| author | Thiago Macieira <thiago.macieira@intel.com> | 2018-07-02 22:38:57 -0700 |
|---|---|---|
| committer | Simon Hausmann <simon.hausmann@qt.io> | 2018-07-19 07:27:02 +0000 |
| commit | 8a5267e4d96438aa74672ca1bf25d187c6c45bd2 | |
| tree | abb5b76025fac8489a68fae3d61708ba3c3ef930 /src/corelib/plugin/qfactoryloader.cpp | |
| parent | 3c2ffd7457688bd8ae9d5fca688843e2029504b2 | |
Plugins: fix crash if the binary JSON data contains invalid size
Eight bytes into the Binary JSON header there's a 32-bit little-endian
size, which qJsonFromRawLibraryMetaData uses to determine the size of
the stored metadata. That value is passed as a size to QByteArray, which
means certain values could cause crashes due to being too big or via
sign-extension in 64-bit.
[ChangeLog][QtCore][QPluginLoader] Fixed an issue that could cause a
crash when certain damaged or corrupt plugin files were scanned.
Change-Id: I117816bf0f5e469b8d34fffd153dc5425cec39a7
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
Diffstat (limited to 'src/corelib/plugin/qfactoryloader.cpp')
-rw-r--r-- | src/corelib/plugin/qfactoryloader.cpp | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/src/corelib/plugin/qfactoryloader.cpp b/src/corelib/plugin/qfactoryloader.cpp index a4be18a67f..dc1424fd0c 100644 --- a/src/corelib/plugin/qfactoryloader.cpp +++ b/src/corelib/plugin/qfactoryloader.cpp @@ -1,6 +1,7 @@ /**************************************************************************** ** ** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2018 Intel Corporation. ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtCore module of the Qt Toolkit. @@ -58,6 +59,29 @@ QT_BEGIN_NAMESPACE +static inline int metaDataSignatureLength() +{ + return sizeof("QTMETADATA ") - 1; +} + +QJsonDocument qJsonFromRawLibraryMetaData(const char *raw, qsizetype sectionSize) +{ + raw += metaDataSignatureLength(); + sectionSize -= metaDataSignatureLength(); + + // the size of the embedded JSON object can be found 8 bytes into the data (see qjson_p.h) + uint size = qFromLittleEndian<uint>(raw + 8); + // but the maximum size of binary JSON is 128 MB + size = qMin(size, 128U * 1024 * 1024); + // and it doesn't include the size of the header (8 bytes) + size += 8; + // finally, it can't be bigger than the file or section size + size = qMin(sectionSize, qsizetype(size)); + + QByteArray json(raw, size); + return QJsonDocument::fromBinaryData(json); +} + class QFactoryLoaderPrivate : public QObjectPrivate { Q_DECLARE_PUBLIC(QFactoryLoader) |
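Review bot: in the second hunk, qJsonFromRawLibraryMetaData reads the 32-bit size at `raw + 8` without first checking that the section is long enough to contain it; after `sectionSize -= metaDataSignatureLength();` there is no lower bound, so a section shorter than 12 bytes past the signature makes `uint size = qFromLittleEndian<uint>(raw + 8);` read beyond the buffer, and a section shorter than the signature itself leaves `sectionSize` negative, which then survives `size = qMin(sectionSize, qsizetype(size));` and reaches `QByteArray json(raw, size);` as a negative length after the qsizetype-to-uint-to-int narrowing. Suggest returning an empty QJsonDocument right after the subtraction when `sectionSize < 12` (8-byte header plus the 4-byte size field); with sectionSize known non-negative, the existing 128 MB clamp keeps `size` within int range and the narrowing in the QByteArray constructor becomes safe, which is worth a comment at that line.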