Qt / QTBUG-8531

Crash in qUncompress when Z_BUF_ERROR occurs in zlib.

Details

    • Bug
    • Resolution: Done
    • P2: Important
    • 4.6.2
    • 4.6.0
    • Core: I/O
    • None
    • Windows XP
    • 29423dcc76970253fd5bca43d0abba4876b85b85

    Description

      Use some data to decompress where the expected size (read from the first 4 bytes of the array) is smaller than the real size of the decompressed array.
      The application stops with corruption of the heap memory.

      I assume the problem lies in qbytearray.cpp in line 543:
      d.reset(q_check_ptr(static_cast<QByteArray::Data *>(qRealloc(d.data(), sizeof(QByteArray::Data) + alloc))));

      The realloc sometimes moves the memory pointer. When this happens, q_check_ptr tries to free the memory at the previous pointer.
      That does not work because it is not necessary to free the memory here.

      This is reproducible when Z_BUF_ERROR (line 573) occurs and, as a result of that, line 543 is called two or more times.
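
The condition in the description (a 4-byte length header smaller than the real decompressed size) can be checked before a blob from an untrusted source is handed to qUncompress. The following is an added example, not part of the original report or of Qt's code; it is written in Python so it runs without Qt, and the function names, verdict strings and the `MAX_OUTPUT` cap are assumptions made for the illustration.

```python
import struct
import zlib

MAX_OUTPUT = 16 * 1024 * 1024  # assumed policy cap for this example, not a Qt constant


def make_qcompress_blob(payload: bytes, declared_len=None) -> bytes:
    """Build a qCompress-style blob: 4-byte big-endian length, then a zlib stream."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack(">I", declared_len) + zlib.compress(payload)


def check_qcompress_blob(blob: bytes, max_output: int = MAX_OUTPUT):
    """Compare the declared length with the real one; return (verdict, declared, actual)."""
    if len(blob) < 4:
        return ("truncated", None, None)
    (declared,) = struct.unpack(">I", blob[:4])
    inflater = zlib.decompressobj()
    try:
        # Ask for one byte more than the cap so an oversized stream is detectable
        # without ever allocating according to the header.
        out = inflater.decompress(blob[4:], max_output + 1)
    except zlib.error:
        return ("corrupt", declared, None)
    if len(out) > max_output:
        return ("too_large", declared, None)
    if not inflater.eof:
        return ("corrupt", declared, None)  # zlib stream ended early
    actual = len(out)
    if actual > declared:
        # The case from the report: the first buffer is too small, so the
        # decompressor has to grow it (the Z_BUF_ERROR path).
        return ("header_too_small", declared, actual)
    if actual < declared:
        return ("header_too_large", declared, actual)
    return ("ok", declared, actual)


if __name__ == "__main__":
    payload = b"A" * 1000  # constructed sample data
    print(check_qcompress_blob(make_qcompress_blob(payload)))
    print(check_qcompress_blob(make_qcompress_blob(payload, declared_len=10)))
```
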


          People

            goffart Olivier Goffart (closed Nokia identity) (Inactive)
            clehnert Christian Lehner