Qt / QTBUG-86200

aeshash goes out of bounds

Details

    • Bug
    • Resolution: Unresolved
    • P4: Low
    • None
    • 6.0.0 Alpha
    • None
    • Linux, clang version 10.0.0

    Description

      Building today's qtbase dev branch with

      -platform linux-clang-libc++ -sanitize address

      leads to

      /d/qt/5/kdab/qtbase-dev/build-asan/src/gui/qvkgen_wrapper.sh /d/qt/5/kdab/qtbase-dev/src/gui/vulkan/vk.xml /d/qt/5/kdab/qtbase-dev/header.LGPL vulkan/qvulkanfunctions
      =================================================================
      ==11117==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000119f at pc 0x7f2f620edc54 bp 0x7ffeade91130 sp 0x7ffeade91128
      READ of size 16 at 0x60300000119f thread T0
          #0 0x7f2f620edc53 in aeshash(unsigned char const*, unsigned long, unsigned long) /d/qt/5/kdab/qtbase-dev/src/corelib/tools/qhash.cpp:491:20
          #1 0x7f2f620ecfb5 in qHashBits(void const*, unsigned long, unsigned long) /d/qt/5/kdab/qtbase-dev/src/corelib/tools/qhash.cpp:527:16
          #2 0x7f2f620ef169 in qHash(QStringView, unsigned long) /d/qt/5/kdab/qtbase-dev/src/corelib/tools/qhash.cpp:547:12
          #3 0x7f2f62dc306f in QHashPrivate::Data<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::find(QStringView const&) const /d/qt/5/kdab/qtbase-dev/build-asan/src/corelib/../../include/QtCore/../../../src/corelib/tools/qhash.h:554:23
          #4 0x7f2f62dc442c in QHashPrivate::Data<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::findOrInsert(QStringView const&) /d/qt/5/kdab/qtbase-dev/build-asan/src/corelib/../../include/QtCore/../../../src/corelib/tools/qhash.h:595:23
          #5 0x7f2f62dc3f7b in QHash<QStringView, QXmlStreamReaderPrivate::Entity>::iterator QHash<QStringView, QXmlStreamReaderPrivate::Entity>::emplace<QXmlStreamReaderPrivate::Entity const&>(QStringView&&, QXmlStreamReaderPrivate::Entity const&) /d/qt/5/kdab/qtbase-dev/build-asan/src/corelib/../../include/QtCore/../../../src/corelib/tools/qhash.h:1134:26
          #6 0x7f2f62dc3ca9 in QHash<QStringView, QXmlStreamReaderPrivate::Entity>::iterator QHash<QStringView, QXmlStreamReaderPrivate::Entity>::emplace<QXmlStreamReaderPrivate::Entity const&>(QStringView const&, QXmlStreamReaderPrivate::Entity const&) /d/qt/5/kdab/qtbase-dev/build-asan/src/corelib/../../include/QtCore/../../../src/corelib/tools/qhash.h:1126:16
          #7 0x7f2f62dab69e in QHash<QStringView, QXmlStreamReaderPrivate::Entity>::insert(QStringView const&, QXmlStreamReaderPrivate::Entity const&) /d/qt/5/kdab/qtbase-dev/build-asan/src/corelib/../../include/QtCore/../../../src/corelib/tools/qhash.h:1104:16
          #8 0x7f2f62d916e4 in QXmlStreamReaderPrivate::QXmlStreamReaderPrivate(QXmlStreamReader*) /d/qt/5/kdab/qtbase-dev/src/corelib/serialization/qxmlstream.cpp:813:5
          #9 0x7f2f62d8c1e7 in QXmlStreamReader::QXmlStreamReader() /d/qt/5/kdab/qtbase-dev/src/corelib/serialization/qxmlstream.cpp:401:17
          #10 0x4d6f2d in VkSpecParser::VkSpecParser() /d/qt/5/kdab/qtbase-dev/src/tools/qvkgen/qvkgen.cpp:35:7
          #11 0x4d2672 in main /d/qt/5/kdab/qtbase-dev/src/tools/qvkgen/qvkgen.cpp:492:18
          #12 0x7f2f60d9bf89 in __libc_start_main (/lib64/libc.so.6+0x20f89)
          #13 0x41f5f9 in _start /home/abuild/rpmbuild/BUILD/glibc-2.26/csu/../sysdeps/x86_64/start.S:120

