Details
- Bug
- Resolution: Cannot Reproduce
- P1: Critical
- None
- 5.14
Description
=================================================================
==29456==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe07bbd9cb at pc 0x5556405c11d6 bp 0x7ffe07bbd490 sp 0x7ffe07bbd488
READ of size 1 at 0x7ffe07bbd9cb thread T0
    #0 0x5556405c11d5 in QTextEngine::itemize() const (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0xc3f1d5)
    #1 0x5556405d2b7b in QTextEngine::lineNumberForTextPosition(int) (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0xc50b7b)
    #2 0x555640a88e4a in QTextLayout::lineForTextPosition(int) const (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0x1106e4a)
    #3 0x5556406cd2a7 in QTextCursorPrivate::setX() (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0xd4b2a7)
    #4 0x5556406e1428 in QTextCursor::insertText(QString const&, QTextCharFormat const&) (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0xd5f428)
    #5 0x5556406de5af in QTextCursor::insertText(QString const&) (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0xd5c5af)
    #6 0x555640735de8 in QTextMarkdownImporter::cbText(MD_TEXTTYPE, char const*, unsigned int) (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0xdb3de8)
    #7 0x55564072d0f1 in CbText(MD_TEXTTYPE, char const*, unsigned int, void*) (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0xdab0f1)
    #8 0x555640ad915c in md_process_normal_block_contents (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0x115715c)
    #9 0x555640abc450 in md_process_doc (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0x113a450)
    #10 0x555640aae189 in md_parse (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0x112c189)
    #11 0x55564072cb32 in QTextMarkdownImporter::import(QTextDocument*, QString const&) (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0xdaab32)
    #12 0x555640616f54 in QTextDocument::setMarkdown(QString const&, QFlags<QTextDocument::MarkdownFeature>) (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0xc94f54)
    #13 0x55563fc8e00e in LLVMFuzzerTestOneInput (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0x30c00e)
    #14 0x55563fb5a615 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0x1d8615)
    #15 0x55563fb5cdfd in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0x1dadfd)
    #16 0x55563fb5ea69 in fuzzer::Fuzzer::MutateAndTestOne() (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0x1dca69)
    #17 0x55563fb616b7 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0x1df6b7)
    #18 0x55563fb519f5 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0x1cf9f5)
    #19 0x55563fb3ef63 in main (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0x1bcf63)
    #20 0x7f826f15c222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #21 0x55563fb44f0d in _start (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0x1c2f0d)

Address 0x7ffe07bbd9cb is located in stack of thread T0 at offset 1323 in frame
    #0 0x5556405b59df in QTextEngine::itemize() const (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0xc339df)

  This frame has 20 object(s):
    [32, 48) 'ref.tmp.i524'
    [64, 80) 'ref.tmp.i'
    [96, 624) 'bracketPairs.i.i.i.i'
    [752, 1260) 'bracketStack.i.i.i.i'
    [1328, 2356) 'stack.i.i.i' <== Memory access at offset 1323 underflows this variable
    [2496, 2498) 'level.i.i.i'
    [2512, 2516) 'runStart.i.i.i'
    [2528, 2532) 'continuationFrom.i.i.i'
    [2544, 2548) 'lastRunWithContent.i.i.i'
    [2560, 2561) 'runHasContent.i.i.i'
    [2576, 2624) 'appendRun.i.i.i'
    [2656, 3168) 'isolateStack.i.i.i'
    [3232, 3760) 'isolatePairs.i.i'
    [3888, 4928) 'runs.i'
    [5056, 21456) 'scriptAnalysis'
    [21712, 21984) 'scripts'
    [22048, 22080) 'itemizer'
    [22112, 22128) 'ref.tmp194'
    [22144, 22160) 'ref.tmp197'
    [22176, 22192) 'ref.tmp201'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/rutledge/dev/qt5-clang-static/qtbase/tests/libfuzzer/gui/text/qtextdocument/setMarkdown/setMarkdown+0xc3f1d5) in QTextEngine::itemize() const
==29456==ABORTING
MS: 2 CopyPart-CrossOver-; base unit: 60795053e9e27974f36f1e37474d0f5ad2d881e1
artifact_prefix='./'; Test unit written to ./crash-ce92edc0f2b0fd586d97c7683a1e22497b475370
Issue Links
- relates to
  - QTBUG-72936 Crash when passing invalid input to QTextDocument::setMarkdown (Closed)
  - QTBUG-72937 heap-buffer-overflow when passing invalid input to QTextDocument::setMarkdown (Closed)