diff options
| author | Shawn Rutledge <shawn.rutledge@qt.io> | 2020-02-24 16:23:27 +0100 |
|---|---|---|
| committer | Shawn Rutledge <shawn.rutledge@qt.io> | 2020-02-28 09:31:59 +0100 |
| commit | 7447e2b337f12b4d04935d0f30fc673e4327d5a0 (patch) | |
| tree | e6dfaac556c0e2ccb745bd9d13145b2ed3690f1d /tests | |
| parent | eaf7f572bfbcb33b106097923f4e0efdd9c683fc (diff) | |
QTextMarkdownImporter: fix use after free; add fuzz-generated tests
It was possible to end up with a dangling pointer in m_listStack.
This is now avoided by using QPointer and doing nullptr checks before
accessing any QTextList pointer stored there.
We have 2 specimens of garbage that caused crashes before; now they don't.
But only fuzz20450 triggered the dangling pointer in the list stack.
The crash caused by fuzz20580 was fixed by updating md4c from upstream:
4b0fc030777cd541604f5ebaaad47a2b76d61ff9
Change-Id: I8e1eca23b281256a03aea0f55e9ae20f1bdd2a38
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Diffstat (limited to 'tests')
4 files changed, 32 insertions, 0 deletions
diff --git a/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20450.md b/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20450.md new file mode 100644 index 0000000000..d7005cb01e --- /dev/null +++ b/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20450.md @@ -0,0 +1,5 @@ +<t>ÿ +* ÿ + + ÿ +* ÿ
\ No newline at end of file diff --git a/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20580.md b/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20580.md new file mode 100644 index 0000000000..22006f5876 --- /dev/null +++ b/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20580.md @@ -0,0 +1 @@ +|
--:|
<?`?><?|`
\ No newline at end of file diff --git a/tests/auto/gui/text/qtextmarkdownimporter/qtextmarkdownimporter.pro b/tests/auto/gui/text/qtextmarkdownimporter/qtextmarkdownimporter.pro index 7b7fb61244..f3818efbf7 100644 --- a/tests/auto/gui/text/qtextmarkdownimporter/qtextmarkdownimporter.pro +++ b/tests/auto/gui/text/qtextmarkdownimporter/qtextmarkdownimporter.pro @@ -5,5 +5,7 @@ SOURCES += tst_qtextmarkdownimporter.cpp TESTDATA += \ data/thematicBreaks.md \ data/headingBulletsContinuations.md \ + data/fuzz20450.md \ + data/fuzz20580.md \ DEFINES += SRCDIR=\\\"$$PWD\\\" diff --git a/tests/auto/gui/text/qtextmarkdownimporter/tst_qtextmarkdownimporter.cpp b/tests/auto/gui/text/qtextmarkdownimporter/tst_qtextmarkdownimporter.cpp index 39a1370f6f..5eb04af696 100644 --- a/tests/auto/gui/text/qtextmarkdownimporter/tst_qtextmarkdownimporter.cpp +++ b/tests/auto/gui/text/qtextmarkdownimporter/tst_qtextmarkdownimporter.cpp @@ -57,6 +57,8 @@ private slots: void lists(); void avoidBlankLineAtBeginning_data(); void avoidBlankLineAtBeginning(); + void pathological_data(); + void pathological(); }; void tst_QTextMarkdownImporter::headingBulletsContinuations() @@ -256,5 +258,27 @@ void tst_QTextMarkdownImporter::avoidBlankLineAtBeginning() // QTBUG-81060 QCOMPARE(i, expectedNumberOfParagraphs); } +void tst_QTextMarkdownImporter::pathological_data() +{ + QTest::addColumn<QString>("warning"); + QTest::newRow("fuzz20450") << "attempted to insert into a list that no longer exists"; + QTest::newRow("fuzz20580") << ""; +} + +void tst_QTextMarkdownImporter::pathological() // avoid crashing on crazy input +{ + QFETCH(QString, warning); + QString filename = QLatin1String("data/") + QTest::currentDataTag() + QLatin1String(".md"); + QFile f(QFINDTESTDATA(filename)); + QVERIFY(f.open(QFile::ReadOnly)); +#ifdef QT_NO_DEBUG + Q_UNUSED(warning) +#else + if (!warning.isEmpty()) + QTest::ignoreMessage(QtWarningMsg, warning.toLatin1()); +#endif + QTextDocument().setMarkdown(f.readAll()); +} + QTEST_MAIN(tst_QTextMarkdownImporter) #include "tst_qtextmarkdownimporter.moc" |