
Fix OOB read in LegacyCodec::decodeFileNameUTF8() if not zero-terminated

Alex Richardson requested to merge arichardson/kio:legacy-codec-strlen into master

QByteArray::data() is not necessarily zero-terminated (this can happen here since LegacyCodec::convertToUnicode() uses QByteArray::fromRawData()) and in that case we can read beyond the end of the QByteArray.

I found this by running the KIO unit tests when compiled for CHERI-RISC-V. CHERI-enabled architectures such as Arm's Morello use capabilities with permissions and fine-grained bounds instead of integer pointers, so this was found with a bounds violation error inside strlen(). While there was indeed a valid zero byte after the end of the string in memory, this zero byte was not included in the bounds of the QByteArray::data() pointer, so trying to load it inside strlen() crashed. This error cannot be detected with ASan or MTE since the zero byte was part of the same memory allocation as the rest of the string.

Edited by Alex Richardson
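An added illustration of the bug class described above, not code from the merge request or from KIO: `RawBytes` is a hypothetical stand-in for a QByteArray built with `fromRawData()`, and the two decoders contrast a strlen()-derived length with one that respects the view's own size.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// Hypothetical stand-in for a QByteArray created with QByteArray::fromRawData():
// it refers to a caller-owned buffer of exactly `size` bytes and adds no
// terminating zero of its own.
struct RawBytes {
    const char *data;
    std::size_t size;
};

// Pattern the merge request fixes: strlen() assumes a zero byte right after
// the last valid byte. For a raw-data view that byte may lie outside the
// view's bounds (an out-of-bounds read, which CHERI traps on) or may simply
// not be zero, so the decoder consumes whatever follows in memory.
std::string decodeFileNameUnsafe(const RawBytes &name) {
    return std::string(name.data, std::strlen(name.data));
}

// Hardened form: the view already carries its length, so use it and never
// touch name.data[name.size] or beyond. The copy is byte-wise because the
// point here is the bounds, not the UTF-8 handling itself.
std::string decodeFileNameSafe(const RawBytes &name) {
    std::string out;
    out.reserve(name.size);
    for (std::size_t i = 0; i < name.size; ++i) {
        out.push_back(name.data[i]);
    }
    return out;
}

// Constructed input: "photo.jpg" immediately followed by unrelated bytes and
// no zero in between, as when a raw-data view covers only the first part of
// a larger buffer. The literal's own terminator keeps this demo free of UB.
static const char kBuffer[] = "photo.jpgGARBAGE";

RawBytes constructedFileName() {
    return RawBytes{kBuffer, 9};  // exactly the bytes of "photo.jpg"
}

int main() {
    RawBytes name = constructedFileName();
    std::cout << "strlen-based: " << decodeFileNameUnsafe(name) << '\n';
    std::cout << "size-based:   " << decodeFileNameSafe(name) << '\n';
    return 0;
}
```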
