Details
-
Bug
-
Resolution: Done
-
P2: Important
-
5.9.6, 5.11.1
-
None
-
RHEL 65
-
Linux/X11
-
9f95f25d2ef3de76d449bc4de5b09e87e9ed537a (qt/qtbase/5.9.7) cb5c24fa26142edaff8fd2c9787dbe45c222b4ff (qt/qtbase/5.11) 91c83d842c54180f98b23a1cf8878b9d7a22f1b2 (qt/qtbase/5.6)
Description
The bug is caused by the codes in these two files: qtbase/src/corelib/plugin/qelfparser_p.h and qtbase/src/corelib/plugin/qelfparser_p.cpp.
In class QElfParser in qelfparser_p.h, it declares a struct ElfSectionHeader that contains a unsigned int variable called "offset". The class also have a int variable called "m_stringTableFileOffset".
In qelfparser_p.cpp:169, the code assigns the value of strtab.offset, an unsigned int value, to m_stringTableFileOffset, a signed int variable. Because one of the Elf file in our program is very large, it exceeds the maximum value that an int variable can hold. This line of code causes an int overflow, and the int becomes negative as the result.
Then, in qelfparser_p.cpp:191, the code use m_stringTableFileOffset to navigate a char * pointer. It makes the pointer invalid, and causes a segmentation fault.
After changing the value type of m_stringTableFileOffset to unsigned int or long long int in Qt library, the crash is solved.
Attachments
| For Gerrit Dashboard: QTBUG-70560 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 240074,2 | Fix integer overflow in very long sections in ELF objects | 5.11 | qt/qtbase | Status: MERGED | +2 | 0 |
| 240128,3 | Fix integer overflow in very long sections in ELF objects | 5.9 | qt/qtbase | Status: MERGED | +2 | 0 |
| 240878,2 | Fix integer overflow in very long sections in ELF objects | 5.6 | qt/qtbase | Status: MERGED | +2 | 0 |