CVE-2021-28025: Out-of-bounds read in function `QRadialFetchSimd<QSimdSse2>::fetch` when rendering a crafted SVG file

Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).

Reproduction (fuzzer harness run against the crafting SVG input):

./qtsvg_svg_qsvgrenderer_render ./1.svg

INFO: Seed: 3360833592
./qtsvg_svg_qsvgrenderer_render: Running 1 inputs 1 time(s) each.
Running: ./1.svg
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==12881==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0xfffffffe01e5cbd0 (pc 0x00000086cd75 bp 0x7fffffff7bb0 sp 0x7fffffff7a30 T12881)
==12881==The signal is caused by a READ memory access.

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /src/qt/qtbase/src/gui/painting/qdrawhelper_p.h:601:13 in QRadialFetchSimd<QSimdSse2>::fetch(unsigned int*, unsigned int*, Operator const*, QSpanData const*, double, double, double, double, double)
==12881==ABORTING

I think the invalid sign extension at 0x86cd6d, which causes an integer overflow, is the root cause of this vulnerability.

[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0xffffffff
RCX: 0xffffffff
RDX: 0x1e5cea0 --> 0xffff0000ffff0000
RSI: 0xffffffff80000000 ^^^^^^^^^^^^^^^^^^
RDI: 0x7ff
RBP: 0x7fffffff7b50 --> 0x7fffffff7be0 --> 0x7fffffff7c00 --> 0x7fffffff7c40 --> 0x7fffffff7cc0 --> 0x7fffffffbe30 (--> ...)
RSP: 0x7fffffff79d0 --> 0x7ff000007ff
RIP: 0x86cd75 (<QRadialFetchSimd<QSimdSse2>::fetch(unsigned int*, unsigned int*, Operator const*, QSpanData const*, double, double, double, double, double)+725>: and ecx,DWORD PTR [rdx+rsi*4])
R8 : 0x0
R9 : 0x1
R10: 0x7fffffffc0a8 --> 0xbff0000000000000
R11: 0x1
R12: 0x7fffffff7ce0 --> 0x3fbeb85100000003
R13: 0x7fffffff9d78 --> 0x0
R14: 0x7fffffff9d7c --> 0x0
R15: 0x1e545c8 --> 0x1e4d310 --> 0xf6d8cb00
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x86cd64 <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int*, unsigned int*, Operator const*, QSpanData const*, double, double, double, double, double)+708>: or ecx,ebx
   0x86cd66 <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int*, unsigned int*, Operator const*, QSpanData const*, double, double, double, double, double)+710>: mov rdx,QWORD PTR [r15+0xe0]
   0x86cd6d <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int*, unsigned int*, Operator const*, QSpanData const*, double, double, double, double, double)+717>: movsxd rsi,DWORD PTR [rbp+rax*1-0xf0]
=> 0x86cd75 <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int*, unsigned int*, Operator const*, QSpanData const*, double, double, double, double, double)+725>: and ecx,DWORD PTR [rdx+rsi*4]
   0x86cd78 <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int*, unsigned int*, Operator const*, QSpanData const*, double, double, double, double, double)+728>: mov DWORD PTR [r13+rax*1+0x0],ecx
   0x86cd7d <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int*, unsigned int*, Operator const*, QSpanData const*, double, double, double, double, double)+733>: add rax,0x4
   0x86cd81 <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int*, unsigned int*, Operator const*, QSpanData const*, double, double, double, double, double)+737>: cmp rax,0x10
   0x86cd85 <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int*, unsigned int*, Operator const*, QSpanData const*, double, double, double, double, double)+741>: jne 0x86cd60 <QRadialFetchSimd<QSimdSse2>::fetch(unsigned int*, unsigned int*, Operator const*, QSpanData const*, double, double, double, double, double)+704>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff79d0 --> 0x7ff000007ff
0008| 0x7fffffff79d8 --> 0x7ff000007ff
0016| 0x7fffffff79e0 --> 0x7ff000007ff
0024| 0x7fffffff79e8 --> 0x7ff000007ff
0032| 0x7fffffff79f0 --> 0x3ff000003ff
0040| 0x7fffffff79f8 --> 0x3ff000003ff
0048| 0x7fffffff7a00 --> 0xffc00000ffc00000
0056| 0x7fffffff7a08 --> 0xffc00000ffc00000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x000000000086cd75 601 FETCH_RADIAL_LOOP(FETCH_RADIAL_LOOP_CLAMP_PAD)
gdb-peda$ x/gx 0x7fffffff7b50-0xf0
0x7fffffff7a60: 0x8000000080000000 ^^^^^^^^^^^^^^^^^^
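The arithmetic behind the faulting `and ecx,DWORD PTR [rdx+rsi*4]`, as an added illustration that is not Qt's code or the reporter's: the 32-bit index dword at rbp-0xf0 (0x80000000 in the dump) is sign-extended by `movsxd` into rsi, and scaling it by 4 and adding the table base in rdx lands far below the table. The table length and the bounds-check and clamp helpers are assumptions for the example, not Qt's actual guard.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed table length for the example; not the real Qt colour-table size. */
#define TABLE_ENTRIES 1024u

/* Emulates `movsxd rsi, DWORD PTR [...]`: a 32-bit value with its top bit set
 * becomes a large negative 64-bit index once sign-extended. */
int64_t sign_extend_index(uint32_t raw32) {
    return (int64_t)(int32_t)raw32;
}

/* Effective address of `DWORD PTR [rdx+rsi*4]`, computed modulo 2^64 exactly
 * as the CPU does it. */
uint64_t effective_address(uint64_t base, int64_t index) {
    return base + (uint64_t)index * 4u;
}

/* Guard a fetch loop should apply before indexing a table of `entries`
 * 32-bit values: reject negative and oversized indices. */
bool index_in_bounds(int64_t index, uint64_t entries) {
    return index >= 0 && (uint64_t)index < entries;
}

/* Hypothetical clamp: a negative index maps to entry 0, an oversized one to
 * the last entry, so the subsequent load can never leave the table. */
uint64_t clamp_index(int64_t index, uint64_t entries) {
    if (index < 0) return 0;
    if ((uint64_t)index >= entries) return entries - 1;
    return (uint64_t)index;
}

int main(void) {
    uint64_t rdx = 0x1e5cea0ULL;         /* table base, from the register dump */
    uint32_t dword = 0x80000000u;        /* low dword of 0x8000000080000000 at rbp-0xf0 */
    int64_t rsi = sign_extend_index(dword);
    printf("rsi = 0x%016llx\n", (unsigned long long)rsi);
    printf("EA  = 0x%016llx\n", (unsigned long long)effective_address(rdx, rsi));
    printf("in bounds: %s, clamped index: %llu\n",
           index_in_bounds(rsi, TABLE_ENTRIES) ? "yes" : "no",
           (unsigned long long)clamp_index(rsi, TABLE_ENTRIES));
    return 0;
}
```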
