diff options
| author | Thiago Macieira <thiago.macieira@intel.com> | 2020-03-07 07:38:51 -0800 |
|---|---|---|
| committer | Thiago Macieira <thiago.macieira@intel.com> | 2020-03-25 16:21:47 -0300 |
| commit | 02d595946faa7a21f6aa4109227f7e90db20ae7a (patch) | |
| tree | 48a281e33a5f72c50998d87f315264e6bddc3f36 /tests/auto | |
| parent | b7da66132bdd196c4f0b0e0fdf53f9e3b9a8bdaf (diff) | |
QCborValue::fromCbor: Apply a recursion limit to decoding
A simple 16k file can produce deep enough recursion in Qt to cause stack
overflow. So prevent that.
I tested 4096 recursions just fine on my Linux system (8 MB stack), but
decided 1024 was sufficient, as this code will also be run on embedded
systems that could have smaller stacks.
[ChangeLog][QtCore][QCborValue] fromCbor() now limits decoding to at
most 1024 nested maps, arrays, and tags to prevent stack overflows. This
should be sufficient for most uses of CBOR. An API to limit further or
to relax the limit will be provided in 5.15. Meanwhile, if decoding more
is required, QCborStreamReader can be used (note that each level of map
and array allocates memory).
Change-Id: Iaa63461109844e978376fffd15fa0fbefbf607a2
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Diffstat (limited to 'tests/auto')
| -rw-r--r-- | tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp b/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp index d5a9012f9f..49bb9cc144 100644 --- a/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp +++ b/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp @@ -102,6 +102,8 @@ private slots: void fromCborStreamReaderIODevice(); void validation_data(); void validation(); + void recursionLimit_data(); + void recursionLimit(); void toDiagnosticNotation_data(); void toDiagnosticNotation(); @@ -1720,6 +1722,58 @@ void tst_QCborValue::validation() } } +void tst_QCborValue::recursionLimit_data() +{ + constexpr int RecursionAttempts = 4096; + QTest::addColumn<QByteArray>("data"); + QByteArray arrays(RecursionAttempts, char(0x81)); + QByteArray _arrays(RecursionAttempts, char(0x9f)); + QByteArray maps(RecursionAttempts, char(0xa1)); + QByteArray _maps(RecursionAttempts, char(0xbf)); + QByteArray tags(RecursionAttempts, char(0xc0)); + + QTest::newRow("array-nesting-too-deep") << arrays; + QTest::newRow("_array-nesting-too-deep") << _arrays; + QTest::newRow("map-nesting-too-deep") << maps; + QTest::newRow("_map-nesting-too-deep") << _maps; + QTest::newRow("tag-nesting-too-deep") << tags; + + QByteArray mixed(5 * RecursionAttempts, Qt::Uninitialized); + char *ptr = mixed.data(); + for (int i = 0; i < RecursionAttempts; ++i) { + quint8 type = qBound(quint8(QCborStreamReader::Array), quint8(i & 0x80), quint8(QCborStreamReader::Tag)); + quint8 additional_info = i & 0x1f; + if (additional_info == 0x1f) + (void)additional_info; // leave it + else if (additional_info > 0x1a) + additional_info = 0x1a; + else if (additional_info < 1) + additional_info = 1; + + *ptr++ = type | additional_info; + if (additional_info == 0x18) { + *ptr++ = uchar(i); + } else if (additional_info == 0x19) { + qToBigEndian(ushort(i), ptr); + ptr += 2; + } else if (additional_info == 0x1a) { + qToBigEndian(uint(i), ptr); + ptr += 4; + } + } + + QTest::newRow("mixed-nesting-too-deep") << mixed; +} + +void tst_QCborValue::recursionLimit() +{ + QFETCH(QByteArray, data); + + QCborParserError error; + QCborValue decoded = QCborValue::fromCbor(data, &error); + QCOMPARE(error.error, QCborError::NestingTooDeep); +} + void tst_QCborValue::toDiagnosticNotation_data() { QTest::addColumn<QCborValue>("v"); |