diff options
| author | Ahmad Samir <a.samirh78@gmail.com> | 2023-06-22 15:56:07 +0300 |
|---|---|---|
| committer | Ahmad Samir <a.samirh78@gmail.com> | 2023-06-29 18:32:19 +0300 |
| commit | 8695e64c637112d22c748df1ad026dcc03dccb8d (patch) | |
| tree | fccf4eb9d0d71247fed558195465d745e87deff4 /tests | |
| parent | 53a5f9acaae261a949353a0189300e71e7400f67 (diff) | |
QXmlStreamReader: make fastScanName() indicate parsing status to callers
This fixes a crash while parsing an XML file with garbage data, the file
starts with '<' then garbage data:
- The loop in the parse() keeps iterating until it hits "case 262:",
which calls fastScanName()
- fastScanName() iterates over the text buffer scanning for the
attribute name (e.g. "xml:lang"), until it finds ':'
- Consider a Value val, fastScanName() is called on it, it would set
val.prefix to a number > val.len, then it would hit the 4096 condition
and return (returned 0, now it returns the equivalent of
std::null_opt), which means that val.len doesn't get modified, making
it smaller than val.prefix
- The code would try constructing an XmlStringRef with negative length,
which would hit an assert in one of QStringView's constructors
Add an assert to the XmlStringRef constructor.
Add unittest based on the file from the bug report.
Later on I will replace FastScanNameResult with std::optional<qsizetype>
(std::optional is C++17, which isn't required by Qt 5.15, and we want to
backport this fix).
Credit to OSS-Fuzz.
Fixes: QTBUG-109781
Fixes: QTBUG-114829
Change-Id: I455a5eeb47870c2ac9ffd0cbcdcd99c1ae2dd374
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit 6326bec46a618c72feba4a2bb994c4d475050aed)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit 7e9210a83203975f21fa133fc4bf5d691acf9b23)
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp index 52025f7e23..b7f603c71f 100644 --- a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp +++ b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp @@ -585,6 +585,8 @@ private slots: void readBack() const; void roundTrip() const; void roundTrip_data() const; + void test_fastScanName_data() const; + void test_fastScanName() const; void entityExpansionLimit() const; @@ -1816,5 +1818,42 @@ void tst_QXmlStream::roundTrip() const QCOMPARE(out, in); } +void tst_QXmlStream::test_fastScanName_data() const +{ + QTest::addColumn<QByteArray>("data"); + QTest::addColumn<QXmlStreamReader::Error>("errorType"); + + // 4096 is the limit in QXmlStreamReaderPrivate::fastScanName() + + QByteArray arr = "<a"_ba + ":" + QByteArray("b").repeated(4096 - 1); + QTest::newRow("data1") << arr << QXmlStreamReader::PrematureEndOfDocumentError; + + arr = "<a"_ba + ":" + QByteArray("b").repeated(4096); + QTest::newRow("data2") << arr << QXmlStreamReader::NotWellFormedError; + + arr = "<"_ba + QByteArray("a").repeated(4000) + ":" + QByteArray("b").repeated(96); + QTest::newRow("data3") << arr << QXmlStreamReader::PrematureEndOfDocumentError; + + arr = "<"_ba + QByteArray("a").repeated(4000) + ":" + QByteArray("b").repeated(96 + 1); + QTest::newRow("data4") << arr << QXmlStreamReader::NotWellFormedError; + + arr = "<"_ba + QByteArray("a").repeated(4000 + 1) + ":" + QByteArray("b").repeated(96); + QTest::newRow("data5") << arr << QXmlStreamReader::NotWellFormedError; +} + +void tst_QXmlStream::test_fastScanName() const +{ + QFETCH(QByteArray, data); + QFETCH(QXmlStreamReader::Error, errorType); + + QXmlStreamReader reader(data); + QXmlStreamReader::TokenType tokenType; + while (!reader.atEnd()) + tokenType = reader.readNext(); + + QCOMPARE(tokenType, QXmlStreamReader::Invalid); + QCOMPARE(reader.error(), errorType); +} + #include "tst_qxmlstream.moc" // vim: et:ts=4:sw=4:sts=4 |