Subject: libqtcore4: use after free in src/corelib/tools/qlocale_unix.cpp
Package: libqtcore4
Version: 4:4.8.2-1
Severity: normal
Tags: patch
Valgrind complains about a use after free in the QSystemLocale code:

==15546== Invalid read of size 1
==15546==    at 0xCEA4A76: QByteArray::QByteArray(char const*) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEF924E: QSystemLocale::query(QSystemLocale::QueryType, QVariant) const (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC24D8: QLocalePrivate::updateSystemPrivate() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC2E3A: systemPrivate() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC2E68: defaultPrivate() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC2F99: QLocale::QLocale() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF4B139: QResourceFileEngine::QResourceFileEngine(QString const&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF730FF: _q_resolveEntryAndCreateLegacyEngine_recursive(QFileSystemEntry&, QFileSystemMetaData&, QAbstractFileEngine*&, bool) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF7335D: QFileSystemEngine::resolveEntryAndCreateLegacyEngine(QFileSystemEntry&, QFileSystemMetaData&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF2EC11: QFileInfo::QFileInfo(QString const&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF2A551: QFile::exists(QString const&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCE99FD2: QLibraryInfoPrivate::findConfiguration() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==  Address 0x2a301798 is 24 bytes inside a block of size 37 free'd
==15546==    at 0x4C27D4E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15546==    by 0xCEF8F9E: getSystemLocale() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEF9236: QSystemLocale::query(QSystemLocale::QueryType, QVariant) const (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC24D8: QLocalePrivate::updateSystemPrivate() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC2E3A: systemPrivate() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC2E68: defaultPrivate() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCEC2F99: QLocale::QLocale() (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF4B139: QResourceFileEngine::QResourceFileEngine(QString const&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF730FF: _q_resolveEntryAndCreateLegacyEngine_recursive(QFileSystemEntry&, QFileSystemMetaData&, QAbstractFileEngine*&, bool) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF7335D: QFileSystemEngine::resolveEntryAndCreateLegacyEngine(QFileSystemEntry&, QFileSystemMetaData&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF2EC11: QFileInfo::QFileInfo(QString const&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)
==15546==    by 0xCF2A551: QFile::exists(QString const&) (in /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.2)

Indeed, disassembling getSystemLocale() shows a call to qFree(), from the QByteArray destructor, apparently because it returns const char * instead of QByteArray. Changing the return type as below makes the use after free disappear.

--- qt4-x11-4.8.2.orig/src/corelib/tools/qlocale_unix.cpp +++ qt4-x11-4.8.2/src/corelib/tools/qlocale_unix.cpp @@ -52,7 +52,7 @@ QT_BEGIN_NAMESPACE -static const char *getSystemLocale() +static QByteArray getSystemLocale() { #if defined(Q_OS_QNX) static char buff[257];

Cheers,
Julien
-- 
Julien Cristau <julien.cris...@logilab.fr>
Logilab http://www.logilab.fr/
Scientific computing & knowledge management

Archive: http://lists.debian.org/20120713140319.gb13...@crater1.logilab.fr
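Review bot: the return-type change at line 52 removes the dangling pointer only if the caller keeps the returned QByteArray alive while it uses the characters; the hunk shows just the declaration and none of the call sites, so the patch (or its description) should confirm that QSystemLocale::query(), which the trace shows constructing a QByteArray from the old char const* result, now takes the result as a QByteArray value rather than taking a pointer out of the temporary, which would reproduce the same read-after-free. The 7-line context also hides the function's remaining return statements; each of them must now produce something convertible to QByteArray (the Q_OS_QNX `static char buff[257]` path is fine), so it is worth stating which path built the QByteArray whose destructor calls qFree().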
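The lifetime bug described above, as an added example that is not code from Qt or from this report: a stand-in ByteArray class (an assumption, modelled on Qt 4's QByteArray and its implicit conversion to const char *) and a constructed qgetenv stand-in, showing the pre-patch `const char *` return handing the caller a pointer into an already destroyed object next to the by-value return the patch introduces.

```cpp
#include <cstring>
#include <string>

// Stand-in for Qt 4's QByteArray (assumption: mirrors its implicit operator
// const char *()). The destructor poisons and deliberately leaks its buffer
// instead of freeing it, so the dangling read is observable deterministically
// rather than being undefined behaviour as with the real free() in the trace.
class ByteArray {
    struct Storage { char buf[64]; };
    Storage *s_;
public:
    explicit ByteArray(const char *src = "") : s_(new Storage) {
        std::strncpy(s_->buf, src, sizeof s_->buf - 1);
        s_->buf[sizeof s_->buf - 1] = '\0';
    }
    ByteArray(const ByteArray &o) : ByteArray(o.s_->buf) {}
    ByteArray &operator=(const ByteArray &) = delete;
    ~ByteArray() { std::strcpy(s_->buf, "<freed>"); }  // poison; leak on purpose
    operator const char *() const { return s_->buf; }  // implicit, as in Qt 4
    bool isEmpty() const { return s_->buf[0] == '\0'; }
};

// Constructed environment stand-in for qgetenv() (assumption): only LANG is set.
static ByteArray fakeGetenv(const char *name) {
    return ByteArray(std::strcmp(name, "LANG") == 0 ? "en_US.UTF-8" : "");
}

// Pre-patch shape: the helper builds a ByteArray but returns const char *, so
// the conversion yields a pointer into an object destroyed before the caller runs.
static const char *getSystemLocaleBuggy() {
    ByteArray lang = fakeGetenv("LC_ALL");
    if (lang.isEmpty())
        return fakeGetenv("LANG");  // temporary dies at the end of this statement
    return lang;                    // local dies when the function returns
}

// Patched shape: return the ByteArray by value; the copy outlives the local.
static ByteArray getSystemLocaleFixed() {
    ByteArray lang = fakeGetenv("LC_ALL");
    if (lang.isEmpty())
        return fakeGetenv("LANG");
    return lang;
}

// Caller in the role of QSystemLocale::query(): copies the result into a new string.
std::string queryBuggy() { return std::string(getSystemLocaleBuggy()); }
std::string queryFixed() {
    ByteArray lang = getSystemLocaleFixed();
    return std::string(static_cast<const char *>(lang));
}
```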