heap buffer overflow in PropertiesWidget::displayFilesListMenu #1978
I found an error: `const QModelIndex index = *(selectedRows.begin()); // empty check is required!`
I thought that I had recently disabled showing popup menus when nothing was selected...
Yes, I use latest git master. Look at src/properties/propertieswidget.cpp:495. The problem is not when no torrents are selected, but when some torrent is selected, but I right-clicked on empty space.
As the pull request is merged, I think this could be closed.
(you can close issues that you have opened too)
I compiled qBittorrent with AddressSanitizer enabled. http://code.google.com/p/address-sanitizer/
qBittorrent crashes when I select some torrent with a few files and then right-click on empty space in the file list.
```text
ivan@liberty:~/d/qbittorrent$ src/qbittorrent
==12425== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600600dfb7a8 at pc 0x69097b bp 0x7fffa4273560 sp 0x7fffa4273558
READ of size 8 at 0x600600dfb7a8 thread T0
#0 0x69097a in QList::Node::t() /usr/include/qt4/QtCore/qlist.h:114
#1 0x69097a in QList::iterator::operator*() const /usr/include/qt4/QtCore/qlist.h:193
#2 0x69097a in PropertiesWidget::displayFilesListMenu(QPoint const&) /home/ivan/d/qbittorrent/src/properties/propertieswidget.cpp:495
#3 0x7ff55e49d879 (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x191879)
#4 0x7ff55ed44a61 (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x20ba61)
#5 0x7ff55ed528e6 (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x2198e6)
#6 0x7ff55f0f3fcd (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x5bafcd)
#7 0x7ff55f2035b2 (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x6ca5b2)
#8 0x7ff55f24218f (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x70918f)
#9 0x7ff55e489645 (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x17d645)
#10 0x7ff55ed02e0b (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x1c9e0b)
#11 0x7ff55ed0a1f7 (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x1d11f7)
#12 0x823321 in SessionApplication::notify(QObject*, QEvent*) /home/ivan/d/qbittorrent/src/sessionapplication.cpp:44
#13 0x7ff55e4894dc (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x17d4dc)
#14 0x7ff55ed7da1f (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x244a1f)
#15 0x7ff55ed7d268 (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x244268)
#16 0x7ff55eda4b01 (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x26bb01)
#17 0x7ff55cbc9e03 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x48e03)
#18 0x7ff55cbca047 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49047)
#19 0x7ff55cbca0eb (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x490eb)
#20 0x7ff55e4b67a0 (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x1aa7a0)
#21 0x7ff55eda4bb5 (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x26bbb5)
#22 0x7ff55e4880ae (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x17c0ae)
#23 0x7ff55e4883a4 (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x17c3a4)
#24 0x7ff55e48db78 (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x181b78)
#25 0x512c06 in main /home/ivan/d/qbittorrent/src/main.cpp:394
#26 0x7ff55d747ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#27 0x517994 in _start (/home/ivan/d/qbittorrent/src/qbittorrent+0x517994)
0x600600dfb7a8 is located 0 bytes to the right of 24-byte region [0x600600dfb790,0x600600dfb7a8)
allocated by thread T0 here:
#0 0x7ff56093441a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
#1 0x7ff55e3a42d0 (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x982d0)
SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/include/qt4/QtCore/qabstractitemmodel.h:65 QModelIndex
Shadow bytes around the buggy address:
0x0c01401b76a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c01401b76b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c01401b76c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c01401b76d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c01401b76e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c01401b76f0: fa fa 00 00 00[fa]fa fa 00 00 00 00 fa fa fd fd
0x0c01401b7700: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
0x0c01401b7710: 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd fd fd
0x0c01401b7720: fa fa 00 00 00 00 fa fa fd fd fd fd fa fa fd fd
0x0c01401b7730: fd fd fa fa 00 00 00 fa fa fa fd fd fd fd fa fa
0x0c01401b7740: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==12425== ABORTING
```
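The report above pins the read to `*(selectedRows.begin())` on a list whose 24-byte heap block has no elements, so the dereference lands exactly one slot past the end of the allocation. The following is an added example, not qBittorrent's code: it models the context-menu slot with `std::vector<int>` standing in for `QModelIndexList` (so it compiles without Qt) and places the unchecked pattern beside the guarded one the comment calls for. Row numbers and the `displayFilesListMenu`/`firstSelectedRow` names are constructed for the illustration.

```cpp
// Added example (not qBittorrent's code). std::vector<int> stands in for
// QModelIndexList and an int for QModelIndex; the bug class is the same.
#include <cstdio>
#include <vector>

using RowList = std::vector<int>;

// Unchecked shape, as in the crashing line: begin() of an empty list
// points one element past the heap block, and dereferencing it is the
// out-of-bounds READ that AddressSanitizer flagged. Never called with an
// empty list in this example.
int firstSelectedRowUnchecked(const RowList& selectedRows) {
    const int index = *(selectedRows.begin()); // empty check is required!
    return index;
}

// Guarded shape: report "no selection" instead of reading from an empty
// list. Returns true and fills `row` only when at least one row is selected.
bool firstSelectedRow(const RowList& selectedRows, int& row) {
    if (selectedRows.empty())
        return false;
    row = selectedRows.front();
    return true;
}

// Models the right-click slot. Returns true when a menu would be shown,
// false when the click landed on empty space with nothing selected.
bool displayFilesListMenu(const RowList& selectedRows) {
    int row = 0;
    if (!firstSelectedRow(selectedRows, row))
        return false; // right-click on empty space: do nothing, no crash
    std::printf("menu for row %d\n", row);
    return true;
}

int main() {
    // Constructed sample selections.
    displayFilesListMenu({});     // empty space: no menu, no read past the block
    displayFilesListMenu({2, 5}); // prints "menu for row 2"
    return 0;
}
```

Building with `-fsanitize=address` and exercising the unchecked function on an empty list reproduces a report of the same shape as the one in this issue; the guarded function never touches the allocation when the list is empty, which is the whole fix.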