QAsn1Element: Read value in blocks to avoid oom at wrong length

Fixes oss-fuzz issue 22272.

Pick-to: 5.15
Change-Id: I8a49b9487f632469402c983e517e817e8e65bef7
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

src/network/ssl/qasn1element.cpp

@@ -120,12 +120,20 @@ bool QAsn1Element::read(QDataStream &stream)
 
     if (length > quint64(std::numeric_limits<int>::max()))
         return false;
-    // value
+
+    // read value in blocks to avoid being fooled by incorrect length
+    const int BUFFERSIZE = 4 * 1024;
     QByteArray tmpValue;
-    tmpValue.resize(length);
-    int count = stream.readRawData(tmpValue.data(), tmpValue.size());
-    if (count != int(length))
-        return false;
+    int remainingLength = length;
+    while (remainingLength) {
+        char readBuffer[BUFFERSIZE];
+        const int bytesToRead = qMin(remainingLength, BUFFERSIZE);
+        const int count = stream.readRawData(readBuffer, bytesToRead);
+        if (count != int(bytesToRead))
+            return false;
+        tmpValue.append(readBuffer, bytesToRead);
+        remainingLength -= bytesToRead;
+    }
 
     mType = tmpType;
     mValue.swap(tmpValue);