Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-95237

[REG 6.0.4 -> 6.1.0] Integer-overflow in QFixed::operator+= through QImage::loadFromData(QByteArray)

    XMLWordPrintable

Details

    • dad0d6084 (dev), 232a90dce (6.6), f381dbee1 (6.5)

    Description

      1. Configure Qt with "-sanitize fuzzer-no-link -sanitize undefined" and build it.
        Having submodules qtbase and qtsvg is sufficient.
      2. Use this to build the project qtbase/tests/libfuzzer/gui/image/qimage/loadfromdata.
        qmake- and cmake-based version lead to the same result.
      3. Run the resulting program passing the attached input file:
        ./loadfromdata 36218.svg
        

        You'll get output containing lines like:

        /home/qtrob/dev/src/qt-dev_07.13-base_svg/qtbase/src/gui/painting/qpaintengine_raster.cpp:538:40: runtime error: -1,84467e+19 is outside the range of representable values of type 'int'
        SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/qtrob/dev/src/qt-dev_07.13-base_svg/qtbase/src/gui/painting/qpaintengine_raster.cpp:538:40 in 
        qtbase/include/QtGui/6.2.0/QtGui/private/../../../../../../../../src/qt-dev_07.13-base_svg/qtbase/src/gui/painting/qfixed_p.h:90:58: runtime error: signed integer overflow: 2147169024 + 655424 cannot be represented in type 'int'
        SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior qtbase/include/QtGui/6.2.0/QtGui/private/../../../../../../../../src/qt-dev_07.13-base_svg/qtbase/src/gui/painting/qfixed_p.h:90:58 in
        

      Found by oss-fuzz as issue 36218. Google will publish the details in 89 days.

      Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          People

            esabraha Eskil Abrahamsen Blomfeldt
            rlohning Robert Löhning
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: