author | hjk <hjk121@nokiamail.com> | 2014-09-15 13:28:58 +0200 |
---|---|---|
committer | hjk <hjk121@nokiamail.com> | 2014-09-16 13:04:59 +0200 |
commit | f14470fa0062a71b9eeac7f6904fbc5d92c133d2 (patch) | |
tree | c136eed20a05c27175807a030177f9cca0c8fec2 /src/corelib/io/qresource.cpp | |
parent | b4da15a5efbd0b30a90f83de164aaf7d70a2ffad (diff) |
Add some minimal size checking for dynamically loaded resources
This covers the case in the bug report, but not much more.
Task-number: QTBUG-21254
Change-Id: Ie191a39ceddd7e58a0d8baf7d01f2a08c70162e5
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
Diffstat (limited to 'src/corelib/io/qresource.cpp')
-rw-r--r-- | src/corelib/io/qresource.cpp | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/src/corelib/io/qresource.cpp b/src/corelib/io/qresource.cpp index bfd0eef64f..ac57818e21 100644 --- a/src/corelib/io/qresource.cpp +++ b/src/corelib/io/qresource.cpp @@ -884,7 +884,13 @@ public: virtual QString mappingRoot() const { return root; } virtual ResourceRootType type() const { return Resource_Buffer; } - bool registerSelf(const uchar *b) { + // size == -1 means "unknown" + bool registerSelf(const uchar *b, int size) + { + // 5 int "pointers" + if (size >= 0 && size < 20) + return false; + //setup the data now int offset = 0; @@ -911,6 +917,10 @@ public: (b[offset+2] << 8) + (b[offset+3] << 0); offset += 4; + // Some sanity checking for sizes. This is _not_ a security measure. + if (size >= 0 && (tree_offset >= size || data_offset >= size || name_offset >= size)) + return false; + if(version == 0x01) { buffer = b; setSource(b+tree_offset, b+name_offset, b+data_offset); @@ -1017,7 +1027,7 @@ public: } fromMM = false; } - if(data && QDynamicBufferResourceRoot::registerSelf(data)) { + if (data && QDynamicBufferResourceRoot::registerSelf(data, data_len)) { if(fromMM) { unmapPointer = data; unmapLength = data_len; @@ -1132,7 +1142,7 @@ QResource::registerResource(const uchar *rccData, const QString &resourceRoot) } QDynamicBufferResourceRoot *root = new QDynamicBufferResourceRoot(r); - if(root->registerSelf(rccData)) { + if (root->registerSelf(rccData, -1)) { root->ref.ref(); QMutexLocker lock(resourceMutex()); resourceList()->append(root); |
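Review bot: In the first hunk the guard `size >= 0 && size < 20` treats every negative size as "unknown", while the comment above registerSelf documents only -1, so a length that goes negative in an int conversion at a call site would silently skip this check and the offset check in the second hunk. The file-loading call in the third hunk passes `data_len`, whose declaration is outside the hunk; if it is unsigned or wider than int, that conversion is possible for very large files. I would state the contract in the comment, for example `// size < 0 means "unknown": no bounds checks are performed`, and have that caller reject lengths above INT_MAX before calling. The literal 20 is the header length that the comment describes as 5 ints, and a named constant would keep the number and its explanation together. registerSelf's body continues outside the hunk.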
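Review bot: The bounds test added in the second hunk compares each offset with `size` only from above, so an offset that decodes to a negative value passes it and `b+tree_offset` (or the name or data pointer) then refers to memory before the buffer. This assumes the three offsets are signed ints assembled byte by byte, as the visible `(b[offset+2] << 8) + (b[offset+3] << 0)` suggests; their declarations are outside the hunk. Adding the lower bound closes that case: `if (size >= 0 && (tree_offset < 0 || tree_offset >= size || data_offset < 0 || data_offset >= size || name_offset < 0 || name_offset >= size)) return false;`. The test still bounds only where each section starts, not how far later lookups read, so as the added comment says, resource files from untrusted sources remain unsafe to register.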
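Review bot: The buffer overload in the last hunk passes -1, so data registered through `QResource::registerResource(const uchar *rccData, ...)` gets neither of the new checks. The signature carries no length, so this cannot be fixed at this call, but it should be documented. I would add a sentence to the function's documentation such as `The caller must ensure that rccData points to a complete, trusted resource blob; its size cannot be verified.` The function's body starts and ends outside the hunk.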