From 2a80c04d3bbc45b5d1293a5141839c0b4719f772 Mon Sep 17 00:00:00 2001
From: Simon Hausmann
Date: Thu, 15 Feb 2018 11:02:07 +0100
Subject: Fix crash when reading window titles with XCB
This is a regression introduced with commit cb142954c54b7a6e391950d9209b5cea9252092b that changed the code from using QString:fromUtf8(name, propertyLength) to QString::fromUtf8(name), assuming that the property name is a zero-terminated string. That however is not correct.
ASAN trace:
==4039==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400001e0b4 at pc 0x7f3383c7d66e bp 0x7ffdc8e3d9b0 sp 0x7ffdc8e3d158
READ of size 5 at 0x60400001e0b4 thread T0
#0 0x7f3383c7d66d (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
#1 0x7f337602f32a in QString::fromUtf8(char const*, int) ../../../../include/QtCore/../../src/corelib/tools/qstring.h:569
#2 0x7f337602f32a in QXcbWindow::windowTitle(QXcbConnection const*, unsigned int) /home/simon/dev/qt-5.11/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:2861
[...]
0x60400001e0b4 is located 0 bytes to the right of 36-byte region [0x60400001e090,0x60400001e0b4)
allocated by thread T1 (QXcbEventReader) here:
#0 0x7f3383d0ab50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x7f337b397e2b (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xde2b)
Change-Id: Ia5024602d3aacb924b5dcd3956672da2a8f10feb
Reviewed-by: Friedemann Kleint
---
src/plugins/platforms/xcb/qxcbwindow.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/plugins/platforms/xcb')
diff --git a/src/plugins/platforms/xcb/qxcbwindow.cpp b/src/plugins/platforms/xcb/qxcbwindow.cpp
index 61cfed4db7..e9a6e536a7 100644
--- a/src/plugins/platforms/xcb/qxcbwindow.cpp
+++ b/src/plugins/platforms/xcb/qxcbwindow.cpp
@@ -2857,7 +2857,7 @@ QString QXcbWindow::windowTitle(const QXcbConnection *conn, xcb_window_t window)
 utf8Atom, 0, 1024);
 if (reply && reply->format == 8 && reply->type == utf8Atom) {
 const char *name = reinterpret_cast(xcb_get_property_value(reply.get()));
- return QString::fromUtf8(name);
+ return QString::fromUtf8(name, xcb_get_property_value_length(reply.get()));
 }
 return QString();
 }
-- 
cgit v1.2.3
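Review bot: The added `xcb_get_property_value_length(reply.get())` argument is the right fix, but nothing in the hunk records why the length is mandatory, so the next refactor can reintroduce the overread the same way commit cb142954c5 did; a one-line comment above the return, `// X property data is not NUL-terminated and is set by another client; always pass the xcb length.`, pins the invariant. The property is requested with a long_length of 1024 (4096 bytes) and `reply->bytes_after` is not consulted, so a longer title is silently truncated, possibly inside a multi-byte UTF-8 sequence, which fromUtf8 will render as replacement characters rather than crash; if that matters, the truncation deserves a comment or a bytes_after check. The windowTitle body begins above the hunk, so the xcb_get_property call that sets this limit is outside the visible lines.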