Details
- Bug
- Resolution: Fixed
- P1: Critical
- 5.15.3
- None
- c1c07cb43 (dev), 6f6cba7fd (6.6), 237d6e615 (6.5)
Description
Hello Qt3D team,
Some of our customers are having a crash when loading .obj files with Qt3d. It is very hard to reproduce, here is what the stack looks like:
Thread 21 Crashed:: Thread (pooled)
0 libdefaultgeometryloader.dylib
1 libdefaultgeometryloader.dylib
2 libdefaultgeometryloader.dylib
3 org.qt-project.Qt3DRender
4 org.qt-project.Qt3DRender Qt3DRender::Render::GeometryRenderer::executeFunctor() + 231
5 org.qt-project.Qt3DRender Qt3DRender::Render::LoadGeometryJob::run() + 63
6 org.qt-project.Qt3DCore
7 org.qt-project.QtCore
8 org.qt-project.QtCore
9 libsystem_pthread.dylib _pthread_start + 224
10 libsystem_pthread.dylib thread_start + 15
I think I narrowed down the issue to these lines of code in qt3d/src/plugins/geometryloaders/default/objgeometryloader.cpp:101-109:
    if (lineSize > 0 && line[0] != '#') {
        if (line[lineSize - 1] == '\n')
            --lineSize; // chop newline
        if (line[lineSize - 1] == '\r')
            --lineSize; // chop newline also for CRLF format
        while (line[lineSize - 1] == ' ' || line[lineSize - 1] == '\t')
            --lineSize; // chop trailing spaces
        const ByteArraySplitter tokens(line, line + lineSize, ' ', Qt::SkipEmptyParts);
With an empty line, the line is just one character: \n. lineSize will be 1, then 0 after the "chop newline"; then the while loop will check the value of line[-1].
If you're really unlucky, line[-1] is ' ' or \t. lineSize will become -1 and ByteArraySplitter tokens(line, line - 1) will crash.
Qt version: 5.15.3, issue reproduced on macOS 10.15 (but other OSes and Qt versions should be impacted too)
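The underflow described in the report and the bounds check that prevents it, as an added example (not Qt's code and not the fix committed for this ticket); the function names and the simulated bytes in front of the line buffer are constructed for the demonstration:

```cpp
#include <cstdio>
// Added example, not Qt's code: the trailing-chop steps quoted from
// objgeometryloader.cpp as a stand-alone function, run on a constructed line
// buffer that reproduces the underflow, next to a bounds-checked version.

// Same three steps as the quoted snippet, each reading line[lineSize - 1]
// without first checking that lineSize is still greater than zero.
int chopTrailingUnchecked(const char *line, int lineSize)
{
    if (line[lineSize - 1] == '\n') --lineSize;                   // chop newline
    if (line[lineSize - 1] == '\r') --lineSize;                   // chop CR of CRLF
    while (line[lineSize - 1] == ' ' || line[lineSize - 1] == '\t')
        --lineSize;                                               // chop trailing blanks
    return lineSize;
}

// Every read of line[lineSize - 1] is guarded, so an empty line ("\n")
// yields 0 and the function never indexes before the start of the line.
int chopTrailingChecked(const char *line, int lineSize)
{
    if (lineSize > 0 && line[lineSize - 1] == '\n') --lineSize;
    if (lineSize > 0 && line[lineSize - 1] == '\r') --lineSize;
    while (lineSize > 0 && (line[lineSize - 1] == ' ' || line[lineSize - 1] == '\t'))
        --lineSize;
    return lineSize;
}

// Constructed memory layout: the line buffer holds only "\n" (an empty line),
// and the two bytes just before it simulate whatever happened to sit in front
// of the buffer, here the "unlucky" case of a space byte at line[-1].
static const char kSurroundingMemory[] = { 'x', ' ', '\n', '\0' };
static const char *kEmptyLine = kSurroundingMemory + 2;
// Unchecked version on the empty line: '\n' is chopped (size 0), line[-1] is
// ' ' so the loop runs once more and lineSize underflows to -1, the value that
// makes the original code build ByteArraySplitter(line, line - 1).
int emptyLineUnchecked() { return chopTrailingUnchecked(kEmptyLine, 1); }
int emptyLineChecked()   { return chopTrailingChecked(kEmptyLine, 1); }

// A normal CRLF line with trailing blanks: both versions agree ("f 1 2 3" = 7).
static const char kNormalLine[] = "f 1 2 3\t \r\n";
int normalLineUnchecked() { return chopTrailingUnchecked(kNormalLine, 11); }
int normalLineChecked()   { return chopTrailingChecked(kNormalLine, 11); }

int main()
{
    std::printf("empty line: unchecked=%d checked=%d\n", emptyLineUnchecked(), emptyLineChecked());
    std::printf("normal line: unchecked=%d checked=%d\n", normalLineUnchecked(), normalLineChecked());
    return 0;
}
```

Because the simulated bytes live inside kSurroundingMemory, the unchecked read of line[-1] stays within the array here; in the real loader that byte is whatever precedes the line buffer, which is why the crash is intermittent.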