Details
-
Bug
-
Resolution: Done
-
P2: Important
-
5.15.0
-
None
-
All
-
efd3c7bf2427c8237857e56ecd51b8da3ce43a6e (qt/qtbase/dev) a17c9b4f5c093c6624990419b2df555c8c9399a1 (qt/qtbase/5.15) 11740acbca1f7de9598844244470ac48ed5c5f36 (qt/qtbase/5.12)
Description
Qt calls the `qt_asciiToDouble` function in many places (implemented here: https://github.com/qt/qtbase/blob/ba3b53cb501a77144aa6259e48a8e0edc3d1481d/src/corelib/text/qlocale_tools.cpp#L280) – this function accepts a "length" argument for the length of the C string it is processing.
Yet in some branches in this function it does not consult the length argument and may end up reading past the end of the buffer. Such as here: https://github.com/qt/qtbase/blob/ba3b53cb501a77144aa6259e48a8e0edc3d1481d/src/corelib/text/qlocale_tools.cpp#L297 or here https://github.com/qt/qtbase/blob/ba3b53cb501a77144aa6259e48a8e0edc3d1481d/src/corelib/text/qlocale_tools.cpp#L340 .
Suggest: using `qstrncmp` instead of `qstrcmp` and/or writing this function to be more defensive and respect the string length passed to it. This is a bug waiting to explode... since this function is called all over the place in the codebase...
Attachments
Issue Links
- relates to
-
QTBUG-74286 Reimplement QLocaleData::stringTo(Uns|)LongLong() to take size of string
-
- Closed
-
-
QTBUG-66115 Let (QString|QLocale)::toFloat ignore trailing non-digits
-
- Open
-
- resulted from
-
-
- Closed
-
| For Gerrit Dashboard: QTBUG-85580 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 308481,3 | QByteArray::toDouble: fix buffer overflow reads on fromRawData() | dev | qt/qtbase | Status: MERGED | +2 | 0 |
| 308792,2 | QByteArray::toDouble: fix buffer overflow reads on fromRawData() | 5.15 | qt/qtbase | Status: MERGED | +2 | 0 |
| 308793,3 | QByteArray::toDouble: fix buffer overflow reads on fromRawData() | 5.12 | qt/qtbase | Status: MERGED | +2 | 0 |