ERROR: AddressSanitizer: heap-buffer-overflow: load_cursor.c
When building a Qt 6.6.0 Beta 1 example program (calculatorform.pro) using fsanitize and running on a Linux Mint VM:
System:
Kernel: 5.15.0-76-generic x86_64 bits: 64 compiler: gcc v: 11.3.0 Desktop: Cinnamon 5.6.8
tk: GTK 3.24.33 wm: muffin dm: LightDM Distro: Linux Mint 21.1 Vera base: Ubuntu 22.04 jammy
Machine:
Type: Virtualbox System:
I got a heap buffer overflow error reported.
As this did not say where the memory was allocated I built a copy of xcb-util-cursor-0.1.1 locally with fsanitize enabled using the following configure:
./configure CFLAGS="-O0 -g -fsanitize=address -fno-omit-frame-pointer" CPPFLAGS="-O0 -g -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-g -fsanitize=address"
Then I received the following error from AddressSanitizer:
=================================================================
==18997==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030001fe505 at pc 0x7f35c910d88c bp 0x7ffcbb1e8680 sp 0x7ffcbb1e8670
WRITE of size 1 at 0x6030001fe505 thread T0
#0 0x7f35c910d88b in _XcursorThemeInherits /home/peter/Develop/LINUX/BUILDS0/xcb-util-cursor-0.1.1/cursor/load_cursor.c:107
#1 0x7f35c910df30 in open_cursor_file /home/peter/Develop/LINUX/BUILDS0/xcb-util-cursor-0.1.1/cursor/load_cursor.c:165
#2 0x7f35c910e36c in xcb_cursor_load_cursor /home/peter/Develop/LINUX/BUILDS0/xcb-util-cursor-0.1.1/cursor/load_cursor.c:204
#3 0x7f35c918b5d8 in QXcbCursor::createFontCursor(int) /home/qt/work/qt/qtbase/src/plugins/platforms/xcb/qxcbcursor.cpp:493
#4 0x7f35c918bd32 in QXcbCursor::changeCursor(QCursor*, QWindow*) /home/qt/work/qt/qtbase/src/plugins/platforms/xcb/qxcbcursor.cpp:327
#5 0x7f35c918bd32 in QXcbCursor::changeCursor(QCursor*, QWindow*) /home/qt/work/qt/qtbase/src/plugins/platforms/xcb/qxcbcursor.cpp:306
#6 0x7f35cf94f6cc in QWindowPrivate::applyCursor() /home/qt/work/qt/qtbase/src/gui/kernel/qwindow.cpp:3035
#7 0x7f35cf953ef6 in QWindowPrivate::setCursor(QCursor const*) /home/qt/work/qt/qtbase/src/gui/kernel/qwindow.cpp:3016
#8 0x7f35d02be070 in applyCursor /home/qt/work/qt/qtbase/src/widgets/kernel/qwidget.cpp:5012
#9 0x7f35d02be070 in qt_qpa_set_cursor(QWidget*, bool) /home/qt/work/qt/qtbase/src/widgets/kernel/qwidget.cpp:5050
#10 0x7f35d02c77c1 in qt_qpa_set_cursor(QWidget*, bool) /home/qt/work/qt/qtbase/src/widgets/kernel/qwidget.cpp:5023
#11 0x7f35d02c77c1 in QWidgetPrivate::show_sys() /home/qt/work/qt/qtbase/src/widgets/kernel/qwidget.cpp:8177
#12 0x7f35d02cfbea in QWidgetPrivate::show_helper() /home/qt/work/qt/qtbase/src/widgets/kernel/qwidget.cpp:8103
#13 0x7f35d02d2542 in QWidgetPrivate::setVisible(bool) /home/qt/work/qt/qtbase/src/widgets/kernel/qwidget.cpp:8399
#14 0x559c33290462 in main ../calculatorform/main.cpp:12
#15 0x7f35ceac7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#16 0x7f35ceac7e3f in __libc_start_main_impl ../csu/libc-start.c:392
#17 0x559c332878e4 in _start (/home/peter/QtCom/Examples/Qt-6.5.1/designer/build-calculatorform-Desktop_Qt_6_6_0_GCC_64bit-Debug/calculatorform+0x58e4)
0x6030001fe505 is located 0 bytes to the right of 21-byte region [0x6030001fe4f0,0x6030001fe505)
allocated by thread T0 here:
#0 0x7f35d08e4867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f35c910d5ae in _XcursorThemeInherits /home/peter/Develop/LINUX/BUILDS0/xcb-util-cursor-0.1.1/cursor/load_cursor.c:92
#2 0x7f35c910df30 in open_cursor_file /home/peter/Develop/LINUX/BUILDS0/xcb-util-cursor-0.1.1/cursor/load_cursor.c:165
#3 0x7f35c910e36c in xcb_cursor_load_cursor /home/peter/Develop/LINUX/BUILDS0/xcb-util-cursor-0.1.1/cursor/load_cursor.c:204
#4 0x7f35c918b5d8 in QXcbCursor::createFontCursor(int) /home/qt/work/qt/qtbase/src/plugins/platforms/xcb/qxcbcursor.cpp:493
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/peter/Develop/LINUX/BUILDS0/xcb-util-cursor-0.1.1/cursor/load_cursor.c:107 in _XcursorThemeInherits
Shadow bytes around the buggy address:
0x0c0680037c50: fd fd fd fa fa fa 00 00 04 fa fa fa fd fd fd fa
0x0c0680037c60: fa fa 00 00 04 fa fa fa 00 00 04 fa fa fa fd fd
0x0c0680037c70: fd fa fa fa fd fd fd fa fa fa 00 00 00 fa fa fa
0x0c0680037c80: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa
0x0c0680037c90: fa fa fd fd fd fd fa fa 00 00 00 01 fa fa 00 00
=>0x0c0680037ca0:[05]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0680037cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0680037cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0680037cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0680037ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0680037cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==18997==ABORTING
Looking at the source code for the buffer overflow memory allocation and how it is used, it seems that in the following line:
result = malloc (strlen (l));
not enough memory is allocated, and the size of the memory allocated should be strlen(l) + 1.
Hence the memory buffer overflow at load_cursor.c:107.
The function that is being called:
static char *
_XcursorThemeInherits (const char *full)
points to a file: "/usr/share/icons/default/index.theme"
And the content of that file on my machine is:
[Icon Theme]
Name=Bibata-Modern-Classic
Inherits=Bibata-Modern-Classic
I hope this helps you confirm and fix the issue. NB: Looking at your latest source code under git (git://anongit.freedesktop.org/git/xcb/util-cursor) the error line in question seems to be still there.
Regards
Peter
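Added example (not the xcb-util-cursor source and not part of the report): a re-creation of the "Inherits=" parsing pattern the report describes, with the allocation size made explicit so the off-by-one can be checked without actually triggering it. The ASan output above says the region is 21 bytes, which is exactly the length of "Bibata-Modern-Classic"; the example's reading, which is an assumption, is that `strlen(l)` only leaves room for the terminating NUL when the line still carries its trailing newline, so a final index.theme line without one overflows by the single byte ASan reports. The separator and whitespace sets, the helper names and the `parse_inherits_line` wrapper are assumptions, not project code; `inherits_fixed` applies the `strlen(l) + 1` sizing the report proposes.

```c
/* Added example (not the xcb-util-cursor source): re-creation of the
 * "Inherits=" parsing pattern from the report, with the allocation
 * size made explicit so the off-by-one can be checked without UB. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: ';' and ',' separate theme names; space, tab, CR and LF
 * end them (an xcursor-style parser treats them this way). */
static int is_sep(char c)   { return c == ';' || c == ','; }
static int is_white(char c) { return c == ' ' || c == '\t' || c == '\n' || c == '\r'; }

/* Copy the theme list after "Inherits=" into dst (capacity cap),
 * joining names with ':'. Returns the number of bytes the full result
 * needs INCLUDING the terminating NUL, and never writes past cap. */
static size_t copy_inherits(const char *l, char *dst, size_t cap)
{
    size_t n = 0;                           /* bytes emitted so far */
    while (*l) {
        while (is_sep(*l) || is_white(*l)) l++;
        if (!*l) break;
        if (n > 0) { if (n < cap) dst[n] = ':'; n++; }
        while (*l && !is_white(*l) && !is_sep(*l)) {
            if (n < cap) dst[n] = *l;
            n++; l++;
        }
    }
    if (n < cap) dst[n] = '\0';             /* the byte that overflowed in the report */
    return n + 1;
}

/* Returns 1 if malloc(strlen(l)) would be one byte short for value l,
 * i.e. the condition behind the reported heap-buffer-overflow. */
int unsafe_alloc_overflows(const char *l)
{
    char scratch[256];
    size_t needed = copy_inherits(l, scratch, sizeof scratch);
    return needed > strlen(l);
}

/* Fixed sizing: strlen(l) + 1 covers the worst case (nothing dropped,
 * plus the NUL), whether or not the line ends in a newline. */
char *inherits_fixed(const char *l)
{
    size_t cap = strlen(l) + 1;
    char *result = malloc(cap);
    if (!result) return NULL;
    copy_inherits(l, result, cap);
    return result;
}

/* Parse one index.theme line; NULL if it is not an "Inherits" key. */
char *parse_inherits_line(const char *line)
{
    if (strncmp(line, "Inherits", 8) != 0) return NULL;
    const char *l = line + 8;
    while (*l == ' ') l++;
    if (*l != '=') return NULL;
    l++;
    while (*l == ' ') l++;
    return inherits_fixed(l);
}

int main(void)
{
    /* Constructed inputs: the reporter's value with and without a
     * trailing newline (the last line of a file often has none). */
    const char *with_nl    = "Bibata-Modern-Classic\n";
    const char *without_nl = "Bibata-Modern-Classic";
    printf("with newline:    strlen=%zu overflow=%d\n",
           strlen(with_nl), unsafe_alloc_overflows(with_nl));
    printf("without newline: strlen=%zu overflow=%d\n",
           strlen(without_nl), unsafe_alloc_overflows(without_nl));
    char *r = parse_inherits_line("Inherits=Bibata-Modern-Classic");
    printf("fixed result: %s\n", r);
    free(r);
    return 0;
}
```

Compiled with `-fsanitize=address`, the check never faults because `copy_inherits` is bounded; the overflow condition is reported as a return value instead. `unsafe_alloc_overflows` is 0 for the newline-terminated line (22 bytes allocated, 22 needed) and 1 for the bare one (21 allocated, 22 needed), matching the "0 bytes to the right of 21-byte region" in the ASan report.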