Details
-
Bug
-
Resolution: Done
-
Not Evaluated
-
5.12.0 Alpha
-
None
-
-
028727c20ca43f1a56bad010354837e238e30024
Description
moc triggers an AddressSanitizer heap-buffer-overflow (an out-of-bounds READ, not a write) when building qtbase. According to the report below, the faulting access is a 16-byte `_mm_loadu_si128` in the SSE fast path of `qstricmp()` (qbytearray.cpp:449), reached while `QTextCodec::codecForName()` compares two "UTF-8" codec names during `QCoreApplication` start-up; the overrun buffer is the 30-byte `QByteArray` allocation produced by `QUtf8Codec::name()`, and the reported address lies 9 bytes past its end. The chunked loop at lines 447-450 loads 16 bytes from both strings per iteration, so it reads beyond the NUL terminator of a short string. Whether that over-read is harmless in a non-instrumented build (e.g. because the loop bound at line 446 keeps it inside the same page) cannot be confirmed from this excerpt, but under ASan every byte past the allocation is a reported fault, so the SSE path needs either a sanitizer-aware fallback to the byte-wise comparison or a load that is bounded by the string length. Reproducer (full moc command line, then the ASan output):
lldb -- /Users/erik/dev/builds/qt5.12-debug/qtbase/bin/moc -DQT_NAMESPACE=QtNS -DQT_NO_USING_NAMESPACE -DQT_NO_FOREACH -DQT_NO_NARROWING_CONVERSIONS_IN_CONNECT -DQT_BUILD_CORE_LIB -DQT_BUILDING_QT -DQT_NO_CAST_TO_ASCII -DQT_ASCII_CAST_WARNINGS -DQT_MOC_COMPAT -DQT_USE_QSTRINGBUILDER -DQT_DEPRECATED_WARNINGS -DQT_DISABLE_DEPRECATED_BEFORE=0x050000 -D_LARGEFILE64_SOURCE -D_LARGEFILE_SOURCE -DPCRE2_CODE_UNIT_WIDTH=16 --include /Users/erik/dev/builds/qt5.12-debug/qtbase/src/corelib/.moc/moc_predefs.h -I/Users/erik/dev/qt5.12/qtbase/mkspecs/macx-clang -I/Users/erik/dev/qt5.12/qtbase/src/corelib -I/Users/erik/dev/builds/qt5.12-debug/qtbase/src/corelib/global -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/harfbuzz/src -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/md5 -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/md4 -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/sha3 -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/double-conversion/include -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/double-conversion/include/double-conversion -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/forkfd -I/Users/erik/dev/qt5.12/qtbase/src/3rdparty/tinycbor/src -I/Users/erik/dev/builds/qt5.12-debug/qtbase/include -I/Users/erik/dev/builds/qt5.12-debug/qtbase/include/QtCore -I/Users/erik/dev/builds/qt5.12-debug/qtbase/include/QtCore/5.12.0 -I/Users/erik/dev/builds/qt5.12-debug/qtbase/include/QtCore/5.12.0/QtCore -I. 
