
      4. SIGFPE crash instead

      Stackstrace:

      scale_pbm_color(unsigned short, unsigned short, unsigned short, unsigned short) (gv=..., bv=..., mx=..., rv=...) at image/qppmhandler.cpp:126
      read_pbm_body(QIODevice*, char, int, int, int, QImage*) (device=..., w=..., h=..., mcc=..., outImage=..., type=...) at image/qppmhandler.cpp:193
      QPpmHandler::read(QImage*) (this=..., image=...) at image/qppmhandler.cpp:509
      QImageReader::read(QImage*) (this=..., image=...) at image/qimagereader.cpp:1253
      QImageReader::read() (this=...) at image/qimagereader.cpp:1201
      QImage::load(QString const&, char const*) (this=..., fileName=..., format=...) at image/qimage.cpp:3430
      main(int, char**) (argc=..., argv=...) at main.cpp:15

       

      Quick analysis:

      scale_pbm_color expects unsigned short, but mcc that gets passed from read_pbm_body is int. Conversion from from int to unsigned short truncates the value to zero, which causes division by zero.

      Possible fix:

      Do a quick sanity check in read_pbm_body to ensure that the conversion is meaningful.

      Attachments

        For Gerrit Dashboard: QTBUG-69449
        # Subject Branch Project Status CR V

        Activity

          People

            vgt Eirik Aavitsland
            joni.ahonen Joni Ahonen
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes