diff options
| author | Robert Loehning <robert.loehning@qt.io> | 2020-11-05 13:52:39 +0100 |
|---|---|---|
| committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2020-11-11 09:58:36 +0000 |
| commit | ce87b6cac7b97989f83a9c6e095cdf8efa42228d (patch) | |
| tree | 3cb0ebc60ad7297d8dfcc7160bb98e7e71d78eeb /src/network | |
| parent | 126605f4e9044546d691817832682a5e981ec6cd (diff) | |
QAsn1Element: Read value in blocks to avoid oom at wrong length
Fixes oss-fuzz issue 22272.
Change-Id: I8a49b9487f632469402c983e517e817e8e65bef7
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit ad9ca01853e90bdbe45f7ac2e8edd75cd0862801)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Diffstat (limited to 'src/network')
| -rw-r--r-- | src/network/ssl/qasn1element.cpp | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/src/network/ssl/qasn1element.cpp b/src/network/ssl/qasn1element.cpp index 5634332a67..d7b6aa8bd6 100644 --- a/src/network/ssl/qasn1element.cpp +++ b/src/network/ssl/qasn1element.cpp @@ -142,12 +142,20 @@ bool QAsn1Element::read(QDataStream &stream) if (length > quint64(std::numeric_limits<int>::max())) return false; - // value + + // read value in blocks to avoid being fooled by incorrect length + const int BUFFERSIZE = 4 * 1024; QByteArray tmpValue; - tmpValue.resize(length); - int count = stream.readRawData(tmpValue.data(), tmpValue.size()); - if (count != int(length)) - return false; + int remainingLength = length; + while (remainingLength) { + char readBuffer[BUFFERSIZE]; + const int bytesToRead = qMin(remainingLength, BUFFERSIZE); + const int count = stream.readRawData(readBuffer, bytesToRead); + if (count != int(bytesToRead)) + return false; + tmpValue.append(readBuffer, bytesToRead); + remainingLength -= bytesToRead; + } mType = tmpType; mValue.swap(tmpValue); |