-I/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1 -I/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.1.0/include -I/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk/usr/include /Users/erik/dev/qt5.12/qtbase/src/corelib/animation/qabstractanimation.h -o .moc/moc_qabstractanimation.cpp (lldb) r ==92766==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000bac7 at pc 0x0001001510ef bp 0x7ffeefbfb230 sp 0x7ffeefbfb228 READ of size 16 at 0x60300000bac7 thread T0 #0 0x1001510ee in qstricmp(char const*, char const*) qbytearray.cpp:449 #1 0x1000b535f in qTextCodecNameMatch(char const*, char const*) qtextcodec.cpp:111 #2 0x1000b8113 in QTextCodec::codecForName(QByteArray const&) qtextcodec.cpp:552 #3 0x1000b98e6 in QTextCodec::codecForName(char const*) qtextcodec.h:62 #4 0x1000b918c in setupLocaleMapper() qtextcodec.cpp:172 #5 0x1000b8fc3 in QTextCodec::codecForLocale() qtextcodec.cpp:716 #6 0x10020959e in QString::fromLocal8Bit_helper(char const*, int) qstring.cpp:5473 #7 0x10001f081 in QString::fromLocal8Bit(char const*, int) qstring.h:576 #8 0x100123df5 in QCoreApplicationPrivate::appName() const qcoreapplication.cpp:180 #9 0x100125c00 in QCoreApplicationPrivate::init() qcoreapplication.cpp:782 #10 0x100125a34 in QCoreApplication::QCoreApplication(int&, char**, int) qcoreapplication.cpp:752 #11 0x100125daa in QCoreApplication::QCoreApplication(int&, char**, int) qcoreapplication.cpp:750 #12 0x10009d9f1 in runMoc(int, char**) main.cpp:174 #13 0x1000ae6e1 in main main.cpp:522 #14 0x7fff58256014 in start (libdyld.dylib:x86_64+0x1014) 0x60300000bac7 is located 9 bytes to the right of 30-byte region [0x60300000baa0,0x60300000babe) allocated by thread T0 here: #0 0x10053ae13 in wrap_malloc 
(libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56e13) #1 0x10015fe3b in QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) qarraydata.cpp:118 #2 0x1001532f6 in QTypedArrayData<char>::allocate(unsigned long, QFlags<QArrayData::AllocationOption>) qarraydata.h:224 #3 0x100154dba in QByteArray::QByteArray(char const*, int) qbytearray.cpp:1787 #4 0x100155002 in QByteArray::QByteArray(char const*, int) qbytearray.cpp:1778 #5 0x1000c3fd6 in QUtf8Codec::name() const qutfcodec.cpp:993 #6 0x1000b80eb in QTextCodec::codecForName(QByteArray const&) qtextcodec.cpp:552 #7 0x1000b98e6 in QTextCodec::codecForName(char const*) qtextcodec.h:62 #8 0x1000b918c in setupLocaleMapper() qtextcodec.cpp:172 #9 0x1000b8fc3 in QTextCodec::codecForLocale() qtextcodec.cpp:716 #10 0x10020959e in QString::fromLocal8Bit_helper(char const*, int) qstring.cpp:5473 #11 0x10001f081 in QString::fromLocal8Bit(char const*, int) qstring.h:576 #12 0x100123df5 in QCoreApplicationPrivate::appName() const qcoreapplication.cpp:180 #13 0x100125c00 in QCoreApplicationPrivate::init() qcoreapplication.cpp:782 #14 0x100125a34 in QCoreApplication::QCoreApplication(int&, char**, int) qcoreapplication.cpp:752 #15 0x100125daa in QCoreApplication::QCoreApplication(int&, char**, int) qcoreapplication.cpp:750 #16 0x10009d9f1 in runMoc(int, char**) main.cpp:174 #17 0x1000ae6e1 in main main.cpp:522 #18 0x7fff58256014 in start (libdyld.dylib:x86_64+0x1014) SUMMARY: AddressSanitizer: heap-buffer-overflow qbytearray.cpp:449 in qstricmp(char const*, char const*) Shadow bytes around the buggy address: 0x1c0600001700: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 00 00 0x1c0600001710: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd 0x1c0600001720: fd fd fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 0x1c0600001730: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd 0x1c0600001740: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00 =>0x1c0600001750: 00 06 fa fa 00 00 00 06[fa]fa fa fa fa fa fa 
fa 0x1c0600001760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c0600001770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c0600001780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c0600001790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c06000017a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb (lldb) frame select 5 frame #5: 0x00000001001510ef moc`qstricmp(str1="UTF-8", str2="UTF-8") at qbytearray.cpp:449 446 qptrdiff maxoffset = offset + n; 447 for ( ; offset + 16 <= maxoffset; offset += sizeof(__m128i)) { 448 // load 16 bytes from either source -> 449 __m128i a = _mm_loadu_si128(reinterpret_cast<const __m128i *>(s1 + offset)); 450 __m128i b = _mm_loadu_si128(reinterpret_cast<const __m128i *>(s2 + offset));