QAsn1Element: Read value in blocks to avoid oom at wrong length
Fixes oss-fuzz issue 22272. Pick-to: 5.15 Change-Id: I8a49b9487f632469402c983e517e817e8e65bef7 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
This commit is contained in:
parent
7b1bbdb10c
commit
ad9ca01853
@ -120,12 +120,20 @@ bool QAsn1Element::read(QDataStream &stream)
|
||||
|
||||
if (length > quint64(std::numeric_limits<int>::max()))
|
||||
return false;
|
||||
// value
|
||||
|
||||
// read value in blocks to avoid being fooled by incorrect length
|
||||
const int BUFFERSIZE = 4 * 1024;
|
||||
QByteArray tmpValue;
|
||||
tmpValue.resize(length);
|
||||
int count = stream.readRawData(tmpValue.data(), tmpValue.size());
|
||||
if (count != int(length))
|
||||
int remainingLength = length;
|
||||
while (remainingLength) {
|
||||
char readBuffer[BUFFERSIZE];
|
||||
const int bytesToRead = qMin(remainingLength, BUFFERSIZE);
|
||||
const int count = stream.readRawData(readBuffer, bytesToRead);
|
||||
if (count != int(bytesToRead))
|
||||
return false;
|
||||
tmpValue.append(readBuffer, bytesToRead);
|
||||
remainingLength -= bytesToRead;
|
||||
}
|
||||
|
||||
mType = tmpType;
|
||||
mValue.swap(tmpValue);
|
||||
|
Loading…
Reference in New Issue
Block a user