From 8a5267e4d96438aa74672ca1bf25d187c6c45bd2 Mon Sep 17 00:00:00 2001 From: Thiago Macieira Date: Mon, 2 Jul 2018 22:38:57 -0700 Subject: Plugins: fix crash if the binary JSON data contains invalid size Eight bytes into the Binary JSON header there's a 32-bit little-endian size, which qJsonFromRawLibraryMetaData uses to determine the size of the stored metadata. That value is passed as a size to QByteArray, which means certain values could cause crashes due to being too big or via sign-extension in 64-bit. [ChangeLog][QtCore][QPluginLoader] Fixed an issue that could cause a crash when certain damaged or corrupt plugin files were scanned. Change-Id: I117816bf0f5e469b8d34fffd153dc5425cec39a7 Reviewed-by: Simon Hausmann --- src/corelib/plugin/qfactoryloader.cpp | 24 ++++++++++++++++++++++++ src/corelib/plugin/qfactoryloader_p.h | 9 +-------- src/corelib/plugin/qlibrary.cpp | 5 +++-- src/corelib/plugin/qpluginloader.cpp | 6 +++++- 4 files changed, 33 insertions(+), 11 deletions(-) (limited to 'src') diff --git a/src/corelib/plugin/qfactoryloader.cpp b/src/corelib/plugin/qfactoryloader.cpp index a4be18a67f..dc1424fd0c 100644 --- a/src/corelib/plugin/qfactoryloader.cpp +++ b/src/corelib/plugin/qfactoryloader.cpp @@ -1,6 +1,7 @@ /**************************************************************************** ** ** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2018 Intel Corporation. ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtCore module of the Qt Toolkit. @@ -58,6 +59,29 @@ QT_BEGIN_NAMESPACE +static inline int metaDataSignatureLength() +{ + return sizeof("QTMETADATA ") - 1; +} + +QJsonDocument qJsonFromRawLibraryMetaData(const char *raw, qsizetype sectionSize) +{ + raw += metaDataSignatureLength(); + sectionSize -= metaDataSignatureLength(); + + // the size of the embedded JSON object can be found 8 bytes into the data (see qjson_p.h) + uint size = qFromLittleEndian(raw + 8); + // but the maximum size of binary JSON is 128 MB + size = qMin(size, 128U * 1024 * 1024); + // and it doesn't include the size of the header (8 bytes) + size += 8; + // finally, it can't be bigger than the file or section size + size = qMin(sectionSize, qsizetype(size)); + + QByteArray json(raw, size); + return QJsonDocument::fromBinaryData(json); +} + class QFactoryLoaderPrivate : public QObjectPrivate { Q_DECLARE_PUBLIC(QFactoryLoader) diff --git a/src/corelib/plugin/qfactoryloader_p.h b/src/corelib/plugin/qfactoryloader_p.h index 7be18942ae..fe722999ae 100644 --- a/src/corelib/plugin/qfactoryloader_p.h +++ b/src/corelib/plugin/qfactoryloader_p.h @@ -66,14 +66,7 @@ QT_BEGIN_NAMESPACE -inline QJsonDocument qJsonFromRawLibraryMetaData(const char *raw) -{ - raw += strlen("QTMETADATA "); - // the size of the embedded JSON object can be found 8 bytes into the data (see qjson_p.h), - // but doesn't include the size of the header (8 bytes) - QByteArray json(raw, qFromLittleEndian(*(const uint *)(raw + 8)) + 8); - return QJsonDocument::fromBinaryData(json); -} +QJsonDocument qJsonFromRawLibraryMetaData(const char *raw, qsizetype size); class QFactoryLoaderPrivate; class Q_CORE_EXPORT QFactoryLoader : public QObject diff --git a/src/corelib/plugin/qlibrary.cpp b/src/corelib/plugin/qlibrary.cpp index 31abeaffe4..5256a09ff2 100644 --- a/src/corelib/plugin/qlibrary.cpp +++ b/src/corelib/plugin/qlibrary.cpp @@ -317,7 +317,7 @@ static bool findPatternUnloaded(const QString &library, QLibraryPrivate *lib) if (pos >= 0) { if (hasMetaData) { const char *data = filedata + pos; - QJsonDocument doc = qJsonFromRawLibraryMetaData(data); + QJsonDocument doc = qJsonFromRawLibraryMetaData(data, qsizetype(fdlen)); lib->metaData = doc.object(); if (qt_debug_component()) qWarning("Found metadata in lib %s, metadata=\n%s\n", @@ -691,7 +691,8 @@ static bool qt_get_metadata(QtPluginQueryVerificationDataFunction pfn, QLibraryP if (!szData) return false; - QJsonDocument doc = qJsonFromRawLibraryMetaData(szData); + // the data is already loaded, so the size doesn't matter + QJsonDocument doc = qJsonFromRawLibraryMetaData(szData, INT_MAX); if (doc.isNull()) return false; priv->metaData = doc.object(); diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp index aab00cc7eb..83cbcd2b44 100644 --- a/src/corelib/plugin/qpluginloader.cpp +++ b/src/corelib/plugin/qpluginloader.cpp @@ -1,6 +1,7 @@ /**************************************************************************** ** ** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2018 Intel Corporation. ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtCore module of the Qt Toolkit. @@ -474,7 +475,10 @@ QVector QPluginLoader::staticPlugins() */ QJsonObject QStaticPlugin::metaData() const { - return qJsonFromRawLibraryMetaData(rawMetaData()).object(); + // the data is already loaded, so this doesn't matter + qsizetype rawMetaDataSize = INT_MAX; + + return qJsonFromRawLibraryMetaData(rawMetaData(), rawMetaDataSize).object(); } QT_END_NAMESPACE -- cgit v1.2.3