AuroraMiddleware/qt5base-lts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

QAsn1Element: Read value in blocks to avoid oom at wrong length

Browse Source 
Fixes oss-fuzz issue 22272.

Pick-to: 5.15
Change-Id: I8a49b9487f632469402c983e517e817e8e65bef7
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
This commit is contained in:
Robert Loehning 2020-11-05 13:52:39 +01:00
parent 7b1bbdb10c
commit ad9ca01853
1 changed files with 13 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/network/ssl/qasn1element.cpp
View File

@ -120,12 +120,20 @@ bool QAsn1Element::read(QDataStream &stream)
if (length > quint64(std::numeric_limits<int>::max())) if (length > quint64(std::numeric_limits<int>::max()))
return false; return false;
// value
// read value in blocks to avoid being fooled by incorrect length
const int BUFFERSIZE = 4 * 1024;
QByteArray tmpValue; QByteArray tmpValue;
tmpValue.resize(length); int remainingLength = length;
int count = stream.readRawData(tmpValue.data(), tmpValue.size()); while (remainingLength) {
if (count != int(length)) char readBuffer[BUFFERSIZE];
return false; const int bytesToRead = qMin(remainingLength, BUFFERSIZE);
const int count = stream.readRawData(readBuffer, bytesToRead);
if (count != int(bytesToRead))
return false;
tmpValue.append(readBuffer, bytesToRead);
remainingLength -= bytesToRead;
}
mType = tmpType; mType = tmpType;
mValue.swap(tmpValue); mValue.swap(tmpValue);