QAsn1Element: Read value in blocks to avoid oom at wrong length

Fixes oss-fuzz issue 22272.

Pick-to: 5.15
Change-Id: I8a49b9487f632469402c983e517e817e8e65bef7
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Robert Loehning 2020-11-05 13:52:39 +01:00
parent 7b1bbdb10c
commit ad9ca01853


@ -120,12 +120,20 @@ bool QAsn1Element::read(QDataStream &stream)
if (length > quint64(std::numeric_limits<int>::max()))
return false;
// value
// read value in blocks to avoid being fooled by incorrect length
const int BUFFERSIZE = 4 * 1024;
QByteArray tmpValue;
tmpValue.resize(length);
int count = stream.readRawData(tmpValue.data(), tmpValue.size());
if (count != int(length))
int remainingLength = length;
while (remainingLength) {
char readBuffer[BUFFERSIZE];
const int bytesToRead = qMin(remainingLength, BUFFERSIZE);
const int count = stream.readRawData(readBuffer, bytesToRead);
if (count != int(bytesToRead))
return false;
tmpValue.append(readBuffer, bytesToRead);
remainingLength -= bytesToRead;
}
mType = tmpType;
mValue.swap(tmpValue);
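Review bot: `int remainingLength = length;` silently narrows a quint64 to int and is only safe because of the `std::numeric_limits<int>::max()` guard at the top of the hunk; writing `int remainingLength = int(length);` would make that dependence explicit. The cast in `if (count != int(bytesToRead))` can be dropped, since both operands are already int. The block-wise loop ties allocation to the bytes the stream actually delivers, but the ceiling is still INT_MAX, so a source that really supplies that much data still grows `tmpValue` to roughly 2 GiB. Whether a smaller per-element cap is appropriate depends on callers that are not visible here. The body of QAsn1Element::read() starts before this hunk, so the way `length` is decoded could not be checked.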