Details
- Bug
- Resolution: Out of scope
- P1: Critical
- None
- 5.15.0, 5.15.1
Description
I have created a QML application that shows a geographic map using Mapbox GL. While the app runs fine in practice when I compile it in "debug" or "release" mode, it seems to contain a serious memory access error that is caught as soon as I enable CLANG's memory access sanitiser, by compiling the app with flags
CMAKE_CXX_FLAGS="-fsanitize=address -fsanitize=undefined -Werror -Wall -Wextra"
Once I start the application, CLANG reports a heap-buffer-overflow in QSGRenderThread and aborts the program. I attach CLANG's detailed error report.
Sincerely,
Stefan Kebekus.
==6922==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603001d6a83d at pc 0x0000004ea7d9 bp 0x7f29f87d1660 sp 0x7f29f87d0e10
READ of size 7 at 0x603001d6a83d thread T19 (QSGRenderThread)
#0 0x4ea7d8 in MemcmpInterceptorCommon(void*, int (void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/home/kebekus/Software/projects/enroute/build-linux-debug/src/enroute+0x4ea7d8)
#1 0x4eaef8 in memcmp (/home/kebekus/Software/projects/enroute/build-linux-debug/src/enroute+0x4eaef8)
#2 0x7f29f8cb2098 in bool std::__equal<true>::equal<char>(char const*, char const*, char const*) /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/bits/stl_algobase.h:826
#3 0x7f29f8cb2098 in bool std::__equal_aux<char const*, char const*>(char const*, char const*, char const*) /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/bits/stl_algobase.h:843
#4 0x7f29f8cb2098 in bool std::equal<char const*, __gnu_cxx::__normal_iterator<char const*, std::string> >(char const*, char const*, __gnu_cxx::__normal_iterator<char const*, std::string>) /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/bits/stl_algobase.h:1065
#5 0x7f29f8cb2098 in mbgl::style::expression::isFeatureConstant(mbgl::style::expression::Expression const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/expression/is_constant.cpp:20
#6 0x7f29f8cb21bb in operator() /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/expression/is_constant.cpp:41
#7 0x7f29f8cb21bb in std::_Function_handler<void (mbgl::style::expression::Expression const&), mbgl::style::expression::isFeatureConstant(mbgl::style::expression::Expression const&)::'lambda'(mbgl::style::expression::Expression const&)>::_M_invoke(std::_Any_data const&, mbgl::style::expression::Expression const&) /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/functional:1871
#8 0x7f29f8e9e49a in std::function<void (mbgl::style::expression::Expression const&)>::operator()(mbgl::style::expression::Expression const&) const /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/functional:2267
#9 0x7f29f8e9e49a in mbgl::style::expression::Interpolate::eachChild(std::function<void (mbgl::style::expression::Expression const&)> const&) const /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/expression/interpolate.hpp:30
#10 0x7f29f8cb1fa6 in mbgl::style::expression::isFeatureConstant(mbgl::style::expression::Expression const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/expression/is_constant.cpp:44
#11 0x7f29f8c74d3c in mbgl::style::PropertyExpression<mbgl::Color>::isFeatureConstant() const /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/property_expression.hpp:25
#12 0x7f29f8c74d3c in mbgl::style::conversion::Converter<mbgl::style::DataDrivenPropertyValue<mbgl::Color>, void>::operator()(mbgl::style::conversion::Convertible const&, mbgl::style::conversion::Error&, bool) const /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/conversion/data_driven_property_value.hpp:48
#13 0x7f29f8c76bde in std::experimental::optional<mbgl::style::DataDrivenPropertyValue<mbgl::Color> > mbgl::style::conversion::convert<mbgl::style::DataDrivenPropertyValue<mbgl::Color>, bool>(mbgl::style::conversion::Convertible const&, mbgl::style::conversion::Error&, bool&&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/conversion.hpp:301
#14 0x7f29f8c76bde in std::experimental::optional<mbgl::style::conversion::Error> mbgl::style::conversion::setProperty<mbgl::style::FillLayer, mbgl::style::DataDrivenPropertyValue<mbgl::Color>, &(mbgl::style::FillLayer::setFillColor(mbgl::style::DataDrivenPropertyValue<mbgl::Color>)), false>(mbgl::style::Layer&, mbgl::style::conversion::Convertible const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/conversion/property_setter.hpp:28
#15 0x7f29f8c451be in mbgl::style::conversion::setPaintProperty(mbgl::style::Layer&, std::string const&, mbgl::style::conversion::Convertible const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/conversion/layer.cpp:34
#16 0x7f29f8c4525b in operator() /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/conversion/layer.cpp:47
#17 0x7f29f8c4525b in std::_Function_handler<std::experimental::optional<mbgl::style::conversion::Error> (std::string const&, mbgl::style::conversion::Convertible const&), mbgl::style::conversion::setPaintProperties(mbgl::style::Layer&, mbgl::style::conversion::Convertible const&)::'lambda'(std::string const&, mbgl::style::conversion::Convertible const&)>::_M_invoke(std::_Any_data const&, std::string const&, mbgl::style::conversion::Convertible const&) /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/functional:1857
#18 0x7f29f8c37c4c in std::function<std::experimental::optional<mbgl::style::conversion::Error> (std::string const&, mbgl::style::conversion::Convertible const&)>::operator()(std::string const&, mbgl::style::conversion::Convertible const&) const /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/functional:2267
#19 0x7f29f8c37c4c in auto mbgl::style::conversion::Convertible::vtableEachMember<rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*>(std::aligned_storage<32ul, 8ul>::type const&, std::function<std::experimental::optional<mbgl::style::conversion::Error> (std::string const&, mbgl::style::conversion::Convertible const&)> const&)::'lambda'(std::string const&, rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*&&)::operator()(std::string const&, rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*&&) const /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/conversion.hpp:231
#20 0x7f29f8c37c4c in std::experimental::optional<mbgl::style::conversion::Error> mbgl::style::conversion::ConversionTraits<rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*>::eachMember<auto mbgl::style::conversion::Convertible::vtableEachMember<rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*>(std::aligned_storage<32ul, 8ul>::type const&, std::function<std::experimental::optional<mbgl::style::conversion::Error> (std::string const&, mbgl::style::conversion::Convertible const&)> const&)::'lambda'(std::string const&, rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*&&)>(rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*, rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*&&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/rapidjson_conversion.hpp:49
#21 0x7f29f8c37c4c in auto mbgl::style::conversion::Convertible::vtableEachMember<rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*>(std::aligned_storage<32ul, 8ul>::type const&, std::function<std::experimental::optional<mbgl::style::conversion::Error> (std::string const&, mbgl::style::conversion::Convertible const&)> const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/conversion.hpp:231
#22 0x7f29f8c44fcb in mbgl::style::conversion::eachMember(mbgl::style::conversion::Convertible const&, std::function<std::experimental::optional<mbgl::style::conversion::Error> (std::string const&, mbgl::style::conversion::Convertible const&)> const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/conversion.hpp:155
#23 0x7f29f8c44fcb in mbgl::style::conversion::setPaintProperties(mbgl::style::Layer&, mbgl::style::conversion::Convertible const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/conversion/layer.cpp:47
#24 0x7f29f8c45a0e in mbgl::style::conversion::Converter<std::unique_ptr<mbgl::style::Layer, std::default_delete<mbgl::style::Layer> >, void>::operator()(mbgl::style::conversion::Convertible const&, mbgl::style::conversion::Error&) const /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/conversion/layer.cpp:221
#25 0x7f29f8ec11e2 in std::experimental::optional<std::unique_ptr<mbgl::style::Layer, std::default_delete<mbgl::style::Layer> > > mbgl::style::conversion::convert<std::unique_ptr<mbgl::style::Layer, std::default_delete<mbgl::style::Layer> > >(mbgl::style::conversion::Convertible const&, mbgl::style::conversion::Error&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/conversion.hpp:301
#26 0x7f29f8ec11e2 in std::experimental::optional<std::unique_ptr<mbgl::style::Layer, std::default_delete<mbgl::style::Layer> > > mbgl::style::conversion::convert<std::unique_ptr<mbgl::style::Layer, std::default_delete<mbgl::style::Layer> > >(rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const&, mbgl::style::conversion::Error&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/rapidjson_conversion.hpp:119
#27 0x7f29f8ebe114 in mbgl::style::Parser::parseLayer(std::string const&, rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const&, std::unique_ptr<mbgl::style::Layer, std::default_delete<mbgl::style::Layer> >&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/parser.cpp:267
#28 0x7f29f8ebf043 in mbgl::style::Parser::parseLayers(rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/parser.cpp:212
#29 0x7f29f8ec0bbc in mbgl::style::Parser::parse(std::string const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/parser.cpp:105
#30 0x7f29f8d70d1b in mbgl::style::Style::Impl::parse(std::string const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/style_impl.cpp:79
#31 0x7f29f8d71f37 in operator() /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/style_impl.cpp:71
#32 0x7f29f8d71f37 in std::_Function_handler<void (mbgl::Response), mbgl::style::Style::Impl::loadURL(std::string const&)::'lambda'(mbgl::Response)>::_M_invoke(std::_Any_data const&, mbgl::Response&&) /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/functional:1871
#33 0x7f29f8daafb1 in std::function<void (mbgl::Response)>::operator()(mbgl::Response) const /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/functional:2267
#34 0x7f29f8daafb1 in mbgl::FileSourceRequest::setResponse(mbgl::Response const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/platform/default/file_source_request.cpp:30
#35 0x7f29f8c07ddf in mbgl::Mailbox::receive() /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/actor/mailbox.cpp:85
#36 0x7f29f8c08008 in mbgl::Mailbox::maybeReceive(std::weak_ptr<mbgl::Mailbox>) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/actor/mailbox.cpp:94
#37 0x7f29f8c06bd2 in mbgl::util::RunLoop::schedule(std::weak_ptr<mbgl::Mailbox>)::'lambda'()::operator()() const /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/util/run_loop.hpp:78
#38 0x7f29f8c06bd2 in void mbgl::WorkTaskImpl<mbgl::util::RunLoop::schedule(std::weak_ptr<mbgl::Mailbox>)::'lambda'(), std::tuple<> >::invoke<>(std::integer_sequence<unsigned long>) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/util/work_task_impl.hpp:43
#39 0x7f29f8c06bd2 in mbgl::WorkTaskImpl<mbgl::util::RunLoop::schedule(std::weak_ptr<mbgl::Mailbox>)::'lambda'(), std::tuple<> >::operator()() /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/util/work_task_impl.hpp:23
#40 0x7f29f8c07425 in mbgl::util::RunLoop::process() /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/util/run_loop.hpp:117
#41 0x7f2a24f76cf2 in QObject::event(QEvent*) /home/qt/work/qt/qtbase/src/corelib/kernel/qobject.cpp:1314
#42 0x7f2a262e713b in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/qt/work/qt/qtbase/src/widgets/kernel/qapplication.cpp:3671
#43 0x7f2a262edd0f in QApplication::notify(QObject*, QEvent*) /home/qt/work/qt/qtbase/src/widgets/kernel/qapplication.cpp:3417
#44 0x7f2a24f478f7 in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/qt/work/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1061
#45 0x7f2a24f4a961 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/qt/work/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1815
#46 0x7f2a24fa3a82 in postEventSourceDispatch(_GSource*, int (void*), void*) /home/qt/work/qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:277
#47 0x7f2a2231c7ae in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x527ae)
#48 0x7f2a2231cb37 (/lib64/libglib-2.0.so.0+0x52b37)
#49 0x7f2a2231cc02 in g_main_context_iteration (/lib64/libglib-2.0.so.0+0x52c02)
#50 0x7f2a24fa311b in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/qt/work/qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:423
#51 0x7f2a27bbed99 in QSGRenderThread::run() /home/qt/work/qt/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:1048
#52 0x7f2a24d60414 in QThreadPrivate::start(void*) /home/qt/work/qt/qtbase/src/corelib/thread/qthread_unix.cpp:342
#53 0x7f2a2492b431 in start_thread (/lib64/libpthread.so.0+0x9431)
#54 0x7f2a2482a9d2 in clone (/lib64/libc.so.6+0x1019d2)
0x603001d6a83d is located 0 bytes to the right of 29-byte region [0x603001d6a820,0x603001d6a83d)
allocated by thread T0 here:
#0 0x541457 in operator new(unsigned long) (/home/kebekus/Software/projects/enroute/build-linux-debug/src/enroute+0x541457)
#1 0x7f2a24b50f50 (/lib64/libstdc++.so.6+0xc6f50)
Thread T19 (QSGRenderThread) created by T0 here:
#0 0x484fe6 in pthread_create (/home/kebekus/Software/projects/enroute/build-linux-debug/src/enroute+0x484fe6)
#1 0x7f2a24d5fcf0 in QThread::start(QThread::Priority) /home/qt/work/qt/qtbase/src/corelib/thread/qthread_unix.cpp:716
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/kebekus/Software/projects/enroute/build-linux-debug/src/enroute+0x4ea7d8) in MemcmpInterceptorCommon(void*, int (void const*, void const*, unsigned long), void const*, void const*, unsigned long)
Shadow bytes around the buggy address:
0x0c06803a54b0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
0x0c06803a54c0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
0x0c06803a54d0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
0x0c06803a54e0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
0x0c06803a54f0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
=>0x0c06803a5500: 00 04 fa fa 00 00 00[05]fa fa 00 00 00 04 fa fa
0x0c06803a5510: 00 00 00 04 fa fa 00 00 00 00 fa fa 00 00 00 04
0x0c06803a5520: fa fa 00 00 00 04 fa fa 00 00 00 00 fa fa 00 00
0x0c06803a5530: 00 03 fa fa 00 00 00 02 fa fa 00 00 00 02 fa fa
0x0c06803a5540: 00 00 00 00 fa fa 00 00 00 02 fa fa 00 00 00 02
0x0c06803a5550: fa fa 00 00 00 02 fa fa 00 00 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==6922==ABORTING
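The trace above ends in the three-argument std::equal overload (frame #4), which takes its bounds only from the first range and reads past the end of a 29-byte heap string (READ of size 7, 0 bytes to the right of the region). The following is an added example, not code from the report, from mapbox-gl-native or from Qt; it models that bug class with a hypothetical prefix check written both ways. The over-read usually lands in readable memory, which is why such a defect is invisible in ordinary debug and release builds and only surfaces under -fsanitize=address. The helper names, the pattern strings and the 29-character sample string are constructed for this example.

```cpp
// Added example (not part of the bug report, mapbox-gl-native or Qt).
// Shows the bug class the ASan report points at: a comparison that takes its
// length from the pattern and reads past the end of a shorter heap string.
#include <algorithm>
#include <cstddef>
#include <string>

// Constructed sample input: a heap-allocated string of exactly 29 bytes,
// matching the 29-byte region size quoted in the report.
std::string sampleString() {
    return std::string("zoom-dependent-constructed-29");
}

// Hypothetical prefix check using the three-argument std::equal.
// The bounds come only from [pattern, pattern + patternLen); when `s` is
// shorter than the pattern, the comparison reads beyond s.end().
// Built with -fsanitize=address this is reported as heap-buffer-overflow
// inside memcmp, like the frames #0-#4 above. Callers must guarantee
// s.size() >= patternLen themselves, which is easy to get wrong.
bool startsWithUnchecked(const std::string& s, const char* pattern, std::size_t patternLen) {
    return std::equal(pattern, pattern + patternLen, s.begin());
}

// Bounds-checked version: reject a pattern longer than the string, then use
// the four-argument overload, which stops at the end of the shorter range.
bool startsWithChecked(const std::string& s, const char* pattern, std::size_t patternLen) {
    if (s.size() < patternLen) {
        return false;  // a longer pattern can never be a prefix
    }
    return std::equal(pattern, pattern + patternLen,
                      s.begin(), s.begin() + static_cast<std::ptrdiff_t>(patternLen));
}

int main() {
    const std::string s = sampleString();
    // Only the checked variant is safe to call with a pattern longer than s.
    bool ok = startsWithChecked(s, "zoom", 4)
           && !startsWithChecked(s, "zoom-dependent-constructed-29-and-more", 38);
    return ok ? 0 : 1;
}
```

Compiling this example with the same flags the report uses (CMAKE_CXX_FLAGS="-fsanitize=address -fsanitize=undefined") and calling startsWithUnchecked with the 38-byte pattern reproduces a heap-buffer-overflow report of the same shape; startsWithChecked simply returns false.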