Add some minimal size checking for dynamically loaded resources

This covers the case in the bug report, but not much more. Task-number: QTBUG-21254 Change-Id: Ie191a39ceddd7e58a0d8baf7d01f2a08c70162e5 Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
author: hjk <hjk121@nokiamail.com> 2014-09-15 13:28:58 +0200
committer: hjk <hjk121@nokiamail.com> 2014-09-16 13:04:59 +0200
commit: f14470fa0062a71b9eeac7f6904fbc5d92c133d2 (patch)
tree: c136eed20a05c27175807a030177f9cca0c8fec2 /src/corelib/io/qresource.cpp
parent: b4da15a5efbd0b30a90f83de164aaf7d70a2ffad (diff)
1 files changed, 13 insertions, 3 deletions
diff --git a/src/corelib/io/qresource.cpp b/src/corelib/io/qresource.cpp
index bfd0eef64f..ac57818e21 100644
--- a/src/corelib/io/qresource.cpp
+++ b/src/corelib/io/qresource.cpp
@@ -884,7 +884,13 @@ public:
     virtual QString mappingRoot() const { return root; }
     virtual ResourceRootType type() const { return Resource_Buffer; }
 
-    bool registerSelf(const uchar *b) {
+    // size == -1 means "unknown"
+    bool registerSelf(const uchar *b, int size)
+    {
+        // 5 int "pointers"
+        if (size >= 0 && size < 20)
+            return false;
+
         //setup the data now
         int offset = 0;
 
@@ -911,6 +917,10 @@ public:
                                 (b[offset+2] << 8) + (b[offset+3] << 0);
         offset += 4;
 
+        // Some sanity checking for sizes. This is _not_ a security measure.
+        if (size >= 0 && (tree_offset >= size || data_offset >= size || name_offset >= size))
+            return false;
+
         if(version == 0x01) {
             buffer = b;
             setSource(b+tree_offset, b+name_offset, b+data_offset);
@@ -1017,7 +1027,7 @@ public:
             }
             fromMM = false;
         }
-        if(data && QDynamicBufferResourceRoot::registerSelf(data)) {
+        if (data && QDynamicBufferResourceRoot::registerSelf(data, data_len)) {
             if(fromMM) {
                 unmapPointer = data;
                 unmapLength = data_len;
@@ -1132,7 +1142,7 @@ QResource::registerResource(const uchar *rccData, const QString &resourceRoot)
     }
 
     QDynamicBufferResourceRoot *root = new QDynamicBufferResourceRoot(r);
-    if(root->registerSelf(rccData)) {
+    if (root->registerSelf(rccData, -1)) {
         root->ref.ref();
         QMutexLocker lock(resourceMutex());
         resourceList()->append(root);
author	hjk <hjk121@nokiamail.com>	2014-09-15 13:28:58 +0200
committer	hjk <hjk121@nokiamail.com>	2014-09-16 13:04:59 +0200
commit	f14470fa0062a71b9eeac7f6904fbc5d92c133d2 (patch)
tree	c136eed20a05c27175807a030177f9cca0c8fec2 /src/corelib/io/qresource.cpp
parent	b4da15a5efbd0b30a90f83de164aaf7d70a2ffad (diff)