Fabian Vogt 2020-02-19 10:09:00 +00:00 committed by Git OBS Bridge
parent c6eb576eeb
commit 5fb396e9b0
3 changed files with 0 additions and 149 deletions

View File

@ -1,142 +0,0 @@
From 9dcf75766469dbe61c19389bae0413767360c234 Mon Sep 17 00:00:00 2001
From: Shawn Rutledge <shawn.rutledge@qt.io>
Date: Mon, 24 Feb 2020 16:23:27 +0100
Subject: [PATCH] QTextMarkdownImporter: fix use after free; add fuzz-generated
tests
It was possible to end up with a dangling pointer in m_listStack.
This is now avoided by using QPointer and doing nullptr checks before
accessing any QTextList pointer stored there.
We have 2 specimens of garbage that caused crashes before; now they don't.
But only fuzz20450 triggered the dangling pointer in the list stack.
The crash caused by fuzz20580 was fixed by updating md4c from upstream:
4b0fc030777cd541604f5ebaaad47a2b76d61ff9
Change-Id: I8e1eca23b281256a03aea0f55e9ae20f1bdd2a38
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
---
src/gui/text/qtextmarkdownimporter.cpp | 7 ++++--
src/gui/text/qtextmarkdownimporter_p.h | 2 +-
.../qtextmarkdownimporter/data/fuzz20450.md | 5 ++++
.../qtextmarkdownimporter/data/fuzz20580.md | 1 +
.../qtextmarkdownimporter.pro | 2 ++
.../tst_qtextmarkdownimporter.cpp | 24 +++++++++++++++++++
6 files changed, 38 insertions(+), 3 deletions(-)
create mode 100644 tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20450.md
create mode 100644 tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20580.md
diff --git a/src/gui/text/qtextmarkdownimporter.cpp b/src/gui/text/qtextmarkdownimporter.cpp
index 88965046ce..ea62d5c2e5 100644
--- a/src/gui/text/qtextmarkdownimporter.cpp
+++ b/src/gui/text/qtextmarkdownimporter.cpp
@@ -575,7 +575,10 @@ void QTextMarkdownImporter::insertBlock()
QTextBlockFormat blockFormat;
if (!m_listStack.isEmpty() && !m_needsInsertList && m_listItem) {
QTextList *list = m_listStack.top();
- blockFormat = list->item(list->count() - 1).blockFormat();
+ if (list)
+ blockFormat = list->item(list->count() - 1).blockFormat();
+ else
+ qWarning() << "attempted to insert into a list that no longer exists";
}
if (m_blockQuoteDepth) {
blockFormat.setProperty(QTextFormat::BlockQuoteLevel, m_blockQuoteDepth);
@@ -605,7 +608,7 @@ void QTextMarkdownImporter::insertBlock()
}
if (m_needsInsertList) {
m_listStack.push(m_cursor->createList(m_listFormat));
- } else if (!m_listStack.isEmpty() && m_listItem) {
+ } else if (!m_listStack.isEmpty() && m_listItem && m_listStack.top()) {
m_listStack.top()->add(m_cursor->block());
}
m_needsInsertList = false;
diff --git a/src/gui/text/qtextmarkdownimporter_p.h b/src/gui/text/qtextmarkdownimporter_p.h
index f450da5eb3..e3b4bcd0f2 100644
--- a/src/gui/text/qtextmarkdownimporter_p.h
+++ b/src/gui/text/qtextmarkdownimporter_p.h
@@ -113,7 +113,7 @@ private:
#endif
QString m_blockCodeLanguage;
QVector<int> m_nonEmptyTableCells; // in the current row
- QStack<QTextList *> m_listStack;
+ QStack<QPointer<QTextList>> m_listStack;
QStack<QTextCharFormat> m_spanFormatStack;
QFont m_monoFont;
QPalette m_palette;
diff --git a/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20450.md b/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20450.md
new file mode 100644
index 0000000000..d7005cb01e
--- /dev/null
+++ b/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20450.md
@@ -0,0 +1,5 @@
+<t>ÿ
+* ÿ
+
+ ÿ
+* ÿ
\ No newline at end of file
