Qt / QTBUG-109781

QXmlStreamReader asserts trying to construct StringRef of negative len on external input


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: P1: Critical
    • Affects Version/s: 6.2.0, 6.4.1, 6.6
    • Component/s: Core: Serialization
    • Environment: Manjaro Linux, clang 14.0.6, g++ 12.2.0

    Description

      1. Build the attached project with a developer build of Qt:
         qt-cmake -S /tmp/report/ && cmake --build . --parallel

      2. Run the resulting program and pass the attached xml file:
         ./report 54551.xml

         It crashes with a failed assert:

         ASSERT: "len >= 0" in file /home/qtrob/dev/g++-12.2.0/qt-6.4.1-nowebengine-devbld/qtbase/include/QtCore/../../../../../src/qt-6.4.1/qtbase/src/corelib/text/qstringview.h, line 146
         Aborted (core dumped)

      gdb gives me this backtrace:

      #0  0x00007ffff70a164c in ?? () from /usr/lib/libc.so.6
      #1  0x00007ffff7051958 in raise () from /usr/lib/libc.so.6
      #2  0x00007ffff703b53d in abort () from /usr/lib/libc.so.6
      #3  0x00007ffff76c3c32 in qAbort ()
          at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qglobal.cpp:3369
      #4  0x00007ffff76d49be in qt_message_fatal (context=..., message=...)
          at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qlogging.cpp:1916
      #5  0x00007ffff76d0e82 in QMessageLogger::fatal (this=0x7fffffffda70, 
          msg=0x7ffff7bb5ea8 "ASSERT: \"%s\" in file %s, line %d")
          at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qlogging.cpp:850
      #6  0x00007ffff76c3a66 in qt_assert (assertion=0x7ffff7bb245a "len >= 0", 
          file=0x7ffff7bb2470 "/home/qtrob/dev/g++-12.2.0/qt-6.4.1-nowebengine-devbld/qtbase/include/QtCore/../../../../../src/qt-6.4.1/qtbase/src/corelib/text/qstringview.h", line=146)
          at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/global/qglobal.cpp:3276
      #7  0x00007ffff76bed13 in QStringView::QStringView<QChar, true> (
          this=0x7fffffffdaf0, str=0x55555558375e, len=-2325)
          at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/text/qstringview.h:146
      #8  0x00007ffff7895566 in QtPrivate::XmlStringRef::view (this=0x7fffffffdd20)
          at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/serialization/qxmlstream_p.h:60
      #9  0x00007ffff78954d6 in QtPrivate::XmlStringRef::operator QStringView (
          this=0x7fffffffdd20)
          at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/serialization/qxmlstream_p.h:57
      #10 0x00007ffff78883e1 in QXmlStreamReaderPrivate::parse (this=0x555555559ff0) at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/serialization/qxmlstreamparser_p.h:789
      #11 0x00007ffff788a83f in QXmlStreamReader::readNext (this=0x7fffffffde58) at /home/qtrob/dev/src/qt-6.4.1/qtbase/src/corelib/serialization/qxmlstream.cpp:561
      #12 0x00005555555552ec in main ()
      

      Google's oss-fuzz found this as issue 54551. They will publish their report on March 24th at the latest.

      Attachments

        1. 54551.xml (8 kB, Robert Löhning)
        2. CMakeLists.txt (0.3 kB, Robert Löhning)
        3. main.cpp (0.3 kB, Robert Löhning)


          People

            thiago (Thiago Macieira)
            rlohning (Robert Löhning)
            Vladimir Minenko
            Alex Blasche
