Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-85580

Often-used function `qt_asciiToDouble` may read past end of buffer

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2: Important
    • Resolution: Done
    • Affects Version/s: 5.15.0
    • Fix Version/s: 5.12.10, 5.15.1
    • Component/s: Core: Other
    • Labels:
      None
    • Platform/s:
      All
    • Commits:
      efd3c7bf2427c8237857e56ecd51b8da3ce43a6e (qt/qtbase/dev) a17c9b4f5c093c6624990419b2df555c8c9399a1 (qt/qtbase/5.15) 11740acbca1f7de9598844244470ac48ed5c5f36 (qt/qtbase/5.12)

      Description

      Qt calls the `qt_asciiToDouble` function in many places (implemented here: https://github.com/qt/qtbase/blob/ba3b53cb501a77144aa6259e48a8e0edc3d1481d/src/corelib/text/qlocale_tools.cpp#L280) – this function accepts a "length" argument for the length of the C string it is processing.

      Yet in some branches in this function it does not consult the length argument and may end up reading past the end of the buffer.  Such as here: https://github.com/qt/qtbase/blob/ba3b53cb501a77144aa6259e48a8e0edc3d1481d/src/corelib/text/qlocale_tools.cpp#L297 or here https://github.com/qt/qtbase/blob/ba3b53cb501a77144aa6259e48a8e0edc3d1481d/src/corelib/text/qlocale_tools.cpp#L340 .

       

      Suggest: using `qstrncmp` instead of `qstrcmp` and/or writing this function to be more defensive and respect the string length passed to it.  This is a bug waiting to explode... since this function is called all over the place in the codebase...

       

        Attachments

          Issue Links

          relates to

          Task - A task that needs to be done. QTBUG-74286 Reimplement QLocaleData::stringTo(Uns|)LongLong() to take size of string

          • P3: Somewhat important - Should be fixed, but doesn't affect the release in any way.
          • Open

          Suggestion - Public suggestions QTBUG-66115 Let (QString|QLocale)::toFloat ignore trailing non-digits

          • P3: Somewhat important - Should be fixed, but doesn't affect the release in any way.
          • Open
          resulted from

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-85581 QByteArray .toDouble() does not call nulTerminated()

          • P3: Somewhat important - Should be fixed, but doesn't affect the release in any way.
          • Closed
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

            Activity

              People

              Assignee:
              thiago Thiago Macieira
              Reporter:
              cculianu calin culianu
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Gerrit Reviews

                  There are no open Gerrit changes