author | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2017-11-28 11:44:11 +0100 |
---|---|---|
committer | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2017-12-01 15:05:41 +0000 |
commit | 306c32f50e289c401e4636976c97dc2b40fdd69b (patch) | |
tree | 8776008a1493536c06313de16c125b3d568f3029 /src/corelib/animation | |
parent | fbda8acc922217745bb3e7754d1cd450a0e0165a (diff) |
Fix out of bounds reads in qdnslookup_unix
When the response from res_nquery is too big for the buffer used to receive it
(of size PACKETSZ, a mere 512 bytes), the returned responseLength is the
size of the data that would have been delivered, had there been enough space.
Trying to process all of the data, including what wasn't delivered, leads to
reading past the end of the buffer, which either causes a crash or leads to
rubbish (from the stack) in the resulting QDnsRecords. Easy to reproduce
using many long TXT records.
Replace the array with a QVarLengthArray; when the response is big, resize()
and retry, so as to actually get all of the data, so that we can process
it all. A follow-up patch will fix the case when even the second call/resize
buffer is not enough and we have to use TCP.
Task-number: QTBUG-64742
Change-Id: I173beb531e11a3828fd9c97f437afc192766035e
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Diffstat (limited to 'src/corelib/animation')
0 files changed, 0 insertions, 0 deletions
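The resize-and-retry pattern the commit message describes, as an added example that is not code from this commit or from Qt. `fake_query`, `query_bounded`, `delivered_for` and `INITIAL_SIZE` are hypothetical names; `fake_query` stands in for the resolver call and only mimics the length semantics stated in the message, and the final clamp is an assumption covering the case the message leaves to a follow-up patch.

```c
#include <stdlib.h>
#include <string.h>

#define INITIAL_SIZE 512 /* assumed: the PACKETSZ figure from the commit message */

/* Hypothetical stand-in for the resolver call: copies at most buflen bytes
 * but returns the full answer size, the behaviour the commit message describes. */
struct answer { const unsigned char *data; int len; };

int fake_query(const struct answer *a, unsigned char *buf, int buflen)
{
    int n = a->len < buflen ? a->len : buflen;
    memcpy(buf, a->data, (size_t)n);
    return a->len;
}

/* Query with one resize-and-retry. On success returns a malloc'd buffer and
 * stores in *valid how many bytes of it were really written. */
unsigned char *query_bounded(const struct answer *a, int *valid)
{
    int cap = INITIAL_SIZE;
    unsigned char *buf = malloc((size_t)cap);
    if (!buf) return NULL;
    int len = fake_query(a, buf, cap);
    if (len > cap) {                    /* truncated: grow to the reported size */
        unsigned char *bigger = realloc(buf, (size_t)len);
        if (!bigger) { free(buf); return NULL; }
        buf = bigger; cap = len;
        len = fake_query(a, buf, cap);  /* retry with the larger buffer */
    }
    if (len < 0) { free(buf); return NULL; }
    *valid = len < cap ? len : cap;     /* never trust a length above capacity */
    return buf;
}

/* Constructed sample: an answer of answer_len bytes; returns the number of
 * bytes delivered, or -1 if the buffer contents do not match the answer. */
int delivered_for(int answer_len)
{
    unsigned char *src = malloc((size_t)answer_len);
    int valid = -1;
    if (!src) return -1;
    for (int i = 0; i < answer_len; i++) src[i] = (unsigned char)(i * 7);
    struct answer a = { src, answer_len };
    unsigned char *buf = query_bounded(&a, &valid);
    if (!buf || memcmp(buf, src, (size_t)valid) != 0) valid = -1;
    free(buf);
    free(src);
    return valid;
}
```

Any parser that walks the result should use `*valid` as its bound rather than the length the query call returned.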