authorAndreas Buhr <andreas.buhr@qt.io>2020-11-18 14:34:37 +0100
committerEdward Welbourne <edward.welbourne@qt.io>2023-05-15 14:02:42 +0200
commitae34a78b24a56b30b99976fb5cfc40e96596579b (patch)
tree49914418c155fb10d9fbc9a680942b786776b28e
parent13e8609fc957b9bdcc435a93e39aae4211fe4777 (diff)
Don't create a QTimeZonePrivate object for an unsupported time zone ID
The QTzTimeZoneCache created one cache entry for every time zone which was looked up, even if the code was invalid. This uses some memory for each time zone code queried and thus allows denial-of-service (DoS) attacks if user-supplied time zone codes are parsed. This patch prevents the creation of QTimeZonePrivate objects for invalid time zone IDs. Change-Id: I22007f6681bea54fa08639f4f786e1a49d10f920 Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
-rw-r--r--src/corelib/time/qtimezone.cpp9
1 files changed, 7 insertions, 2 deletions
diff --git a/src/corelib/time/qtimezone.cpp b/src/corelib/time/qtimezone.cpp
index f2a7eea0f8..44b6662b5b 100644
--- a/src/corelib/time/qtimezone.cpp
+++ b/src/corelib/time/qtimezone.cpp
@@ -466,8 +466,13 @@ QTimeZone::QTimeZone(const QByteArray &ianaId)
d = new QUtcTimeZonePrivate(ianaId);
// If not a CLDR UTC offset ID then try creating it with the system backend.
// Relies on backend not creating valid TZ with invalid name.
- if (!d->isValid())
- d = ianaId.isEmpty() ? newBackendTimeZone() : newBackendTimeZone(ianaId);
+ if (!d->isValid()) {
+ if (ianaId.isEmpty())
+ d = newBackendTimeZone();
+ else if (global_tz->backend->isTimeZoneIdAvailable(ianaId))
+ d = newBackendTimeZone(ianaId);
+ // else: No such ID, avoid creating a TZ cache entry for it.
+ }
// Can also handle UTC with arbitrary (valid) offset, but only do so as
// fall-back, since either of the above may handle it more informatively.
if (!d->isValid()) {
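Review bot: The availability check guards only this call site in `QTimeZone(const QByteArray &ianaId)`, while the commit message places the per-ID entries in QTzTimeZoneCache itself, so any other path that passes an unvalidated ID to `newBackendTimeZone(ianaId)` or to the cache would presumably still grow it. Those callers are outside this hunk and should be audited, or the check moved into the cache lookup so that the sink enforces it. The context comment `// Relies on backend not creating valid TZ with invalid name.` no longer describes the non-empty branch and could become `// Only ask the backend for IDs it reports as available; each ID it is asked to create may leave a cache entry.`. The diffstat lists only qtimezone.cpp, so no regression test accompanies the fix; one that constructs QTimeZone from many distinct invalid IDs and checks that each result is invalid would pin the behaviour. The constructor body starts before and continues past this hunk.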