Qt / QTBUG-85580

Often-used function `qt_asciiToDouble` may read past end of buffer


Details

    • Type: Bug
    • Resolution: Done
    • Priority: P2: Important
    • Fix Version/s: 5.12.10, 5.15.1
    • Affects Version/s: 5.15.0
    • Component/s: Core: Other
    • Labels: None
    • Platform/s: All
    • Commits: efd3c7bf2427c8237857e56ecd51b8da3ce43a6e (qt/qtbase/dev), a17c9b4f5c093c6624990419b2df555c8c9399a1 (qt/qtbase/5.15), 11740acbca1f7de9598844244470ac48ed5c5f36 (qt/qtbase/5.12)

    Description

      Qt calls the `qt_asciiToDouble` function in many places (implemented here: https://github.com/qt/qtbase/blob/ba3b53cb501a77144aa6259e48a8e0edc3d1481d/src/corelib/text/qlocale_tools.cpp#L280). The function accepts a "length" argument giving the length of the C string it is processing.

      Yet in some branches this function does not consult the length argument and may end up reading past the end of the buffer, for example here: https://github.com/qt/qtbase/blob/ba3b53cb501a77144aa6259e48a8e0edc3d1481d/src/corelib/text/qlocale_tools.cpp#L297 or here: https://github.com/qt/qtbase/blob/ba3b53cb501a77144aa6259e48a8e0edc3d1481d/src/corelib/text/qlocale_tools.cpp#L340.

      Suggest: using `qstrncmp` instead of `qstrcmp`, and/or writing this function to be more defensive so that it respects the string length passed to it. This is a bug waiting to explode, since this function is called all over the codebase.
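To illustrate the fix the report asks for, here is an added example (not Qt's code and not the reporter's attachment): a length-bounded keyword comparison in place of a NUL-terminated `qstrcmp`, wrapped in a hypothetical, deliberately simplified `asciiToDoubleBounded` that never reads beyond the `len` it is given. It uses only the C++ standard library; the function names and the numeric grammar it accepts are assumptions for the example.

```cpp
#include <cmath>
#include <cstddef>
#include <cstring>
#include <limits>

// Compare the first `len` bytes of a buffer that need NOT be NUL-terminated
// against a C-string keyword, never reading buf[len] or beyond: the bounded
// (qstrncmp-style) check the report asks for in place of qstrcmp.
bool spanEquals(const char *buf, std::size_t len, const char *keyword) {
    std::size_t klen = std::strlen(keyword);
    return len == klen && std::memcmp(buf, keyword, klen) == 0;
}

// Hypothetical length-respecting ASCII-to-double (example code, not Qt's):
// inf/nan tokens plus plain decimal numbers. `processed` receives the number
// of bytes consumed (0 on failure); every read is guarded by `len`.
double asciiToDoubleBounded(const char *buf, std::size_t len, bool &ok, std::size_t &processed) {
    ok = false; processed = 0;
    std::size_t i = 0;
    bool negative = false;
    if (i < len && (buf[i] == '-' || buf[i] == '+')) { negative = (buf[i] == '-'); ++i; }
    // Special tokens: compare only the remaining span, so whatever follows
    // buf[len - 1] (possibly not a terminator) is never examined.
    if (spanEquals(buf + i, len - i, "inf")) {
        ok = true; processed = len;
        return negative ? -INFINITY : INFINITY;
    }
    if (spanEquals(buf + i, len - i, "nan")) {
        ok = true; processed = len;
        return std::numeric_limits<double>::quiet_NaN();
    }
    double mantissa = 0.0, divisor = 1.0;
    bool seenDigit = false, inFraction = false;
    for (; i < len; ++i) {                      // loop bound is the caller's length
        char c = buf[i];
        if (c >= '0' && c <= '9') {
            seenDigit = true;
            mantissa = mantissa * 10.0 + (c - '0');
            if (inFraction) divisor *= 10.0;
        } else if (c == '.' && !inFraction) {
            inFraction = true;
        } else break;                           // first byte that is not part of a number
    }
    if (!seenDigit) return 0.0;
    ok = true; processed = i;
    double value = mantissa / divisor;          // e.g. 325 / 100 == 3.25 exactly
    return negative ? -value : value;
}
```

A caller that hands in a view such as the first three bytes of the constructed buffer `{'i','n','f','4','2'}` gets `inf` back without the parser ever touching the bytes past the view, which is exactly the case a `qstrcmp`-based check gets wrong.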


      Attachments

        1. main.cpp (0.8 kB, uploaded by calin culianu)


            People

              Assignee: Thiago Macieira (thiago)
              Reporter: calin culianu (cculianu)
              Votes: 0
              Watchers: 3
