QTBUG-109781

QXmlStreamReader asserts trying to construct StringRef of negative len on external input

Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: P1: Critical
    • None
    • Affects Version/s: 6.2.0, 6.4.1, 6.6
    • Component/s: Core: Serialization
    • Environment: Manjaro Linux
      clang 14.0.6
      g++ 12.2.0

    Description

      1. Build the attached project with a developer build of Qt:
        qt-cmake -S /tmp/report/ && cmake --build . --parallel

      2. Run the resulting program and pass the attached xml file:
        ./report 54551.xml

        It crashes with a failed assert:

        ASSERT: "len >= 0" in file /home/qtrob/dev/g++-12.2.0/qt-6.4.1-nowebengine-devbld/qtbase/include/QtCore/../../../../../src/qt-6.4.1/qtbase/src/corelib/text/qstringview.h, line 146
        Aborted (core dumped)

      gdb gives me this backtrace:

      #0  0x00007ffff70a164c in ?? () from /usr/lib/libc.so.6
      #1  0x00007ffff7051958 in raise () from /usr/lib/libc.so.6
      #2  0x00007ffff703b53d in abort () from /usr/lib/libc.so.6
      #3  0x00007ffff76c3c32 in qAbort ()
          at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qglobal.cpp:3369
      #4  0x00007ffff76d49be in qt_message_fatal (context=..., message=...)
          at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qlogging.cpp:1916
      #5  0x00007ffff76d0e82 in QMessageLogger::fatal (this=0x7fffffffda70, 
          msg=0x7ffff7bb5ea8 "ASSERT: \"%s\" in file %s, line %d")
          at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qlogging.cpp:850
      #6  0x00007ffff76c3a66 in qt_assert (assertion=0x7ffff7bb245a "len >= 0", 
          file=0x7ffff7bb2470 "/home/qtrob/dev/g++-12.2.0/qt-6.4.1-nowebengine-devbld/qtbase/include/QtCore/../../../../../src/qt-6.4.1/qtbase/src/corelib/text/qstringview.h", line=146)
          at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qglobal.cpp:3276
      #7  0x00007ffff76bed13 in QStringView::QStringView<QChar, true> (
          this=0x7fffffffdaf0, str=0x55555558375e, len=-2325)
          at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/text/qstringview.h:146
      #8  0x00007ffff7895566 in QtPrivate::XmlStringRef::view (this=0x7fffffffdd20)
          at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/serialization/qxmlstream_p.h:60
      #9  0x00007ffff78954d6 in QtPrivate::XmlStringRef::operator QStringView (
          this=0x7fffffffdd20)
          at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/serialization/qxmlstream_p.h:57
      #10 0x00007ffff78883e1 in QXmlStreamReaderPrivate::parse (this=0x555555559ff0) at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/serialization/qxmlstreamparser_p.h:789
      #11 0x00007ffff788a83f in QXmlStreamReader::readNext (this=0x7fffffffde58) at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/serialization/qxmlstream.cpp:561
      #12 0x00005555555552ec in main ()

      Google's oss-fuzz found this as issue 54551. They will publish their report on March 24th at the latest.

      Attachments

        1. CMakeLists.txt
          0.3 kB
        2. main.cpp
          0.3 kB
        3. 54551.xml
          8 kB

        People

          Thiago Macieira (thiago)
          Robert Löhning (rlohning)
          Vladimir Minenko
          Alex Blasche