QTBUG-85580

Often-used function `qt_asciiToDouble` may read past end of buffer


    • Type: Bug
    • Resolution: Done
    • Priority: P2: Important
    • Fix Version/s: 5.12.10, 5.15.1
    • Affects Version/s: 5.15.0
    • Component/s: Core: Other
    • Labels: None
    • Platform/OS: All
    • Commits: efd3c7bf2427c8237857e56ecd51b8da3ce43a6e (qt/qtbase/dev), a17c9b4f5c093c6624990419b2df555c8c9399a1 (qt/qtbase/5.15), 11740acbca1f7de9598844244470ac48ed5c5f36 (qt/qtbase/5.12)

Qt calls the `qt_asciiToDouble` function in many places (implemented here: https://github.com/qt/qtbase/blob/ba3b53cb501a77144aa6259e48a8e0edc3d1481d/src/corelib/text/qlocale_tools.cpp#L280) – this function accepts a "length" argument for the length of the C string it is processing.

Yet in some branches in this function it does not consult the length argument and may end up reading past the end of the buffer. Such as here: https://github.com/qt/qtbase/blob/ba3b53cb501a77144aa6259e48a8e0edc3d1481d/src/corelib/text/qlocale_tools.cpp#L297 or here: https://github.com/qt/qtbase/blob/ba3b53cb501a77144aa6259e48a8e0edc3d1481d/src/corelib/text/qlocale_tools.cpp#L340.

Suggest: using `qstrncmp` instead of `qstrcmp` and/or writing this function to be more defensive and respect the string length passed to it. This is a bug waiting to explode... since this function is called all over the place in the codebase...
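The defect class the report describes, shown as an added illustration that is not Qt's code: a parser that takes a `len` argument but compares with a NUL-terminated routine, beside a variant that honours `len`. The function and struct names and the special-value literals are assumptions made for this example.

```cpp
// Constructed illustration (not Qt's qt_asciiToDouble) of the pattern in
// QTBUG-85580: a (num, len) parser that compares with strcmp ignores len and
// walks memory until it finds a NUL, which may lie past the caller's buffer.
// The bounded variant only ever examines num[0 .. len-1].
#include <cstring>
#include <cmath>
#include <limits>

struct SpecialResult {
    bool ok;        // true if num is one of the special literals
    int processed;  // bytes consumed on success
    double value;
};

static const double kInf = std::numeric_limits<double>::infinity();
static const double kNaN = std::numeric_limits<double>::quiet_NaN();

// Unbounded variant, the pattern the report warns about: the len parameter
// is accepted but never consulted.
static SpecialResult parseSpecialUnbounded(const char *num, int /*len*/)
{
    if (std::strcmp(num, "nan") == 0)  return {true, 3, kNaN};
    if (std::strcmp(num, "inf") == 0)  return {true, 3, kInf};
    if (std::strcmp(num, "-inf") == 0) return {true, 4, -kInf};
    return {false, 0, 0.0};
}

// Length-aware equivalent of "strcmp(num, literal) == 0": the declared length
// must equal the literal's length, and strncmp is capped at that length, so
// no byte at or beyond num + len is ever read.
static bool equalsWithin(const char *num, int len, const char *literal)
{
    const int litLen = static_cast<int>(std::strlen(literal));
    return len == litLen && std::strncmp(num, literal, static_cast<size_t>(len)) == 0;
}

// Bounded variant: every comparison respects the caller's length.
static SpecialResult parseSpecialBounded(const char *num, int len)
{
    if (num == nullptr || len <= 0) return {false, 0, 0.0};
    if (equalsWithin(num, len, "nan"))  return {true, 3, kNaN};
    if (equalsWithin(num, len, "inf"))  return {true, 3, kInf};
    if (equalsWithin(num, len, "-inf")) return {true, 4, -kInf};
    return {false, 0, 0.0};
}
```

With a caller that declares `len == 2` for the buffer `"nan"`, the bounded variant reports no match without touching the third byte, while the unbounded one reads on to the NUL and matches.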



Assignee: Thiago Macieira (thiago)
Reporter: Calin Culianu (cculianu)