Qt / QTBUG-86051

heap-buffer-overflow in QXmlStreamReader

Details

    Description

      When building dev on macOS I get this:

      =================================================================
      ==93510==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000755f at pc 0x000109b5a8a5 bp 0x7ffee61cef10 sp 0x7ffee61cef08
      READ of size 16 at 0x60300000755f thread T0
      moc /Users/mitch/dev/qt-dev2/qtbase/src/network/access/qnetworkfile_p.h
      compiling /Users/mitch/dev/qt-dev2/qtbase/src/gui/kernel/qt_gui_pch.h
      moc /Users/mitch/dev/qt-dev2/qtbase/src/network/access/qnetworkdiskcache.h
      compiling /Users/mitch/dev/qt-dev2/qtbase/src/gui/kernel/qt_gui_pch.h
      moc /Users/mitch/dev/qt-dev2/qtbase/src/network/access/qhttp2protocolhandler_p.h
      compiling /Users/mitch/dev/qt-dev2/qtbase/src/network/socket/qabstractsocket.cpp
      rcc /Users/mitch/dev/qt-dev2/qtbase/src/gui/painting/qpdf.qrc
      compiling /Users/mitch/dev/qt-dev2/qtbase/src/network/socket/qtcpserver.cpp
      moc /Users/mitch/dev/qt-dev2/qtbase/src/network/access/qhttpmultipart.h
      compiling /Users/mitch/dev/qt-dev2/qtbase/src/network/socket/qsocks5socketengine.cpp
      compiling /Users/mitch/dev/qt-dev2/qtbase/src/3rdparty/md4c/md4c.c
      /Users/mitch/dev/qt-dev2/qtbase/src/3rdparty/md4c/md4c.c:889:73: warning: unused parameter 'n_lines' [-Wunused-parameter]
      md_merge_lines(MD_CTX* ctx, OFF beg, OFF end, const MD_LINE* lines, int n_lines,
                                                                              ^
      /Users/mitch/dev/qt-dev2/qtbase/src/3rdparty/md4c/md4c.c:1234:35: warning: unused parameter 'ctx' [-Wunused-parameter]
      md_is_hex_entity_contents(MD_CTX* ctx, const CHAR* text, OFF beg, OFF max_end, OFF* p_end)
                                        ^
      /Users/mitch/dev/qt-dev2/qtbase/src/3rdparty/md4c/md4c.c:1250:35: warning: unused parameter 'ctx' [-Wunused-parameter]
      md_is_dec_entity_contents(MD_CTX* ctx, const CHAR* text, OFF beg, OFF max_end, OFF* p_end)
                                        ^
      /Users/mitch/dev/qt-dev2/qtbase/src/3rdparty/md4c/md4c.c:1266:37: warning: unused parameter 'ctx' [-Wunused-parameter]
      md_is_named_entity_contents(MD_CTX* ctx, const CHAR* text, OFF beg, OFF max_end, OFF* p_end)
                                          ^
      /Users/mitch/dev/qt-dev2/qtbase/src/3rdparty/md4c/md4c.c:1372:27: warning: unused parameter 'ctx' [-Wunused-parameter]
      md_free_attribute(MD_CTX* ctx, MD_ATTRIBUTE_BUILD* build)
                                ^
      /Users/mitch/dev/qt-dev2/qtbase/src/3rdparty/md4c/md4c.c:1577:35: warning: suggest braces around initialization of subobject [-Wmissing-braces]
          MD_UNICODE_FOLD_INFO a_fi = { 0 };
                                        ^
                                        {}
      /Users/mitch/dev/qt-dev2/qtbase/src/3rdparty/md4c/md4c.c:1578:35: warning: suggest braces around initialization of subobject [-Wmissing-braces]
          MD_UNICODE_FOLD_INFO b_fi = { 0 };
                                        ^
                                        {}
      /Users/mitch/dev/qt-dev2/qtbase/src/3rdparty/md4c/md4c.c:1587:21: warning: comparison of integers of different signs: 'MD_OFFSET' (aka 'unsigned int') and 'int' [-Wsign-compare]
              if(a_fi_off >= a_fi.n_codepoints) {
                 ~~~~~~~~ ^  ~~~~~~~~~~~~~~~~~
      /Users/mitch/dev/qt-dev2/qtbase/src/3rdparty/md4c/md4c.c:1592:21: warning: comparison of integers of different signs: 'MD_OFFSET' (aka 'unsigned int') and 'int' [-Wsign-compare]
              if(b_fi_off >= b_fi.n_codepoints) {
                 ~~~~~~~~ ^  ~~~~~~~~~~~~~~~~~
      /Users/mitch/dev/qt-dev2/qtbase/src/3rdparty/md4c/md4c.c:3920:46: warning: unused parameter 'lines' [-Wunused-parameter]
      md_analyze_marks(MD_CTX* ctx, const MD_LINE* lines, int n_lines,
                                                   ^
      /Users/mitch/dev/qt-dev2/qtbase/src/3rdparty/md4c/md4c.c:3920:57: warning: unused parameter 'n_lines' [-Wunused-parameter]
      md_analyze_marks(MD_CTX* ctx, const MD_LINE* lines, int n_lines,
                                                              ^
      /Users/mitch/dev/qt-dev2/qtbase/src/3rdparty/md4c/md4c.c:5661:72: warning: missing field 'beg' initializer [-Wmissing-field-initializers]
      static const MD_LINE_ANALYSIS md_dummy_blank_line = { MD_LINE_BLANK, 0 };
                                                                             ^
      moc /Users/mitch/dev/qt-dev2/qtbase/src/network/access/qhttpnetworkreply_p.h
      compiling /Users/mitch/dev/qt-dev2/qtbase/src/gui/text/qtextmarkdownimporter.cpp
      compiling /Users/mitch/dev/qt-dev2/qtbase/src/network/socket/qhttpsocketengine.cpp
      12 warnings generated.
      moc /Users/mitch/dev/qt-dev2/qtbase/src/network/access/qhttpthreaddelegate_p.h
      /Users/mitch/dev/qt-dev2-fw/qtbase/src/gui/qvkgen_wrapper.sh /Users/mitch/dev/qt-dev2/qtbase/src/gui/vulkan/vk.xml /Users/mitch/dev/qt-dev2/qtbase/header.LGPL vulkan/qvulkanfunctions
          #0 0x109b5a8a4 in aeshash(unsigned char const*, unsigned long, unsigned long) (QtCore:x86_64+0x1078a4)
          #1 0x10a365a17 in QHashPrivate::Data<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::findOrInsert(QStringView const&) (QtCore:x86_64+0x912a17)
          #2 0x10a365220 in QHash<QStringView, QXmlStreamReaderPrivate::Entity>::iterator QHash<QStringView, QXmlStreamReaderPrivate::Entity>::emplace<QXmlStreamReaderPrivate::Entity const&>(QStringView&&, QXmlStreamReaderPrivate::Entity const&) (QtCore:x86_64+0x912220)
          #3 0x10a34cebe in QXmlStreamReaderPrivate::QXmlStreamReaderPrivate(QXmlStreamReader*) (QtCore:x86_64+0x8f9ebe)
          #4 0x10a347cd1 in QXmlStreamReader::QXmlStreamReader() (QtCore:x86_64+0x8f4cd1)
          #5 0x109a3ce03 in main (qvkgen:x86_64+0x10000ce03)
          #6 0x7fff71e9ccc8 in start (libdyld.dylib:x86_64+0x1acc8)
      
      0x60300000755f is located 9 bytes to the right of 22-byte region [0x603000007540,0x603000007556)
      allocated by thread T0 here:
          #0 0x10aa91abd in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x45abd)
          #1 0x109b0c301 in QArrayData::allocate(QArrayData**, long long, long long, long long, QFlags<QArrayData::ArrayOption>) (QtCore:x86_64+0xb9301)
          #2 0x109c6d4a2 in QString::fromLatin1_helper(char const*, long long) (QtCore:x86_64+0x21a4a2)
          #3 0x10a34ea81 in QXmlStreamReaderPrivate::Entity::createLiteral(QLatin1String, QLatin1String) (QtCore:x86_64+0x8fba81)
          #4 0x10a34ce2b in QXmlStreamReaderPrivate::QXmlStreamReaderPrivate(QXmlStreamReader*) (QtCore:x86_64+0x8f9e2b)
          #5 0x10a347cd1 in QXmlStreamReader::QXmlStreamReader() (QtCore:x86_64+0x8f4cd1)
          #6 0x109a3ce03 in main (qvkgen:x86_64+0x10000ce03)
          #7 0x7fff71e9ccc8 in start (libdyld.dylib:x86_64+0x1acc8)
      
      SUMMARY: AddressSanitizer: heap-buffer-overflow (QtCore:x86_64+0x1078a4) in aeshash(unsigned char const*, unsigned long, unsigned long)
      Shadow bytes around the buggy address:
        0x1c0600000e50: 04 fa fa fa 00 00 00 04 fa fa fd fd fd fd fa fa
        0x1c0600000e60: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
        0x1c0600000e70: fa fa fd fd fd fa fa fa fd fd fd fd fa fa 00 00
        0x1c0600000e80: 00 00 fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
        0x1c0600000e90: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 00
      =>0x1c0600000ea0: fa fa 00 00 00 00 fa fa 00 00 06[fa]fa fa 00 00
        0x1c0600000eb0: 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x1c0600000ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x1c0600000ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x1c0600000ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x1c0600000ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==93510==ABORTING
      make[4]: *** [vulkan/qvulkanfunctions.h] Abort trap: 6
      make[4]: *** Waiting for unfinished jobs....
      compiling /Users/mitch/dev/qt-dev2/qtbase/src/network/socket/qnativesocketengine.cpp
      moc /Users/mitch/dev/qt-dev2/qtbase/src/network/access/qnetworkreplyhttpimpl_p.h
      =================================================================
      ==97780==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000755f at pc 0x0001028d98a5 bp 0x7ffeed44ef10 sp 0x7ffeed44ef08
      READ of size 16 at 0x60300000755f thread T0
      moc /Users/mitch/dev/qt-dev2/qtbase/src/network/kernel/qhostinfo_p.h
      compiling /Users/mitch/dev/qt-dev2/qtbase/src/network/socket/qlocalsocket.cpp
          #0 0x1028d98a4 in aeshash(unsigned char const*, unsigned long, unsigned long) (QtCore:x86_64+0x1078a4)
          #1 0x1030e4a17 in QHashPrivate::Data<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::findOrInsert(QStringView const&) (QtCore:x86_64+0x912a17)
          #2 0x1030e4220 in QHash<QStringView, QXmlStreamReaderPrivate::Entity>::iterator QHash<QStringView, QXmlStreamReaderPrivate::Entity>::emplace<QXmlStreamReaderPrivate::Entity const&>(QStringView&&, QXmlStreamReaderPrivate::Entity const&) (QtCore:x86_64+0x912220)
          #3 0x1030cbebe in QXmlStreamReaderPrivate::QXmlStreamReaderPrivate(QXmlStreamReader*) (QtCore:x86_64+0x8f9ebe)
          #4 0x1030c6cd1 in QXmlStreamReader::QXmlStreamReader() (QtCore:x86_64+0x8f4cd1)
          #5 0x1027bce03 in main (qvkgen:x86_64+0x10000ce03)
          #6 0x7fff71e9ccc8 in start (libdyld.dylib:x86_64+0x1acc8)
      
      0x60300000755f is located 9 bytes to the right of 22-byte region [0x603000007540,0x603000007556)
      allocated by thread T0 here:
          #0 0x1042c2abd in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x45abd)
          #1 0x10288b301 in QArrayData::allocate(QArrayData**, long long, long long, long long, QFlags<QArrayData::ArrayOption>) (QtCore:x86_64+0xb9301)
          #2 0x1029ec4a2 in QString::fromLatin1_helper(char const*, long long) (QtCore:x86_64+0x21a4a2)
          #3 0x1030cda81 in QXmlStreamReaderPrivate::Entity::createLiteral(QLatin1String, QLatin1String) (QtCore:x86_64+0x8fba81)
          #4 0x1030cbe2b in QXmlStreamReaderPrivate::QXmlStreamReaderPrivate(QXmlStreamReader*) (QtCore:x86_64+0x8f9e2b)
          #5 0x1030c6cd1 in QXmlStreamReader::QXmlStreamReader() (QtCore:x86_64+0x8f4cd1)
          #6 0x1027bce03 in main (qvkgen:x86_64+0x10000ce03)
          #7 0x7fff71e9ccc8 in start (libdyld.dylib:x86_64+0x1acc8)
      
      SUMMARY: AddressSanitizer: heap-buffer-overflow (QtCore:x86_64+0x1078a4) in aeshash(unsigned char const*, unsigned long, unsigned long)
      Shadow bytes around the buggy address:
        0x1c0600000e50: 04 fa fa fa 00 00 00 04 fa fa fd fd fd fd fa fa
        0x1c0600000e60: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
        0x1c0600000e70: fa fa fd fd fd fa fa fa fd fd fd fd fa fa 00 00
        0x1c0600000e80: 00 00 fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
        0x1c0600000e90: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 00
      =>0x1c0600000ea0: fa fa 00 00 00 00 fa fa 00 00 06[fa]fa fa 00 00
        0x1c0600000eb0: 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x1c0600000ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x1c0600000ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x1c0600000ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x1c0600000ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==97780==ABORTING
      make[4]: *** [vulkan/qvulkanfunctions.h] Abort trap: 6
      make[3]: *** [release-all] Error 2
      make[3]: *** Waiting for unfinished jobs....
      moc /Users/mitch/dev/qt-dev2/qtbase/src/network/kernel/qnetworkproxy.h
      moc /Users/mitch/dev/qt-dev2/qtbase/src/network/kernel/qnetconmonitor_p.h
      compiling /Users/mitch/dev/qt-dev2/qtbase/src/network/socket/qlocalserver.cpp
      make[3]: *** [debug-all] Error 2
      make[2]: *** [sub-gui-make_first] Error 2
      make[2]: *** Waiting for unfinished jobs....
      

      Full make output in make.txt. Other relevant files also attached.

      qtbase SHA-1 is 57b94b58df474ebc268993291a669dbad21a1300.
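Added example, not Qt code and not the aeshash routine named in the trace or any fix for it: the report above shows a READ of size 16 landing in the redzone past a 22-byte heap region, which is the signature of a hash that loads whole 16-byte lanes from a key shorter than a lane. The C below models that class of bug with a 16-byte-lane hash in an over-reading form and a bounds-respecting form, plus an instrumented loader that does what ASan does in the report: it counts every byte the hash asks for beyond the end of the key instead of reading it. Keys are widened to UTF-16LE because that is how QString holds its data; the entity names used ("lt", "amp") are the XML predefined entities, and the guess that these are what createLiteral registers in the constructor is an inference from the trace, not something the report states. The mixing constants and the 0xfa fill standing in for foreign memory are arbitrary choices for the example.

```c
/* Added example, not Qt code: a 16-byte-lane hash in an over-reading and a
 * bounds-respecting form, plus a loader that counts what ASan would flag. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LANE 16
#define REDZONE 0xfa /* stand-in for whatever happens to follow the key in memory */

typedef struct {
    uint8_t key[64];         /* key bytes, UTF-16LE as QString stores them */
    size_t len;              /* valid bytes in key */
    size_t overread;         /* bytes the hash requested beyond key[0..len) */
    uint8_t last_lane[LANE]; /* last lane fed to the mixer, kept for inspection */
} hash_ctx;

/* One 16-byte load.  A SIMD hash does this as a single unaligned vector load:
 * the CPU returns whatever neighbours the key (or faults at a page edge) and
 * ASan reports a "READ of size 16" past the region.  Here the foreign bytes
 * are simulated with REDZONE and counted instead of being read. */
static void load_lane(hash_ctx *c, size_t off, uint8_t lane[LANE])
{
    size_t avail = off < c->len ? c->len - off : 0;
    if (avail > LANE) avail = LANE;
    memcpy(lane, c->key + off, avail);
    memset(lane + avail, REDZONE, LANE - avail);
    c->overread += LANE - avail;
    memcpy(c->last_lane, lane, LANE);
}

static uint64_t rotl64(uint64_t x, unsigned r) { return (x << r) | (x >> (64 - r)); }
/* Toy mixer with arbitrary odd constants: two 64-bit halves per lane. */
static uint64_t mix_lane(uint64_t h, const uint8_t lane[LANE])
{
    uint64_t lo, hi;
    memcpy(&lo, lane, 8);
    memcpy(&hi, lane + 8, 8);
    h = rotl64(h ^ (lo * 0x9E3779B97F4A7C15ULL), 31);
    h = rotl64(h ^ (hi * 0xC2B2AE3D27D4EB4FULL), 29);
    return h * 0x165667B19E3779F9ULL;
}

/* Over-reading form: a full lane for every started 16 bytes of key, so the
 * 4-byte key "lt" pulls 12 bytes it does not own into the hash. */
static uint64_t hash_overread(hash_ctx *c)
{
    uint64_t h = (uint64_t)c->len;
    for (size_t off = 0; off < c->len; off += LANE) {
        uint8_t lane[LANE];
        load_lane(c, off, lane);
        h = mix_lane(h, lane);
    }
    return h;
}

/* Bounds-respecting form: full lanes come from the key, the tail is copied into
 * a zero-padded local lane.  No byte past len is requested; the result depends
 * on the key alone. */
static uint64_t hash_safe(hash_ctx *c)
{
    uint64_t h = (uint64_t)c->len;
    size_t off = 0;
    for (; off + LANE <= c->len; off += LANE) {
        uint8_t lane[LANE];
        load_lane(c, off, lane);
        h = mix_lane(h, lane);
    }
    if (off < c->len) {
        uint8_t lane[LANE] = {0};
        memcpy(lane, c->key + off, c->len - off);
        memcpy(c->last_lane, lane, LANE);
        h = mix_lane(h, lane);
    }
    return h;
}

/* Hash an ASCII key, widened to UTF-16LE, with either form (safe != 0); *out
 * receives the context so the caller can inspect what the loader saw. */
static uint64_t hash_key(const char *ascii, int safe, hash_ctx *out)
{
    hash_ctx c = {{0}, 0, 0, {0}};
    for (; ascii[c.len / 2] && c.len + 2 <= sizeof c.key; c.len += 2)
        c.key[c.len] = (uint8_t)ascii[c.len / 2]; /* high byte stays 0 */
    uint64_t h = safe ? hash_safe(&c) : hash_overread(&c);
    if (out) *out = c;
    return h;
}
static size_t overread_of(const char *ascii, int safe) { hash_ctx c; hash_key(ascii, safe, &c); return c.overread; }
static int lane_byte(const char *ascii, int safe, size_t i) { hash_ctx c; hash_key(ascii, safe, &c); return c.last_lane[i]; }

int main(void)
{
    const char *keys[] = { "lt", "amp", "xmlns:xlink", "abcdefgh" };
    for (size_t i = 0; i < sizeof keys / sizeof *keys; i++)
        printf("%-12s over-read: unsafe=%2zu safe=%zu  hashes %s\n", keys[i],
               overread_of(keys[i], 0), overread_of(keys[i], 1),
               hash_key(keys[i], 0, NULL) == hash_key(keys[i], 1, NULL) ? "agree" : "differ");
    return 0;
}
```

Only keys that are an exact multiple of 16 bytes hash identically in both forms; for anything shorter the over-reading form mixes in bytes it does not own, so its result depends on the neighbouring allocation and an ASan build aborts instead. The shadow line in the report reads the same way as the counters here: the `00 00 06` just before the bracketed `[fa]` are the three 8-byte granules of the 22-byte region (8 + 8 + 6 addressable bytes), and `fa` is the heap redzone the 16-byte read landed in. Since the trace places the read inside QXmlStreamReader's default constructor (frames #3 and #4, called straight from main), an ASan build of any program that merely constructs a QXmlStreamReader should reproduce it without parsing any input.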

      Attachments

        1. config.opt (0.3 kB, Mitch Curtis)
        2. config.summary (11 kB, Mitch Curtis)
        3. configure.txt (25 kB, Mitch Curtis)
        4. make.txt (174 kB, Mitch Curtis)

            People

              agolubev Andrei Golubev
              mitch_curtis Mitch Curtis
              Maurice Kalinowski
              Alex Blasche
              Votes: 0
              Watchers: 4
