Project: Qt
Issue: QTBUG-70560

Integer overflow in class QElfParser (qtbase/src/corelib/plugin/qelfparser_p.cpp)


    Details

    • Platform/s:
      Linux/X11
    • Commits:
      9f95f25d2ef3de76d449bc4de5b09e87e9ed537a (qt/qtbase/5.9.7)
      cb5c24fa26142edaff8fd2c9787dbe45c222b4ff (qt/qtbase/5.11)
      91c83d842c54180f98b23a1cf8878b9d7a22f1b2 (qt/qtbase/5.6)

      Description

      The bug is caused by the code in these two files: qtbase/src/corelib/plugin/qelfparser_p.h and qtbase/src/corelib/plugin/qelfparser_p.cpp.

      In class QElfParser in qelfparser_p.h, it declares a struct ElfSectionHeader that contains an unsigned int variable called "offset". The class also has an int variable called "m_stringTableFileOffset".

      In qelfparser_p.cpp:169, the code assigns the value of strtab.offset, an unsigned int value, to m_stringTableFileOffset, a signed int variable. Because one of the ELF files in our program is very large, it exceeds the maximum value that an int variable can hold. This line of code causes an int overflow, and the int becomes negative as a result.

      Then, in qelfparser_p.cpp:191, the code uses m_stringTableFileOffset to navigate a char * pointer. It makes the pointer invalid and causes a segmentation fault.

      After changing the value type of m_stringTableFileOffset to unsigned int or long long int in the Qt library, the crash is solved.
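The narrowing described in the report, and the bounds-checked alternative, as an added C++ example. This is not Qt's code or its actual patch: StringTableHeaderStub, storeOffsetAsSignedInt, displacementWithSignedOffset, lookupSectionName and the 64-byte sample file are constructed for illustration, and the hardened lookup is an assumed fix that keeps the offset unsigned and validates it against the mapped file size before forming a pointer.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>

// Constructed stand-in for the section header's file offset field. The real
// ElfSectionHeader in qelfparser_p.h also stores it as an unsigned int; the
// remaining fields are omitted here.
struct StringTableHeaderStub {
    unsigned int offset;
};

// The defect pattern from the report: the unsigned offset is copied into a
// signed int. For offsets above INT_MAX the stored value wraps negative
// (modular conversion, guaranteed since C++20 and what mainstream compilers
// have always done before that).
int storeOffsetAsSignedInt(const StringTableHeaderStub &strtab) {
    int stringTableFileOffset = strtab.offset;   // narrowing happens here
    return stringTableFileOffset;
}

// The displacement from the file start that a name lookup would apply once
// the negative value is used as a pointer offset. Returned as a signed 64-bit
// value so the out-of-range result is visible instead of being dereferenced.
std::int64_t displacementWithSignedOffset(const StringTableHeaderStub &strtab,
                                          unsigned int nameIndex) {
    int stringTableFileOffset = strtab.offset;
    return static_cast<std::int64_t>(stringTableFileOffset) + nameIndex;
}

// Hardened lookup (assumed fix, not Qt's actual patch): keep the offset in a
// type that cannot go negative, and check the table offset, the name index
// and the NUL terminator against the mapped file size before returning a
// pointer. Returns nullptr on any out-of-range input.
const char *lookupSectionName(const char *fileData, std::size_t fileSize,
                              const StringTableHeaderStub &strtab,
                              unsigned int nameIndex) {
    const std::uint64_t tableOffset = strtab.offset;   // widening only
    if (tableOffset >= fileSize)
        return nullptr;
    if (nameIndex >= fileSize - tableOffset)
        return nullptr;
    const char *name = fileData + tableOffset + nameIndex;
    const std::size_t room = fileSize - tableOffset - nameIndex;
    if (std::memchr(name, '\0', room) == nullptr)   // string must end in-buffer
        return nullptr;
    return name;
}

// Constructed 64-byte "file": ELF magic at the start, a string table at
// offset 16 holding "\0.text\0.data\0", zeros elsewhere.
static const unsigned char kSampleFile[64] = {
    0x7f, 'E', 'L', 'F', 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, '.', 't', 'e', 'x', 't', 0, '.', 'd', 'a', 't', 'a', 0
};

// Convenience wrapper that runs the hardened lookup over the sample file.
const char *lookupInSample(unsigned int tableOffset, unsigned int nameIndex) {
    StringTableHeaderStub strtab{tableOffset};
    return lookupSectionName(reinterpret_cast<const char *>(kSampleFile),
                             sizeof kSampleFile, strtab, nameIndex);
}

int main() {
    StringTableHeaderStub huge{0x80000000u};   // offset just above INT_MAX
    std::cout << "signed copy of 0x80000000: " << storeOffsetAsSignedInt(huge) << '\n';
    std::cout << "displacement applied to the pointer: "
              << displacementWithSignedOffset(huge, 4) << '\n';
    const char *ok = lookupInSample(16, 1);
    std::cout << "checked lookup (16, 1): " << (ok ? ok : "(rejected)") << '\n';
    const char *bad = lookupInSample(0x80000000u, 1);
    std::cout << "checked lookup (0x80000000, 1): " << (bad ? bad : "(rejected)") << '\n';
    return 0;
}
```

The first two functions show why the report's crash is a consequence of the type, not of the file contents: any section header offset above INT_MAX becomes a negative displacement. The hardened lookup shows the check the parser needs regardless of which integer type it stores the offset in, since even a 64-bit offset read from an untrusted file still has to be compared against the size of the mapping.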


            People

            Assignee:
            thiago Thiago Macieira
            Reporter:
            hengxiao Heng Xiao
            Votes:
            0
            Watchers:
            2
