Bug#681476: libqtcore4: use after free in src/corelib/tools/qlocale_unix.cpp

Subject: libqtcore4: use after free in src/corelib/tools/qlocale_unix.cpp
Package: libqtcore4
Version: 4:4.8.2-1
Severity: normal
Tags: patch

Valgrind complains about a use after free in the QSystemLocale code:

==15546== Invalid read of size 1
==15546==    at 0xCEA4A76: QByteArray::QByteArray(char const*) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEF924E: QSystemLocale::query(QSystemLocale::QueryType, QVariant) const (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC24D8: QLocalePrivate::updateSystemPrivate() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC2E3A: systemPrivate() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC2E68: defaultPrivate() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC2F99: QLocale::QLocale() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF4B139: QResourceFileEngine::QResourceFileEngine(QString const&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF730FF: _q_resolveEntryAndCreateLegacyEngine_recursive(QFileSystemEntry&, QFileSystemMetaData&, QAbstractFileEngine*&, bool) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF7335D: QFileSystemEngine::resolveEntryAndCreateLegacyEngine(QFileSystemEntry&, QFileSystemMetaData&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF2EC11: QFileInfo::QFileInfo(QString const&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF2A551: QFile::exists(QString const&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCE99FD2: QLibraryInfoPrivate::findConfiguration() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==  Address 0x2a301798 is 24 bytes inside a block of size 37 free'd
==15546==    at 0x4C27D4E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15546==    by 0xCEF8F9E: getSystemLocale() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEF9236: QSystemLocale::query(QSystemLocale::QueryType, QVariant) const (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC24D8: QLocalePrivate::updateSystemPrivate() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC2E3A: systemPrivate() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC2E68: defaultPrivate() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC2F99: QLocale::QLocale() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF4B139: QResourceFileEngine::QResourceFileEngine(QString const&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF730FF: _q_resolveEntryAndCreateLegacyEngine_recursive(QFileSystemEntry&, QFileSystemMetaData&, QAbstractFileEngine*&, bool) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF7335D: QFileSystemEngine::resolveEntryAndCreateLegacyEngine(QFileSystemEntry&, QFileSystemMetaData&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF2EC11: QFileInfo::QFileInfo(QString const&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF2A551: QFile::exists(QString const&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)

Indeed, disassembling getSystemLocale() shows a call to qFree(), from the
QByteArray destructor, apparently because it returns const char *
instead of QByteArray.  Changing the return type as below makes the use
after free disappear.

--- qt4-x11-4.8.2.orig/src/corelib/tools/qlocale_unix.cpp
+++ qt4-x11-4.8.2/src/corelib/tools/qlocale_unix.cpp
@@ -52,7 +52,7 @@
 
 QT_BEGIN_NAMESPACE
 
-static const char *getSystemLocale()
+static QByteArray getSystemLocale()
 {
 #if defined(Q_OS_QNX)
     static char buff[257];
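Review bot: the hunk changes only the signature of getSystemLocale(); the function's return statements and its caller in QSystemLocale::query() are outside the visible context, so this patch alone does not show that every return path now hands back an owning QByteArray (the QNX branch returning from the static `buff` is fine once copied into a QByteArray, but a non-QNX path that still returns `something.constData()` would merely convert a dangling pointer into a QByteArray at the wrong time), nor that the caller does not keep `getSystemLocale().constData()` past the full expression, which would reintroduce the same use after free with the new signature. Suggest including the hunks for the return statements and the call site, and a one-line comment above the function stating that it returns by value precisely so the caller owns the buffer.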

Cheers,
Julien
-- 
Julien Cristau          <julien.cristau@logilab.fr>
Logilab                 http://www.logilab.fr/
Informatique scientifique & gestion de connaissances
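The pattern the report describes (a function builds a QByteArray, returns its `constData()`, and the destructor frees the buffer before the caller reads it) can be reproduced without Qt. The following is an added example, not Qt's code and not the reporter's patch: `Bytes` is a constructed stand-in for QByteArray whose storage sits in a static arena that is poisoned with `?` on destruction (the way a debug allocator or a sanitizer's quarantine would), so the stale read is observable rather than undefined behaviour; `fakeGetenv` and the locale string `en_US.UTF-8` are likewise constructed. It also shows the caveat that survives the signature change in the patch: keeping `constData()` of the returned temporary beyond the full expression dangles again.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>

namespace demo {

// Static arena standing in for the heap. Released slots stay mapped, so
// reading one is defined behaviour and simply yields the poison bytes.
constexpr int kSlots = 8;
constexpr int kSlotSize = 64;
static char g_arena[kSlots][kSlotSize];
static bool g_inUse[kSlots];

// Minimal QByteArray stand-in (constructed for this example).
class Bytes {
public:
    explicit Bytes(const char *s) : slot_(acquire()) {
        std::strncpy(g_arena[slot_], s ? s : "", kSlotSize - 1);
        g_arena[slot_][kSlotSize - 1] = '\0';
    }
    Bytes(const Bytes &o) : slot_(acquire()) {
        std::memcpy(g_arena[slot_], g_arena[o.slot_], kSlotSize);
    }
    Bytes &operator=(const Bytes &) = delete;
    ~Bytes() {
        // Like a poisoning free(): scrub the block, then release the slot.
        std::memset(g_arena[slot_], '?', kSlotSize - 1);
        g_arena[slot_][kSlotSize - 1] = '\0';
        g_inUse[slot_] = false;
    }
    const char *constData() const { return g_arena[slot_]; }

private:
    static int acquire() {
        for (int i = 0; i < kSlots; ++i)
            if (!g_inUse[i]) { g_inUse[i] = true; return i; }
        std::abort();  // arena exhausted; never happens in this example
    }
    int slot_;
};

// Deterministic stand-in for qgetenv()/getenv() (constructed value).
static const char *fakeGetenv(const char *name) {
    return std::strcmp(name, "LANG") == 0 ? "en_US.UTF-8" : nullptr;
}

// "Before": returns a pointer into a buffer owned by a local that is
// destroyed at the closing brace, i.e. the shape the valgrind trace shows.
static const char *getSystemLocaleBroken() {
    Bytes lang(fakeGetenv("LANG"));
    return lang.constData();
}

// "After": returning the object by value hands ownership to the caller,
// which is what the signature change in the patch achieves.
static Bytes getSystemLocaleFixed() {
    return Bytes(fakeGetenv("LANG"));
}

// Caller in the role of QSystemLocale::query(): reads through the pointer
// after getSystemLocaleBroken() has already run the destructor.
std::string queryBroken() {
    return std::string(getSystemLocaleBroken());
}

// Correct use of the fixed function: the named object lives as long as
// the pointer is used.
std::string queryFixed() {
    Bytes lang = getSystemLocaleFixed();
    return std::string(lang.constData());
}

// Caveat: the fix does not help a caller that keeps constData() of the
// temporary; the temporary dies at the ';' and the pointer dangles again.
std::string queryFixedMisused() {
    const char *p = getSystemLocaleFixed().constData();
    return std::string(p);
}

}  // namespace demo

int main() {
    std::printf("broken:        %s\n", demo::queryBroken().c_str());
    std::printf("fixed:         %s\n", demo::queryFixed().c_str());
    std::printf("fixed misused: %s\n", demo::queryFixedMisused().c_str());
    return 0;
}
```

Running it prints the poison string for the broken and the misused variants and `en_US.UTF-8` for the correct one. On real Qt the poisoned read would instead be the "Invalid read of size 1" valgrind reports, or an ASan heap-use-after-free, which is the check to run on a patched build before closing the bug.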