Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-88656

Undefined behavior in QDateTime::fromString

    XMLWordPrintable

Details

    • 380d97e1bd15e753907c378a070bdf7f1c1cf06e (qt/qtbase/dev) a754477b734661bc0850fb36b3fc4b55445ff2c2 (qt/qtbase/6.0) d2c0fc2b5f1c07c1e0acb1c0127578066b6f9b8e (qt/qtbase/5.15)

    Description

      1. Build your fuzz target for QDateTime with "-sanitize undefined".
      2. Let it run on the attached input file.
        ./fromstring input
        

        It will report undefined behavior:

        /src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:427:30: runtime error: signed integer overflow: 72000000 * 60 cannot be represented in type 'int'
            #0 0x51a894 in parsePosixTime(char const*, char const*) /src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:427:30
            #1 0x51a4d4 in parsePosixOffset(char const*, char const*) /src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:453:17
            #2 0x5108e6 in (anonymous namespace)::PosixZone::parse(char const*&, char const*) /src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:525:46
            #3 0x50f295 in QTzTimeZoneCache::findEntry(QByteArray const&) /src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:685:21
            #4 0x5135b4 in QTzTimeZoneCache::fetchEntry(QByteArray const&) /src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:850:33
            #5 0x50e24e in QTzTimeZonePrivate::init(QByteArray const&) /src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:858:33
            #6 0x50eac4 in QTzTimeZonePrivate::QTzTimeZonePrivate(QByteArray const&) /src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:644:5
            #7 0x4fb881 in newBackendTimeZone(QByteArray const&) /src/qt/qtbase/src/corelib/time/qtimezone.cpp:95:16
            #8 0x4fb45e in QTimeZone::QTimeZone(QByteArray const&) /src/qt/qtbase/src/corelib/time/qtimezone.cpp:343:55
            #9 0x5360cb in QDateTimeParser::findTimeZoneName(QStringRef, QDateTime const&) const /src/qt/qtbase/src/corelib/time/qdatetimeparser.cpp:1742:19
            #10 0x52c739 in QDateTimeParser::findTimeZone(QStringRef, QDateTime const&, int, int) const /src/qt/qtbase/src/corelib/time/qdatetimeparser.cpp:1764:19
            #11 0x52a275 in QDateTimeParser::parseSection(QDateTime const&, int, int, QString*) const /src/qt/qtbase/src/corelib/time/qdatetimeparser.cpp:796:18
            #12 0x52e865 in QDateTimeParser::scanString(QDateTime const&, bool, QString*) const /src/qt/qtbase/src/corelib/time/qdatetimeparser.cpp:1178:20
            #13 0x53350b in QDateTimeParser::parse(QString, int, QDateTime const&, bool) const /src/qt/qtbase/src/corelib/time/qdatetimeparser.cpp:1420:22
            #14 0x537c08 in QDateTimeParser::fromString(QString const&, QDateTime*) const /src/qt/qtbase/src/corelib/time/qdatetimeparser.cpp:2129:27
            #15 0x4ea1b8 in QDateTime::fromString(QString const&, QString const&, QCalendar) /src/qt/qtbase/src/corelib/time/qdatetime.cpp:5560:38
            #16 0x4ea31d in QDateTime::fromString(QString const&, QString const&) /src/qt/qtbase/src/corelib/time/qdatetime.cpp:5576:12
            #17 0x493b4e in LLVMFuzzerTestOneInput /src/qt/qtbase/tests/libfuzzer/corelib/time/qdatetime/fromstring/main.cpp:97:9
            #18 0x444511 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
            #19 0x42e542 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
            #20 0x434885 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
            #21 0x45d902 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
            #22 0x7ff39982183f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
            #23 0x409938 in _start (/out/qtbase_corelib_time_qdatetime_fromstring+0x409938)
        

      Attachments

        1. input
          0.0 kB
          Robert Löhning
        2. minimized
          0.0 kB
          Robert Löhning

        Activity

          People

            Eddy Edward Welbourne
            rlohning Robert Löhning
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: