Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-70269

ASAN: heap-buffer-overflow in qstricmp

    XMLWordPrintable

    Details

    • Platform/s:
      macOS
    • Commits:
      028727c20ca43f1a56bad010354837e238e30024

      Description

      Moc manages to trigger a heap-buffer-overflow when building qtbase:

      lldb -- /Users/erik/dev/builds/qt5.12-debug/qtbase/bin/moc -DQT_NAMESPACE=QtNS -DQT_NO_USING_NAMESPACE -DQT_NO_FOREACH -DQT_NO_NARROWING_CONVERSIONS_IN_CONNECT -DQT_BUILD_CORE_LIB -DQT_BUILDING_QT -DQT_NO_CAST_TO_ASCII -DQT_ASCII_CAST_WARNINGS -DQT_MOC_COMPAT -DQT_USE_QSTRINGBUILDER -DQT_DEPRECATED_WARNINGS -DQT_DISABLE_DEPRECATED_BEFORE=0x050000 -D_LARGEFILE64_SOURCE -D_LARGEFILE_SOURCE -DPCRE2_CODE_UNIT_WIDTH=16 --include /Users/erik/dev/builds/qt5.12-debug/qtbase/src/corelib/.moc/moc_predefs.h -I/Users/erik/dev/qt5.12/qtbase/mkspecs/macx-clang -I/Users/erik/dev/qt5.12/qtbase/src/corelib -I/Users/erik/dev/builds/qt5.12-debug/qtbase/src/corelib/global -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/harfbuzz/src -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/md5 -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/md4 -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/sha3 -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/double-conversion/include -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/double-conversion/include/double-conversion -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/forkfd -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/tinycbor/src -I/Users/erik/dev/builds/qt5.12-debug/qtbase/include -I/Users/erik/dev/builds/qt5.12-debug/qtbase/include/QtCore -I/Users/erik/dev/builds/qt5.12-debug/qtbase/include/QtCore/5.12.0 -I/Users/erik/dev/builds/qt5.12-debug/qtbase/include/QtCore/5.12.0/QtCore -I. -I/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1 -I/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.1.0/include -I/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk/usr/include /Users/erik/dev/qt5.12/qtbase/src/corelib/animation/qabstractanimation.h -o .moc/moc_qabstractanimation.cpp
      
      (lldb) r
      
      ==92766==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000bac7 at pc 0x0001001510ef bp 0x7ffeefbfb230 sp 0x7ffeefbfb228
      READ of size 16 at 0x60300000bac7 thread T0
          #0 0x1001510ee in qstricmp(char const*, char const*) qbytearray.cpp:449
          #1 0x1000b535f in qTextCodecNameMatch(char const*, char const*) qtextcodec.cpp:111
          #2 0x1000b8113 in QTextCodec::codecForName(QByteArray const&) qtextcodec.cpp:552
          #3 0x1000b98e6 in QTextCodec::codecForName(char const*) qtextcodec.h:62
          #4 0x1000b918c in setupLocaleMapper() qtextcodec.cpp:172
          #5 0x1000b8fc3 in QTextCodec::codecForLocale() qtextcodec.cpp:716
          #6 0x10020959e in QString::fromLocal8Bit_helper(char const*, int) qstring.cpp:5473
          #7 0x10001f081 in QString::fromLocal8Bit(char const*, int) qstring.h:576
          #8 0x100123df5 in QCoreApplicationPrivate::appName() const qcoreapplication.cpp:180
          #9 0x100125c00 in QCoreApplicationPrivate::init() qcoreapplication.cpp:782
          #10 0x100125a34 in QCoreApplication::QCoreApplication(int&, char**, int) qcoreapplication.cpp:752
          #11 0x100125daa in QCoreApplication::QCoreApplication(int&, char**, int) qcoreapplication.cpp:750
          #12 0x10009d9f1 in runMoc(int, char**) main.cpp:174
          #13 0x1000ae6e1 in main main.cpp:522
          #14 0x7fff58256014 in start (libdyld.dylib:x86_64+0x1014)
      
      0x60300000bac7 is located 9 bytes to the right of 30-byte region [0x60300000baa0,0x60300000babe)
      allocated by thread T0 here:
          #0 0x10053ae13 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56e13)
          #1 0x10015fe3b in QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) qarraydata.cpp:118
          #2 0x1001532f6 in QTypedArrayData<char>::allocate(unsigned long, QFlags<QArrayData::AllocationOption>) qarraydata.h:224
          #3 0x100154dba in QByteArray::QByteArray(char const*, int) qbytearray.cpp:1787
          #4 0x100155002 in QByteArray::QByteArray(char const*, int) qbytearray.cpp:1778
          #5 0x1000c3fd6 in QUtf8Codec::name() const qutfcodec.cpp:993
          #6 0x1000b80eb in QTextCodec::codecForName(QByteArray const&) qtextcodec.cpp:552
          #7 0x1000b98e6 in QTextCodec::codecForName(char const*) qtextcodec.h:62
          #8 0x1000b918c in setupLocaleMapper() qtextcodec.cpp:172
          #9 0x1000b8fc3 in QTextCodec::codecForLocale() qtextcodec.cpp:716
          #10 0x10020959e in QString::fromLocal8Bit_helper(char const*, int) qstring.cpp:5473
          #11 0x10001f081 in QString::fromLocal8Bit(char const*, int) qstring.h:576
          #12 0x100123df5 in QCoreApplicationPrivate::appName() const qcoreapplication.cpp:180
          #13 0x100125c00 in QCoreApplicationPrivate::init() qcoreapplication.cpp:782
          #14 0x100125a34 in QCoreApplication::QCoreApplication(int&, char**, int) qcoreapplication.cpp:752
          #15 0x100125daa in QCoreApplication::QCoreApplication(int&, char**, int) qcoreapplication.cpp:750
          #16 0x10009d9f1 in runMoc(int, char**) main.cpp:174
          #17 0x1000ae6e1 in main main.cpp:522
          #18 0x7fff58256014 in start (libdyld.dylib:x86_64+0x1014)
      
      SUMMARY: AddressSanitizer: heap-buffer-overflow qbytearray.cpp:449 in qstricmp(char const*, char const*)
      Shadow bytes around the buggy address:
        0x1c0600001700: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 00 00
        0x1c0600001710: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
        0x1c0600001720: fd fd fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
        0x1c0600001730: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
        0x1c0600001740: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
      =>0x1c0600001750: 00 06 fa fa 00 00 00 06[fa]fa fa fa fa fa fa fa
        0x1c0600001760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x1c0600001770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x1c0600001780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x1c0600001790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x1c06000017a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      
      (lldb) frame select 5
      frame #5: 0x00000001001510ef moc`qstricmp(str1="UTF-8", str2="UTF-8") at qbytearray.cpp:449
         446 	        qptrdiff maxoffset = offset + n;
         447 	        for ( ; offset + 16 <= maxoffset; offset += sizeof(__m128i)) {
         448 	            // load 16 bytes from either source
      -> 449 	            __m128i a = _mm_loadu_si128(reinterpret_cast<const __m128i *>(s1 + offset));
         450 	            __m128i b = _mm_loadu_si128(reinterpret_cast<const __m128i *>(s2 + offset));
      

        Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

            Assignee:
            thiago Thiago Macieira
            Reporter:
            erikv Erik Verbruggen
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Gerrit Reviews

                There are no open Gerrit changes