Qt / QTBUG-85580

Often-used function `qt_asciiToDouble` may read past end of buffer


    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2: Important
    • Resolution: Done
    • Affects Version/s: 5.15.0
    • Fix Version/s: 5.12.10, 5.15.1
    • Component/s: Core: Other
    • Labels:
      None
    • Platform/s:
      All
    • Commits:
      efd3c7bf2427c8237857e56ecd51b8da3ce43a6e (qt/qtbase/dev) a17c9b4f5c093c6624990419b2df555c8c9399a1 (qt/qtbase/5.15) 11740acbca1f7de9598844244470ac48ed5c5f36 (qt/qtbase/5.12)

      Description

      Qt calls the `qt_asciiToDouble` function in many places (implemented here: https://github.com/qt/qtbase/blob/ba3b53cb501a77144aa6259e48a8e0edc3d1481d/src/corelib/text/qlocale_tools.cpp#L280). This function accepts a "length" argument giving the length of the C string it is processing.

      Yet in some branches of this function it does not consult the length argument and may end up reading past the end of the buffer, such as here: https://github.com/qt/qtbase/blob/ba3b53cb501a77144aa6259e48a8e0edc3d1481d/src/corelib/text/qlocale_tools.cpp#L297 or here: https://github.com/qt/qtbase/blob/ba3b53cb501a77144aa6259e48a8e0edc3d1481d/src/corelib/text/qlocale_tools.cpp#L340

      Suggestion: use `qstrncmp` instead of `qstrcmp`, and/or write this function to be more defensive so that it respects the string length passed to it. This is a bug waiting to explode, since this function is called all over the place in the codebase.
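      Added illustration of the bug class described in the report (not Qt's code, and not the actual branches in `qt_asciiToDouble`): a parser receives a `(s, len)` slice that need not be NUL-terminated at `s + len`, yet one branch compares it with `strcmp`, which only stops at the next NUL byte. The example also shows the caveat a reviewer would raise on a plain `qstrncmp` swap: `strncmp(s, lit, len)` with `len` shorter than the literal matches a mere prefix, so a length equality check is needed as well. All function names and the sample buffers are constructed for this example.

```cpp
#include <cstring>

// Defective pattern: len is ignored, so the result depends on bytes after
// the slice and, if no NUL follows within the allocation, strcmp reads out
// of bounds. Hypothetical code, not qt_asciiToDouble.
bool isInfUnbounded(const char *s, int len) {
    (void)len;                                  // the defect: len never consulted
    return std::strcmp(s, "inf") == 0;
}

// Naive strncmp replacement: bounded by len, so no over-read, but with
// len < 3 it compares only a prefix and wrongly accepts "in" as "inf".
bool isInfPrefixOnly(const char *s, int len) {
    return len >= 0 && std::strncmp(s, "inf", static_cast<size_t>(len)) == 0;
}

// Correct: require the exact length, then compare exactly that many bytes.
// Never touches a byte outside [s, s + len).
bool isInfBounded(const char *s, int len) {
    const int n = 3;                            // strlen("inf")
    return len == n && std::memcmp(s, "inf", static_cast<size_t>(n)) == 0;
}

// Generic bounded literal match for any keyword branch of such a parser.
bool sliceEquals(const char *s, int len, const char *lit) {
    const size_t n = std::strlen(lit);
    return len >= 0 && static_cast<size_t>(len) == n && std::memcmp(s, lit, n) == 0;
}

struct Demo { bool unbounded; bool prefixOnly; bool bounded; };

// Constructed input: a 3-byte slice "inf" carved out of the larger buffer
// "infinity". The caller says the token is 3 bytes long; strcmp disagrees
// because it keeps reading past the slice until the NUL.
Demo demoSliceOfLargerBuffer() {
    const char backing[] = "infinity";
    const int len = 3;
    Demo d;
    d.unbounded  = isInfUnbounded(backing, len);   // false: strcmp saw "infinity"
    d.prefixOnly = isInfPrefixOnly(backing, len);  // true
    d.bounded    = isInfBounded(backing, len);     // true
    return d;
}

// Constructed input: a 2-byte slice "in" that must not be accepted as "inf".
Demo demoShortSlice() {
    const char backing[] = "in";
    const int len = 2;
    Demo d;
    d.unbounded  = isInfUnbounded(backing, len);   // false
    d.prefixOnly = isInfPrefixOnly(backing, len);  // true: prefix-only match, still wrong
    d.bounded    = isInfBounded(backing, len);     // false: correct
    return d;
}
```

      Note that the out-of-bounds read itself cannot be shown safely in a test; the first demo instead shows the observable symptom, a comparison whose answer depends on bytes the caller never handed to the function. Under AddressSanitizer, calling `isInfUnbounded` on a slice with no NUL inside the allocation reports a heap-buffer-overflow read.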

        Attachments

          Issue Links


            Activity

              People

              Assignee:
              thiago Thiago Macieira
              Reporter:
              cculianu calin culianu
               Votes:
               0
               Watchers:
               3

