Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: P1: Critical
Fix Version/s: 5.12.4, 5.13.1, 5.14.0 Alpha
Affects Version/s: 5.12.1, 5.12
Component/s: QML: Declarative and Javascript Engine
Labels:
- earmarked_by_ulf
- found_by_libfuzzer
Environment:
Manjaro Linux
clang 7.0.1
gcc 8.2.1

Commits:
ac0d313ab15aa78c444d00ed6a1a202a1351dfa1 (qt/qtdeclarative/5.12)

Description

Have the same program as in ~~QTBUG-73985~~.
Build it on Qt 5.12.1.

Run the program passing the attached input file as parameter: /( {3072140529})? {3072140529}

/
The program crashes:

1  WTF::CrashOnOverflow::overflowed                                                                 CheckedArithmetic.h       80   0x7ffff7e6b8ef 
2  WTF::Checked<unsigned int, WTF::CrashOnOverflow>::operator+=<unsigned int>                       MacroAssemblerX86Common.h 126  0x7ffff7e7d9f9 
3  WTF::Checked<unsigned int, WTF::CrashOnOverflow>::operator+=<unsigned int, WTF::CrashOnOverflow> CheckedArithmetic.h       596  0x7ffff7e7d9f9 
4  JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::generate                             YarrJIT.cpp               1996 0x7ffff7e7d9f9 
5  JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::compile                              YarrJIT.cpp               621  0x7ffff7e8079e 
6  JSC::Yarr::jitCompile                                                                            new_allocator.h           79   0x7ffff7e6b806 
7  QV4::Heap::RegExp::init                                                                          qv4regexp.cpp             225  0x7ffff7c4711d 
8  QV4::MemoryManager::alloc<QV4::RegExp, QV4::ExecutionEngine *, QString, unsigned int>            qv4value_p.h              150  0x7ffff7c4825d 
9  QV4::RegExp::create                                                                              qv4regexp.cpp             200  0x7ffff7c4825d 
10 QV4::CompiledData::CompilationUnit::linkToEngine                                                 qendian_p.h               84   0x7ffff7b38d53 
11 QV4::Script::parse                                                                               qqmlrefcount_p.h          96   0x7ffff7c4c056 
12 QJSEngine::evaluate                                                                              qjsengine.cpp             525  0x7ffff7bac426 
13 main                                                                                             main.cpp                  12   0x55555555533a

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

backtrace.txt
29 kB
25 Feb '19 12:23
QTBUG-74048.js
0.0 kB
25 Feb '19 12:25

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

For Gerrit Dashboard: QTBUG-74048
#	Subject	Branch	Project	Status	CR	V
245301,10	Add libfuzzer test for QJSEngine::evaluate()	dev	qt/qtdeclarative	Status: MERGED	+2	0
260162,3	Yarr: Reject quantifiers larger than 16M	5.12	qt/qtdeclarative	Status: MERGED	+2	0

Activity

People

Assignee:: Ulf Hermann

Reporter:: Robert Löhning

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 25 Feb '19 12:23

Updated:: 02 May '19 00:16

Resolved:: 30 Apr '19 14:30

Gerrit Reviews

There are no open Gerrit changes

Show There are 2 closed Gerrit changes

Hide There are 2 closed Gerrit changes

Add libfuzzer test for QJSEngine::evaluate(): Gerrit Review:

Yarr: Reject quantifiers larger than 16M: Gerrit Review: