path: root/src/corelib/serialization/qxmlstream_p.h
Commit message | Author | Age | Files | Lines
* Add an expansion limit for entities | Lars Knoll | 2020-02-26 | 1 | -1/+13
  Recursively defined entities can easily exhaust all available memory. Limit entity expansion to a default of 4096 characters to avoid DoS attacks when a user loads untrusted content.
  Added a setter and getter to allow modifying the expansion limit.
  [ChangeLog][QtCore][QXmlStream] QXmlStreamReader does now by default limit the expansion of entities to 4096 characters. Documents where a single entity expands to more characters than the limit are not considered well formed. The limit is there to avoid DoS attacks through recursively expanding entities when loading untrusted content. The limit can be changed through the QXmlStreamReader::setEntityExpansionLimit() method.
  Fixes: QTBUG-47417
  Change-Id: I94387815d74fcf34783e136387ee57fac5ded0c9
  Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
  Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
* QXmlStreamReader: fix memory leak | Giuseppe D'Angelo | 2020-01-23 | 1 | -1/+1
  On some inputs a QXmlStreamReaderPrivate may allocate another QXmlStreamReaderPrivate as its entityResolver. Which, recursively, may allocate yet another one. This "chain" of QXmlStreamReaderPrivate objects was managed using raw pointers, and a leak was possible by resetting one of these pointers to nullptr without freeing the corresponding object.
  Change-Id: I2c6e1f023a2ed68b2b1857db25c53cce7f6bd3e7
  Reviewed-by: Sona Kurazyan <sona.kurazyan@qt.io>
* More nullptr usage in headers | Kevin Funk | 2019-03-14 | 1 | -5/+5
  Diff generated by running clang-tidy's modernize-use-nullptr checker on the CMake-based Qt version.
  Skipping src/3rdparty, examples/, tests/
  Change-Id: Ib182074e2e2fd52f63093f73b3e2e4c0cb7af188
  Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>
  Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
* Modernize the "textcodec" feature | Liang Qi | 2018-11-07 | 1 | -2/+2
  Also clean up QTextCodec usage in qmake build and some includes of qtextcodec.h.
  Change-Id: I0475b82690024054add4e85a8724c8ea3adcf62a
  Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
  Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@qt.io>
* Fix possible heap corruption in QXmlStream | Allan Sandfeld Jensen | 2018-08-13 | 1 | -1/+1
  The value of 'tos' at the check might already be on the last element, so triggering stack expansion on the second last element is too late.
  Change-Id: Ib3ab2662d4d27a71effe9e988b9e172923af2908
  Reviewed-by: Richard J. Moore <rich@kde.org>
  Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
* Reapply 403343039d07812c0beee9260b291f86e14d8ac4 on 5.11 | Liang Qi | 2018-02-23 | 1 | -1/+2
  This change amends 305dd1b61f657474d751cc3b24f58249ec21b61b, which lost 40334303 and brought src/corelib/xml/qxmlstream_p.h back. In a6b697ca13945a174cff9f3e9b1af1cf61c0bea5, it was moved to src/corelib/serialization/qxmlstream_p.h in 5.11.
  Change-Id: Ia1e9841b866ff49f7274b1b13fd224c0a20a017e
  Reviewed-by: Ville Voutilainen <ville.voutilainen@qt.io>
  Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>
* Create corelib/serialization and move existing file formats into it | Thiago Macieira | 2018-01-26 | 1 | -0/+1972
  This is in preparation to adding CBOR support. We don't need yet another dir for CBOR and placing it in src/corelib/json is just wrong.
  Change-Id: I9741f017961b410c910dfffd14ffb9d870340fa6
  Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@qt.io>
  Reviewed-by: Lars Knoll <lars.knoll@qt.io>