QXmlStreamReader: make fastScanName() indicate parsing status to callers

This fixes a crash while parsing an XML file with garbage data, the file
starts with '<' then garbage data:
- The loop in the parse() keeps iterating until it hits "case 262:",
  which calls fastScanName()
- fastScanName() iterates over the text buffer scanning for the
  attribute name (e.g. "xml:lang"), until it finds ':'
- Consider a Value val, fastScanName() is called on it, it would set
  val.prefix to a number > val.len, then it would hit the 4096 condition
  and return (returned 0, now it returns the equivalent of
  std::null_opt), which means that val.len doesn't get modified, making
  it smaller than val.prefix
- The code would try constructing an XmlStringRef with negative length,
  which would hit an assert in one of QStringView's constructors

Add an assert to the XmlStringRef constructor.

Add unittest based on the file from the bug report.

Later on I will replace FastScanNameResult with std::optional<qsizetype>
(std::optional is C++17, which isn't required by Qt 5.15, and we want to
backport this fix).

Credit to OSS-Fuzz.

Fixes: QTBUG-109781
Fixes: QTBUG-114829
Change-Id: I455a5eeb47870c2ac9ffd0cbcdcd99c1ae2dd374
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit 6326bec46a)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
This commit is contained in:
Ahmad Samir 2023-06-22 15:56:07 +03:00 committed by Qt Cherry-pick Bot
parent 47c6473680
commit a13f78144a
5 changed files with 88 additions and 12 deletions

View File

@ -1296,7 +1296,9 @@ inline qsizetype QXmlStreamReaderPrivate::fastScanContentCharList()
return n; return n;
} }
inline qsizetype QXmlStreamReaderPrivate::fastScanName(Value *val) // Fast scan an XML attribute name (e.g. "xml:lang").
inline QXmlStreamReaderPrivate::FastScanNameResult
QXmlStreamReaderPrivate::fastScanName(Value *val)
{ {
qsizetype n = 0; qsizetype n = 0;
uint c; uint c;
@ -1304,7 +1306,8 @@ inline qsizetype QXmlStreamReaderPrivate::fastScanName(Value *val)
if (n >= 4096) { if (n >= 4096) {
// This is too long to be a sensible name, and // This is too long to be a sensible name, and
// can exhaust memory, or the range of decltype(*prefix) // can exhaust memory, or the range of decltype(*prefix)
return 0; raiseNamePrefixTooLongError();
return {};
} }
switch (c) { switch (c) {
case '\n': case '\n':
@ -1338,18 +1341,18 @@ inline qsizetype QXmlStreamReaderPrivate::fastScanName(Value *val)
putChar(':'); putChar(':');
--n; --n;
} }
return n; return FastScanNameResult(n);
case ':': case ':':
if (val) { if (val) {
if (val->prefix == 0) { if (val->prefix == 0) {
val->prefix = qint16(n + 2); val->prefix = qint16(n + 2);
} else { // only one colon allowed according to the namespace spec. } else { // only one colon allowed according to the namespace spec.
putChar(c); putChar(c);
return n; return FastScanNameResult(n);
} }
} else { } else {
putChar(c); putChar(c);
return n; return FastScanNameResult(n);
} }
Q_FALLTHROUGH(); Q_FALLTHROUGH();
default: default:
@ -1363,7 +1366,7 @@ inline qsizetype QXmlStreamReaderPrivate::fastScanName(Value *val)
qsizetype pos = textBuffer.size() - n; qsizetype pos = textBuffer.size() - n;
putString(textBuffer, pos); putString(textBuffer, pos);
textBuffer.resize(pos); textBuffer.resize(pos);
return 0; return FastScanNameResult(0);
} }
enum NameChar { NameBeginning, NameNotBeginning, NotName }; enum NameChar { NameBeginning, NameNotBeginning, NotName };
@ -1841,6 +1844,14 @@ void QXmlStreamReaderPrivate::raiseWellFormedError(const QString &message)
raiseError(QXmlStreamReader::NotWellFormedError, message); raiseError(QXmlStreamReader::NotWellFormedError, message);
} }
void QXmlStreamReaderPrivate::raiseNamePrefixTooLongError()
{
// TODO: add a ImplementationLimitsExceededError and use it instead
raiseError(QXmlStreamReader::NotWellFormedError,
QXmlStream::tr("Length of XML attribute name exceeds implemnetation limits (4KiB "
"characters)."));
}
void QXmlStreamReaderPrivate::parseError() void QXmlStreamReaderPrivate::parseError()
{ {

View File

@ -1420,7 +1420,11 @@ qname ::= LETTER;
/. /.
case $rule_number: { case $rule_number: {
Value &val = sym(1); Value &val = sym(1);
val.len += fastScanName(&val); if (auto res = fastScanName(&val))
val.len += *res;
else
return false;
if (atEnd) { if (atEnd) {
resume($rule_number); resume($rule_number);
return false; return false;
@ -1431,7 +1435,11 @@ qname ::= LETTER;
name ::= LETTER; name ::= LETTER;
/. /.
case $rule_number: case $rule_number:
sym(1).len += fastScanName(); if (auto res = fastScanName())
sym(1).len += *res;
else
return false;
if (atEnd) { if (atEnd) {
resume($rule_number); resume($rule_number);
return false; return false;

