Wireshark-commits: [Wireshark-commits] master 6bc138c: Qt: fix heap use-after-free wrt. data source
From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Sun, 8 Mar 2015 21:56:46 +0000 (UTC)
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6bc138c87a32f7f707e40eaf006128936792bb0b
Submitter: Gerald Combs (gerald@xxxxxxxxxxxxx)
Changed: branch: master
Repository: wireshark

Commits:

6bc138c by Peter Wu (peter@xxxxxxxxxxxxx):

    Qt: fix heap use-after-free wrt. data sources
    
    When a different packet is changed, the packet scoped memory for tvbuff
    is freed before clearing data source tabs. This results in
    heap-use-after-free when resizeEvent is called as a result of clearing
    tabs for data sources.
    
    Avoid resize events by hiding the tabs.
    
    Caught with ASAN:
    
        ==18816==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060004cd970 at pc 0x7fffebf46618 bp 0x7fffffffbb10 sp 0x7fffffffbb00
        READ of size 4 at 0x6060004cd970 thread T0
            #0 0x7fffebf46617 in tvb_captured_length epan/tvbuff.c:423
            #1 0x773062 in ByteViewText::updateScrollbars() ui/qt/byte_view_text.cpp:489
            #2 0x76f307 in ByteViewText::resizeEvent(QResizeEvent*) ui/qt/byte_view_text.cpp:197
            ...
            #24 0x9f2348 in ByteViewText::~ByteViewText() ui/qt/byte_view_text.h:46
            #25 0x9f23f5 in ByteViewText::~ByteViewText() ui/qt/byte_view_text.h:46
            #26 0x76b9d6 in ByteViewTab::clear() ui/qt/byte_view_tab.cpp:54
            #27 0x5de685 in PacketList::selectionChanged(QItemSelection const&, QItemSelection const&) ui/qt/packet_list.cpp:477
            ...
    
        freed by thread T0 here:
            ...
            #5 0x53d763 in cf_select_packet file.c:3827
            #6 0x5ddfa5 in PacketList::selectionChanged(QItemSelection const&, QItemSelection const&) ui/qt/packet_list.cpp:454
            #7 0x7fffe58ec980 (/usr/lib/libQt5Widgets.so.5+0x3bc980)
            #8 0x7fffe4d55dd6 in QItemSelectionModel::selectionChanged(QItemSelection const&, QItemSelection const&) (/usr/lib/libQt5Core.so.5+0x23fdd6)
            ...
    
    Change-Id: I9c1c01398713389de58259d13ebbaddd2d6e5c52
    Reviewed-on: https://code.wireshark.org/review/7589
    Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
    Reviewed-by: Gerald Combs <gerald@xxxxxxxxxxxxx>
    

Actions performed:

    from  758ee3d   Qt: fix use of uninitialized variable
    adds  6bc138c   Qt: fix heap use-after-free wrt. data sources


Summary of changes:
 ui/qt/byte_view_tab.cpp |    2 ++
 1 file changed, 2 insertions(+)
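
The lifetime ordering the commit message describes, as an added example that is not Wireshark's code and not part of the original commit. It is a Qt-free C++ model: `PacketBuf`, `ByteView`, `TabModel` and `select_other_packet` are hypothetical names, freed memory is represented by a flag so the stale access can be counted safely, and the rule that only a visible container delivers resize events is a simplifying assumption.

```cpp
#include <vector>

// Stand-in for packet-scoped memory: "freeing" flips a flag instead of
// releasing storage, so a stale access can be counted without real UB.
struct PacketBuf { bool live = true; };

struct ByteView {
    PacketBuf *buf;       // borrowed pointer, not owned by the view
    int *stale_reads;     // counter owned by the tab container
    void resizeEvent() {  // models the scrollbar update reading the buffer
        if (!buf->live) ++*stale_reads;  // a sanitizer would report here
    }
};

class TabModel {
public:
    int stale_reads = 0;
    bool visible = true;
    void add(PacketBuf *b) { views.push_back(ByteView{b, &stale_reads}); }
    // Removing a tab re-lays out the remaining ones. In this model only a
    // visible container delivers resize events (assumed behaviour).
    void clear(bool hide_first) {
        if (hide_first) visible = false;
        while (!views.empty()) {
            views.pop_back();
            if (visible)
                for (auto &v : views) v.resizeEvent();
        }
        visible = true;  // the model restores visibility afterwards (assumed)
    }
private:
    std::vector<ByteView> views;
};

// Same ordering as in the commit message: packet memory is released
// first, the data source tabs are cleared afterwards.
int select_other_packet(bool hide_first) {
    PacketBuf a, b;
    TabModel tabs;
    tabs.add(&a);
    tabs.add(&b);
    a.live = b.live = false;  // packet scope freed before the tabs go away
    tabs.clear(hide_first);
    return tabs.stale_reads;
}
```

`select_other_packet(false)` counts one read of released memory during the clear; `select_other_packet(true)` counts none because no resize event is delivered while the container is hidden.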