Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-88256

[REG 5.15 -> 6.0] QCborValue::fromCbor allocates 2 GiB for 8 B input

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • P1: Critical
    • 6.0.1, 6.1.0 Alpha
    • 6.0.0 Beta4
    • Core: I/O
    • Ubuntu 20.04 LTS 64 bit
      clang 10.0.0
      Built with qmake
    • 638171eb10cfb186a6c47ec052a3b0c5b6449386 (qt/qtbase/dev) c5623e5bb13824ef7d735e8d429278223b2887c1 (qt/qtbase/6.0)

    Description

      1. Build the attached project.
      2. Run it on the attached input: 
        ./report input.cbor
      3. Watch the value of "newSize" in line 1583 of qcborvalue.cpp: 
                data.resize(newSize);

        Use a breakpoint, a qDebug() or whatever you prefer.
        It will try resizing the QByteArray to 2147483639.

      Allocating 2 GiB of memory doesn't seem appropriate for 8 bytes of input.

      This is a regression from Qt 5.15. There, the function will return -1 before:

              if (newSize > MaxByteArraySize)
            return -1;

      Attachments

        1. cleansed.cbor
          0.0 kB
        2. input.cbor
          0.0 kB
        3. main.cpp
          0.2 kB
        4. report.pro
          0.1 kB

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-88253 [REG 5.15 -> 6.0] QCborStreamReader allocates 2 GiB for 8 B file

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed
          For Gerrit Dashboard: QTBUG-88256
          # Subject Branch Project Status CR V
          320808,8 QCborValue: avoid allocating result if data is insufficient dev qt/qtbase Status: MERGED +2 0
          322052,3 QString/QByteArray: add missing Q_CHECK_PTR dev qt/qtbase Status: MERGED +2 0
          325668,2 QString/QByteArray: add missing Q_CHECK_PTR 6.0 qt/qtbase Status: MERGED +2 0
          325670,3 QCborValue: avoid allocating result if data is insufficient 5.15 qt/qtbase Status: ABANDONED 0 0
          325672,3 QCborValue: avoid allocating result if data is insufficient 6.0 qt/qtbase Status: MERGED +2 0
          326369,2 fuzzing: Add cbor files which ran out of memory dev qt/qtqa Status: MERGED +2 0
          326530,2 fuzzing: Add cbor files which ran out of memory master qt/qtqa Status: MERGED +2 0

          Activity

            People

              thiago Thiago Macieira
              rlohning Robert Löhning
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: