heap buffer overflow in PropertiesWidget::displayFilesListMenu #1710

Closed
opened 2026-02-21 15:48:43 -05:00 by deekerman · 5 comments
Originally created by @sorokin on GitHub (Sep 29, 2014).

I compiled qbittorrent with AddressSanitizer enabled. http://code.google.com/p/address-sanitizer/

qbittorrent crashes when I select a torrent with a few files and then right-click on empty space in the file list.

ivan@liberty:~/d/qbittorrent$ src/qbittorrent

==12425== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600600dfb7a8 at pc 0x69097b bp 0x7fffa4273560 sp 0x7fffa4273558
READ of size 8 at 0x600600dfb7a8 thread T0
#0 0x69097a in QList<QModelIndex>::Node::t() /usr/include/qt4/QtCore/qlist.h:114
#1 0x69097a in QList<QModelIndex>::iterator::operator*() const /usr/include/qt4/QtCore/qlist.h:193
#2 0x69097a in PropertiesWidget::displayFilesListMenu(QPoint const&) /home/ivan/d/qbittorrent/src/properties/propertieswidget.cpp:495
#3 0x7ff55e49d879 (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x191879)
#4 0x7ff55ed44a61 (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x20ba61)
#5 0x7ff55ed528e6 (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x2198e6)
#6 0x7ff55f0f3fcd (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x5bafcd)
#7 0x7ff55f2035b2 (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x6ca5b2)
#8 0x7ff55f24218f (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x70918f)
#9 0x7ff55e489645 (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x17d645)
#10 0x7ff55ed02e0b (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x1c9e0b)
#11 0x7ff55ed0a1f7 (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x1d11f7)
#12 0x823321 in SessionApplication::notify(QObject*, QEvent*) /home/ivan/d/qbittorrent/src/sessionapplication.cpp:44
#13 0x7ff55e4894dc (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x17d4dc)
#14 0x7ff55ed7da1f (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x244a1f)
#15 0x7ff55ed7d268 (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x244268)
#16 0x7ff55eda4b01 (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x26bb01)
#17 0x7ff55cbc9e03 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x48e03)
#18 0x7ff55cbca047 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49047)
#19 0x7ff55cbca0eb (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x490eb)
#20 0x7ff55e4b67a0 (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x1aa7a0)
#21 0x7ff55eda4bb5 (/usr/lib/x86_64-linux-gnu/libQtGui.so.4+0x26bbb5)
#22 0x7ff55e4880ae (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x17c0ae)
#23 0x7ff55e4883a4 (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x17c3a4)
#24 0x7ff55e48db78 (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x181b78)
#25 0x512c06 in main /home/ivan/d/qbittorrent/src/main.cpp:394
#26 0x7ff55d747ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#27 0x517994 in _start (/home/ivan/d/qbittorrent/src/qbittorrent+0x517994)
0x600600dfb7a8 is located 0 bytes to the right of 24-byte region [0x600600dfb790,0x600600dfb7a8)
allocated by thread T0 here:
#0 0x7ff56093441a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
#1 0x7ff55e3a42d0 (/usr/lib/x86_64-linux-gnu/libQtCore.so.4+0x982d0)
SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/include/qt4/QtCore/qabstractitemmodel.h:65 QModelIndex
Shadow bytes around the buggy address:
0x0c01401b76a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c01401b76b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c01401b76c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c01401b76d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c01401b76e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c01401b76f0: fa fa 00 00 00[fa]fa fa 00 00 00 00 fa fa fd fd
0x0c01401b7700: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
0x0c01401b7710: 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd fd fd
0x0c01401b7720: fa fa 00 00 00 00 fa fa fd fd fd fd fa fa fd fd
0x0c01401b7730: fd fd fa fa 00 00 00 fa fa fa fd fd fd fd fa fa
0x0c01401b7740: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==12425== ABORTING


@sorokin commented on GitHub (Sep 29, 2014):

I found an error:

const QModelIndex index = *(selectedRows.begin()); // empty check is required!
if (!index.isValid())
    return;

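The guard this comment asks for, as an added example that is not qBittorrent's own code: std::vector and a minimal ModelIndex (assumed names) stand in for QList and QModelIndex, so the block builds without Qt. It shows why the isValid() test alone cannot stop the out-of-bounds read and what checking emptiness first changes.

```cpp
// Added example, not code from the qBittorrent repository.
// std::vector<ModelIndex> models QList<QModelIndex>; ModelIndex models QModelIndex.
#include <vector>

struct ModelIndex {
    int row;
    explicit ModelIndex(int r = -1) : row(r) {}   // -1 mirrors an invalid QModelIndex
    bool isValid() const { return row >= 0; }
};

// Buggy shape (the one at propertieswidget.cpp:495): begin() is dereferenced
// before the list is known to be non-empty. On an empty selection this reads
// one element past the end, which is the 8-byte heap-buffer-overflow ASan
// reported; the isValid() check runs only after that read and cannot prevent it.
// Returns the first selected row, or -1 when the index is invalid.
int buggy_first_row(const std::vector<ModelIndex>& selectedRows) {
    const ModelIndex index = *(selectedRows.begin()); // out-of-bounds read when empty
    if (!index.isValid())
        return -1;
    return index.row;
}

// Hardened shape: test for an empty selection first, then for validity.
// A right-click on empty space yields an empty selection and no menu (-1).
int safe_first_row(const std::vector<ModelIndex>& selectedRows) {
    if (selectedRows.empty())
        return -1;                       // nothing selected: show no file menu
    const ModelIndex index = selectedRows.front();
    if (!index.isValid())
        return -1;
    return index.row;
}
```

Under ASan the buggy version aborts on an empty vector exactly as in the report above; the test only exercises it with a non-empty selection.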

@sledgehammer999 commented on GitHub (Sep 29, 2014):

I thought that I had recently disabled showing popup menus when nothing was selected...
I assume you use latest git master, right?


@sorokin commented on GitHub (Sep 30, 2014):

Yes, I use the latest git master. Look at src/properties/propertieswidget.cpp:495. The problem is not when no torrent is selected, but when a torrent is selected and I right-click on empty space.


@sorokin commented on GitHub (Oct 1, 2014):

As the pull request is merged, I think this could be closed.


@sledgehammer999 commented on GitHub (Oct 1, 2014):

(you can close issues that you have opened too)