View File

@ -38,7 +38,7 @@ public:
constexpr XmlStringRef() = default; constexpr XmlStringRef() = default;
constexpr inline XmlStringRef(const QString *string, qsizetype pos, qsizetype length) constexpr inline XmlStringRef(const QString *string, qsizetype pos, qsizetype length)
: m_string(string), m_pos(pos), m_size(length) : m_string(string), m_pos(pos), m_size((Q_ASSERT(length >= 0), length))
{ {
} }
XmlStringRef(const QString *string) XmlStringRef(const QString *string)
@ -498,7 +498,16 @@ public:
qsizetype fastScanLiteralContent(); qsizetype fastScanLiteralContent();
qsizetype fastScanSpace(); qsizetype fastScanSpace();
qsizetype fastScanContentCharList(); qsizetype fastScanContentCharList();
qsizetype fastScanName(Value *val = nullptr);
struct FastScanNameResult {
FastScanNameResult() : ok(false) {}
explicit FastScanNameResult(qsizetype len) : addToLen(len), ok(true) { }
operator bool() { return ok; }
qsizetype operator*() { Q_ASSERT(ok); return addToLen; }
qsizetype addToLen;
bool ok;
};
FastScanNameResult fastScanName(Value *val = nullptr);
inline qsizetype fastScanNMTOKEN(); inline qsizetype fastScanNMTOKEN();
@ -507,6 +516,7 @@ public:
void raiseError(QXmlStreamReader::Error error, const QString& message = QString()); void raiseError(QXmlStreamReader::Error error, const QString& message = QString());
void raiseWellFormedError(const QString &message); void raiseWellFormedError(const QString &message);
void raiseNamePrefixTooLongError();
QXmlStreamEntityResolver *entityResolver; QXmlStreamEntityResolver *entityResolver;

View File

@ -948,7 +948,11 @@ bool QXmlStreamReaderPrivate::parse()
case 262: { case 262: {
Value &val = sym(1); Value &val = sym(1);
val.len += fastScanName(&val); if (auto res = fastScanName(&val))
val.len += *res;
else
return false;
if (atEnd) { if (atEnd) {
resume(262); resume(262);
return false; return false;
@ -956,7 +960,11 @@ bool QXmlStreamReaderPrivate::parse()
} break; } break;
case 263: case 263:
sym(1).len += fastScanName(); if (auto res = fastScanName())
sym(1).len += *res;
else
return false;
if (atEnd) { if (atEnd) {
resume(263); resume(263);
return false; return false;

View File

@ -586,6 +586,8 @@ private slots:
void readBack() const; void readBack() const;
void roundTrip() const; void roundTrip() const;
void roundTrip_data() const; void roundTrip_data() const;
void test_fastScanName_data() const;
void test_fastScanName() const;
void entityExpansionLimit() const; void entityExpansionLimit() const;
@ -1828,5 +1830,42 @@ void tst_QXmlStream::roundTrip() const
QCOMPARE(out, in); QCOMPARE(out, in);
} }
void tst_QXmlStream::test_fastScanName_data() const
{
QTest::addColumn<QByteArray>("data");
QTest::addColumn<QXmlStreamReader::Error>("errorType");
// 4096 is the limit in QXmlStreamReaderPrivate::fastScanName()
QByteArray arr = "<a"_ba + ":" + QByteArray("b").repeated(4096 - 1);
QTest::newRow("data1") << arr << QXmlStreamReader::PrematureEndOfDocumentError;
arr = "<a"_ba + ":" + QByteArray("b").repeated(4096);
QTest::newRow("data2") << arr << QXmlStreamReader::NotWellFormedError;
arr = "<"_ba + QByteArray("a").repeated(4000) + ":" + QByteArray("b").repeated(96);
QTest::newRow("data3") << arr << QXmlStreamReader::PrematureEndOfDocumentError;
arr = "<"_ba + QByteArray("a").repeated(4000) + ":" + QByteArray("b").repeated(96 + 1);
QTest::newRow("data4") << arr << QXmlStreamReader::NotWellFormedError;
arr = "<"_ba + QByteArray("a").repeated(4000 + 1) + ":" + QByteArray("b").repeated(96);
QTest::newRow("data5") << arr << QXmlStreamReader::NotWellFormedError;
}
void tst_QXmlStream::test_fastScanName() const
{
QFETCH(QByteArray, data);
QFETCH(QXmlStreamReader::Error, errorType);
QXmlStreamReader reader(data);
QXmlStreamReader::TokenType tokenType;
while (!reader.atEnd())
tokenType = reader.readNext();
QCOMPARE(tokenType, QXmlStreamReader::Invalid);
QCOMPARE(reader.error(), errorType);
}
#include "tst_qxmlstream.moc" #include "tst_qxmlstream.moc"
// vim: et:ts=4:sw=4:sts=4 // vim: et:ts=4:sw=4:sts=4