From ad9ca01853e90bdbe45f7ac2e8edd75cd0862801 Mon Sep 17 00:00:00 2001 From: Robert Loehning Date: Thu, 5 Nov 2020 13:52:39 +0100 Subject: [PATCH] QAsn1Element: Read value in blocks to avoid oom at wrong length Fixes oss-fuzz issue 22272. Pick-to: 5.15 Change-Id: I8a49b9487f632469402c983e517e817e8e65bef7 Reviewed-by: Allan Sandfeld Jensen --- src/network/ssl/qasn1element.cpp | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/src/network/ssl/qasn1element.cpp b/src/network/ssl/qasn1element.cpp index 65a0e08961..13fc095e12 100644 --- a/src/network/ssl/qasn1element.cpp +++ b/src/network/ssl/qasn1element.cpp @@ -120,12 +120,20 @@ bool QAsn1Element::read(QDataStream &stream) if (length > quint64(std::numeric_limits::max())) return false; - // value + + // read value in blocks to avoid being fooled by incorrect length + const int BUFFERSIZE = 4 * 1024; QByteArray tmpValue; - tmpValue.resize(length); - int count = stream.readRawData(tmpValue.data(), tmpValue.size()); - if (count != int(length)) - return false; + int remainingLength = length; + while (remainingLength) { + char readBuffer[BUFFERSIZE]; + const int bytesToRead = qMin(remainingLength, BUFFERSIZE); + const int count = stream.readRawData(readBuffer, bytesToRead); + if (count != int(bytesToRead)) + return false; + tmpValue.append(readBuffer, bytesToRead); + remainingLength -= bytesToRead; + } mType = tmpType; mValue.swap(tmpValue);