- Bug
- Resolution: Done
- P2: Important
- 5.15
204b6c99089bcf7893be326e7d0076402b7abf0c (qt/qtbase/dev), db0893a7e302fac1808a67541ef190293661348d (qt/qtbase/5.15), 66081c52b (dev), 5deee1e5a (6.9), 1c453be01 (6.8), 040839c10 (tqtc/lts-6.5), 12cec9769 (tqtc/lts-5.15)
In qcssparser.cpp:1701:

```cpp
features |= static_cast<int>(findKnownValue(d->values.value(i).variant.toString(), styleFeatures, NumKnownStyleFeatures));
```
styleFeatures is an array of length 3, and NumKnownStyleFeatures is 4. Inside findKnownValue() the array is accessed at index 3, which is an out-of-bounds access.
See screenshot for visualisation of the issue.
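
The pattern in this report, a lookup that trusts a count constant that disagrees with the array's length, is shown below next to a form where the compiler supplies the length. This is an added example, not code from the report or from Qt: `KnownValue`, `nameLess`, `findKnownValueUnchecked`, `parseFeatures` and the table entries are constructed, and the names `styleFeatures`, `NumKnownStyleFeatures` and `findKnownValue` are reused only as stand-ins.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>

// Hypothetical stand-ins named after the report's identifiers; not Qt's definitions.
struct KnownValue { const char *name; unsigned id; };
constexpr std::size_t NumKnownStyleFeatures = 4;   // same 3-vs-4 mismatch as the report

static const KnownValue styleFeatures[] = {        // constructed entries, sorted by name
    { "active",     1u },
    { "background", 2u },
    { "border",     4u },
};

static bool nameLess(const KnownValue &kv, const char *key)
{
    return std::strcmp(kv.name, key) < 0;
}

// Risky shape: the caller's count is trusted. With numValues == 4 and a 3-entry
// array, a key sorting after "border" makes the search compare against start[3].
unsigned findKnownValueUnchecked(const char *name, const KnownValue *start, std::size_t numValues)
{
    const KnownValue *end = start + numValues;
    const KnownValue *it = std::lower_bound(start, end, name, nameLess);
    return (it == end || std::strcmp(it->name, name) != 0) ? 0u : it->id;
}

// Hardened shape: the array is passed by reference, so N is deduced by the
// compiler and cannot disagree with the array's real length.
template <std::size_t N>
unsigned findKnownValue(const char *name, const KnownValue (&table)[N])
{
    return findKnownValueUnchecked(name, table, N);
}

// Build-time guard. Assumption for this example: the constant also counts one
// value that has no table entry, so the valid element count is the constant - 1.
static_assert(sizeof(styleFeatures) / sizeof(styleFeatures[0]) == NumKnownStyleFeatures - 1,
              "styleFeatures length and NumKnownStyleFeatures disagree");

// ORs the ids of every recognised name, like the `features |= ...` line above.
unsigned parseFeatures(const char *const *names, std::size_t count)
{
    unsigned features = 0;
    for (std::size_t i = 0; i < count; ++i)
        features |= findKnownValue(names[i], styleFeatures);
    return features;
}
```

Building with AddressSanitizer (`-fsanitize=address`) reports a call such as `findKnownValueUnchecked(name, styleFeatures, NumKnownStyleFeatures)` as a global-buffer-overflow when the key sorts after the last entry.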

For Gerrit Dashboard: QTBUG-83817

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 299749,3 | Fix out-of-bounds access when searching arrays | dev | qt/qtbase | MERGED | +2 | 0 |
| 300999,2 | Fix out-of-bounds access when searching arrays | 5.15 | qt/qtbase | MERGED | +2 | 0 |
| 630248,2 | QCssParser: attempt to fix Coverity OVERRUN issue | dev | qt/qtbase | MERGED | +2 | 0 |
| 630703,2 | QCssParser: attempt to fix Coverity OVERRUN issue | 6.9 | qt/qtbase | MERGED | +2 | 0 |
| 630804,2 | QCssParser: attempt to fix Coverity OVERRUN issue | 6.8 | qt/qtbase | MERGED | +2 | 0 |
| 630843,2 | QCssParser: attempt to fix Coverity OVERRUN issue | tqtc/lts-6.5 | qt/tqtc-qtbase | MERGED | +2 | 0 |
| 630881,2 | QCssParser: attempt to fix Coverity OVERRUN issue | tqtc/lts-5.15 | qt/tqtc-qtbase | MERGED | +2 | 0 |