diff options
author | Mitch Curtis <mitch.curtis@qt.io> | 2020-03-20 11:18:17 +0100 |
---|---|---|
committer | Mitch Curtis <mitch.curtis@qt.io> | 2020-03-20 11:28:14 +0100 |
commit | 69a5be7ef0475ba748ffbe50017c73e44a23a051 (patch) | |
tree | d29043898dba33596e3eb2ee51645b3330a87a88 /src/network/ssl/qsslsocket_openssl_symbols.cpp | |
parent | 0359a82e6ef538316e550e7fa7c6dee8db72a225 (diff) | |
parent | fcbbe7ff21a263f7fafb189caff4b662d4da7eda (diff) |
Merge remote-tracking branch 'origin/5.14' into 5.15
Change-Id: Ib2a2e3a292af43be3a980c2ccc943c08f4bbf72f
Diffstat (limited to 'src/network/ssl/qsslsocket_openssl_symbols.cpp')
-rw-r--r-- | src/network/ssl/qsslsocket_openssl_symbols.cpp | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp index 84422e9c8f..6fe602a79e 100644 --- a/src/network/ssl/qsslsocket_openssl_symbols.cpp +++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp @@ -1187,6 +1187,9 @@ QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime) { size_t lTimeLength = aTime->length; char *pString = (char *) aTime->data; + auto isValidPointer = [pString, lTimeLength](const char *const probe){ + return size_t(probe - pString) < lTimeLength; + }; if (aTime->type == V_ASN1_UTCTIME) { @@ -1205,12 +1208,21 @@ QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime) *pBuffer++ = '0'; } else { *pBuffer++ = *pString++; + if (!isValidPointer(pString)) // Nah. + return {}; *pBuffer++ = *pString++; + if (!isValidPointer(pString)) // Nah. + return {}; // Skip any fractional seconds... if (*pString == '.') { pString++; - while ((*pString >= '0') && (*pString <= '9')) + if (!isValidPointer(pString)) // Oh no, cannot dereference (see below). + return {}; + while ((*pString >= '0') && (*pString <= '9')) { pString++; + if (!isValidPointer(pString)) // No and no. + return {}; + } } } @@ -1224,6 +1236,10 @@ QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime) if ((*pString != '+') && (*pString != '-')) return QDateTime(); + if (!isValidPointer(pString + 4)) { + // What kind of input parameters we were provided with? To hell with them! + return {}; + } lSecondsFromUCT = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; lSecondsFromUCT += (pString[3] - '0') * 10 + (pString[4] - '0'); lSecondsFromUCT *= 60; |