Details
- Type: Bug
- Resolution: Fixed
- Priority: P2: Important
- Affects Version/s: 6.1.0, 6.3.0
- Environment: Ubuntu 20.04 LTS, clang 10.0.0
- Commits: dad0d6084 (dev), 232a90dce (6.6), f381dbee1 (6.5)
Description
- Configure Qt with "-sanitize fuzzer-no-link -sanitize undefined" and build it. Having submodules qtbase and qtsvg is sufficient.
- Use this to build the project qtbase/tests/libfuzzer/gui/image/qimage/loadfromdata. qmake- and cmake-based versions lead to the same result.
- Run the resulting program passing the attached input file:

    ./loadfromdata 36218.svg

You'll get output containing lines like:

    /home/qtrob/dev/src/qt-dev_07.13-base_svg/qtbase/src/gui/painting/qpaintengine_raster.cpp:538:40: runtime error: -1,84467e+19 is outside the range of representable values of type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/qtrob/dev/src/qt-dev_07.13-base_svg/qtbase/src/gui/painting/qpaintengine_raster.cpp:538:40 in
    qtbase/include/QtGui/6.2.0/QtGui/private/../../../../../../../../src/qt-dev_07.13-base_svg/qtbase/src/gui/painting/qfixed_p.h:90:58: runtime error: signed integer overflow: 2147169024 + 655424 cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior qtbase/include/QtGui/6.2.0/QtGui/private/../../../../../../../../src/qt-dev_07.13-base_svg/qtbase/src/gui/painting/qfixed_p.h:90:58 in
Found by oss-fuzz as issue 36218. Google will publish the details in 89 days.
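The sanitizer output shows two distinct kinds of undefined behaviour: a signed overflow in a 26.6 fixed-point addition (QFixed stores its value in an int scaled by 64) and a floating-point value far outside the int range being converted to int. The C below is an added example, not Qt code or the Qt fix: it reproduces both conditions on the values from the report and shows checked alternatives; the saturation policy and the text-size bound are this example's own choices.

```c
#include <limits.h>
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* 26.6 fixed point in the style of QFixed: an int holding value * 64. */
#define FIXED_SCALE 64

/* Unchecked form: plain int addition, undefined behaviour on overflow.
 * This is the shape UBSan flagged (2147169024 + 655424). Not called here. */
static int fixed_add_unchecked(int a, int b) { return a + b; }

/* Checked form: detect the overflow before it happens and saturate
 * instead of wrapping (saturation is this example's policy choice). */
static int fixed_add_saturating(int a, int b) {
    int sum;
    if (__builtin_add_overflow(a, b, &sum))
        return b > 0 ? INT_MAX : INT_MIN;
    return sum;
}

/* Checked double->int: NaN and values beyond the int range are clamped
 * rather than converted (the -1.84467e+19 from the report hits this). */
static int real_to_int_clamped(double r) {
    if (isnan(r)) return 0;
    if (r >= 2147483648.0) return INT_MAX;   /* >= 2^31 */
    if (r <= (double)INT_MIN) return INT_MIN;
    return (int)r;                            /* now representable */
}

/* Sanity bound in the spirit of "sanity check against too large text
 * elements": reject sizes that cannot be held in 26.6 fixed point.
 * The limit is this example's choice, not the value used by the Qt fix. */
static bool text_size_ok(double units) {
    return isfinite(units) && fabs(units) <= (double)(INT_MAX / FIXED_SCALE);
}

int main(void) {
    (void)fixed_add_unchecked; /* kept only to show the flagged form */
    printf("saturating add: %d\n", fixed_add_saturating(2147169024, 655424));
    printf("clamped conversion: %d\n", real_to_int_clamped(-1.84467e+19));
    printf("text size 1e18 accepted: %d\n", text_size_ok(1e18));
    return 0;
}
```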
For Gerrit Dashboard: QTBUG-95237

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 369991,4 | Remove unused internal flag from raster painting engine | dev | qt/qtbase | MERGED | +2 | 0 |
| 387929,2 | Remove unused internal flag from raster painting engine | 6.3 | qt/qtbase | MERGED | +2 | 0 |
| 387930,2 | Remove unused internal flag from raster painting engine | 6.2 | qt/qtbase | MERGED | +2 | 0 |
| 387931,2 | Remove unused internal flag from raster painting engine | tqtc/lts-5.15 | qt/tqtc-qtbase | MERGED | +2 | 0 |
| 476615,3 | Fix specific overflow in qtextengine | dev | qt/qtbase | ABANDONED | +1 | 0 |
| 483651,7 | Sanity check against too large text elements | dev | qt/qtsvg | MERGED | +2 | 0 |
| 487044,3 | Sanity check against too large text elements | 6.5 | qt/qtsvg | MERGED | +2 | 0 |
| 487045,2 | Sanity check against too large text elements | 6.6 | qt/qtsvg | MERGED | +2 | 0 |
| 487053,1 | Sanity check against too large text elements | tqtc/lts-6.2 | qt/tqtc-qtsvg | ABANDONED | 0 | 0 |
| 487054,1 | Sanity check against too large text elements | tqtc/lts-5.15 | qt/tqtc-qtsvg | ABANDONED | 0 | 0 |