      0x60300000119f is located 9 bytes to the right of 22-byte region [0x603000001180,0x603000001196)
      allocated by thread T0 here:
          #0 0x497d2d in __interceptor_malloc /home/abuild/rpmbuild/BUILD/llvm-10.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
          #1 0x7f2f61fdbc97 in allocateData(long long, unsigned int) /d/qt/5/kdab/qtbase-dev/src/corelib/tools/qarraydata.cpp:159:52
          #2 0x7f2f61fdb780 in QArrayData::allocate(QArrayData**, long long, long long, long long, QFlags<QArrayData::ArrayOption>) /d/qt/5/kdab/qtbase-dev/src/corelib/tools/qarraydata.cpp:193:26
          #3 0x7f2f622e2a23 in QTypedArrayData<char16_t>::allocate(long long, QFlags<QArrayData::ArrayOption>) /d/qt/5/kdab/qtbase-dev/build-asan/src/corelib/../../include/QtCore/../../../src/corelib/tools/qarraydata.h:216:24
          #4 0x7f2f622a3c38 in QString::fromLatin1_helper(char const*, long long) /d/qt/5/kdab/qtbase-dev/src/corelib/text/qstring.cpp:4987:25
          #5 0x7f2f61ee9320 in QString::QString(QLatin1String) /d/qt/5/kdab/qtbase-dev/build-asan/src/corelib/../../include/QtCore/../../../src/corelib/text/qstring.h:992:52
          #6 0x7f2f62db0cd0 in QXmlStreamReaderPrivate::Entity::createLiteral(QLatin1String, QLatin1String) /d/qt/5/kdab/qtbase-dev/src/corelib/serialization/qxmlstream_p.h:235:29
          #7 0x7f2f62d915ff in QXmlStreamReaderPrivate::QXmlStreamReaderPrivate(QXmlStreamReader*) /d/qt/5/kdab/qtbase-dev/src/corelib/serialization/qxmlstream.cpp:813:5
          #8 0x7f2f62d8c1e7 in QXmlStreamReader::QXmlStreamReader() /d/qt/5/kdab/qtbase-dev/src/corelib/serialization/qxmlstream.cpp:401:17
          #9 0x4d6f2d in VkSpecParser::VkSpecParser() /d/qt/5/kdab/qtbase-dev/src/tools/qvkgen/qvkgen.cpp:35:7
          #10 0x4d2672 in main /d/qt/5/kdab/qtbase-dev/src/tools/qvkgen/qvkgen.cpp:492:18
          #11 0x7f2f60d9bf89 in __libc_start_main (/lib64/libc.so.6+0x20f89)

      SUMMARY: AddressSanitizer: heap-buffer-overflow /d/qt/5/kdab/qtbase-dev/src/corelib/tools/qhash.cpp:491:20 in aeshash(unsigned char const*, unsigned long, unsigned long)
      Shadow bytes around the buggy address:
        0x0c067fff81e0: fa fa 00 00 00 04 fa fa fd fd fd fd fa fa fd fd
        0x0c067fff81f0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
        0x0c067fff8200: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
        0x0c067fff8210: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa fd fd
        0x0c067fff8220: fd fd fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
      =>0x0c067fff8230: 00 00 06[fa]fa fa 00 00 04 fa fa fa fa fa fa fa
        0x0c067fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c067fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c067fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c067fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c067fff8280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==11117==ABORTING

        Activity

          People

            thiago Thiago Macieira
            dfaure_kdab David Faure
            Votes: 0
            Watchers: 2

              Gerrit Reviews

                There are no open Gerrit changes