diff --git a/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20580.md b/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20580.md
new file mode 100644
index 0000000000..22006f5876
--- /dev/null
+++ b/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20580.md
@@ -0,0 +1 @@
+| --:| <?`?><?|`
\ No newline at end of file
diff --git a/tests/auto/gui/text/qtextmarkdownimporter/qtextmarkdownimporter.pro b/tests/auto/gui/text/qtextmarkdownimporter/qtextmarkdownimporter.pro
index 7b7fb61244..f3818efbf7 100644
--- a/tests/auto/gui/text/qtextmarkdownimporter/qtextmarkdownimporter.pro
+++ b/tests/auto/gui/text/qtextmarkdownimporter/qtextmarkdownimporter.pro
@@ -5,5 +5,7 @@ SOURCES += tst_qtextmarkdownimporter.cpp
TESTDATA += \
data/thematicBreaks.md \
data/headingBulletsContinuations.md \
+ data/fuzz20450.md \
+ data/fuzz20580.md \
DEFINES += SRCDIR=\\\"$$PWD\\\"
diff --git a/tests/auto/gui/text/qtextmarkdownimporter/tst_qtextmarkdownimporter.cpp b/tests/auto/gui/text/qtextmarkdownimporter/tst_qtextmarkdownimporter.cpp
index 39a1370f6f..5eb04af696 100644
--- a/tests/auto/gui/text/qtextmarkdownimporter/tst_qtextmarkdownimporter.cpp
+++ b/tests/auto/gui/text/qtextmarkdownimporter/tst_qtextmarkdownimporter.cpp
@@ -57,6 +57,8 @@ private slots:
void lists();
void avoidBlankLineAtBeginning_data();
void avoidBlankLineAtBeginning();
+ void pathological_data();
+ void pathological();
};
void tst_QTextMarkdownImporter::headingBulletsContinuations()
@@ -256,5 +258,27 @@ void tst_QTextMarkdownImporter::avoidBlankLineAtBeginning() // QTBUG-81060
QCOMPARE(i, expectedNumberOfParagraphs);
}
+void tst_QTextMarkdownImporter::pathological_data()
+{
+ QTest::addColumn<QString>("warning");
+ QTest::newRow("fuzz20450") << "attempted to insert into a list that no longer exists";
+ QTest::newRow("fuzz20580") << "";
+}
+
+void tst_QTextMarkdownImporter::pathological() // avoid crashing on crazy input
+{
+ QFETCH(QString, warning);
+ QString filename = QLatin1String("data/") + QTest::currentDataTag() + QLatin1String(".md");
+ QFile f(QFINDTESTDATA(filename));
+ QVERIFY(f.open(QFile::ReadOnly));
+#ifdef QT_NO_DEBUG
+ Q_UNUSED(warning)
+#else
+ if (!warning.isEmpty())
+ QTest::ignoreMessage(QtWarningMsg, warning.toLatin1());
+#endif
+ QTextDocument().setMarkdown(f.readAll());
+}
+
QTEST_MAIN(tst_QTextMarkdownImporter)
#include "tst_qtextmarkdownimporter.moc"
--
2.25.1

View File

@ -1,9 +1,3 @@
-------------------------------------------------------------------
Mon Apr 27 12:45:07 UTC 2020 - Fabian Vogt <fabian@ritter-vogt.de>
- Add patch to fix use-after-free (boo#1170582, CVE-2020-12267):
* 0001-QTextMarkdownImporter-fix-use-after-free-add-fuzz-ge.patch
-------------------------------------------------------------------
Mon Jan 27 13:13:57 UTC 2020 - Fabian Vogt <fabian@ritter-vogt.de>

View File

@ -66,7 +66,6 @@ Patch22: 0002-Revert-qtlite-Fix-build-libs-with-no-feature-regular.patch
Patch23: 0003-Revert-White-list-more-recent-Mesa-version-for-multi.patch
Patch24: fix-fixqt4headers.patch
# patches 1000-2000 and above from upstream 5.14 branch #
Patch1000: 0001-QTextMarkdownImporter-fix-use-after-free-add-fuzz-ge.patch
# patches 2000-3000 and above from upstream 5.15/dev branch #
# Not accepted yet, https://codereview.qt-project.org/c/qt/qtbase/+/255384
Patch2001: 0002-Synthesize-Enter-LeaveEvent-for-accepted-QTabletEven.patch