Головна сторінка Огляд Довідка
Реєстрація Увійти
XCAppCollection
/
XCVMKit-OS
2
0
Відгалуження 0
Файли Проблеми 0 Запити на злиття 0 Wiki
Гілка: master
Гілки Теги
XCVMKit-OS
/
package
/
qt6
/
qt6base
/
0013-QXmlStreamReader-make-fastScanName-indicate-parsing-.patch

0013-QXmlStreamReader-make-fastScanName-indicate-parsing-.patch 10 KB
Постійне посилання Історія Запис

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277 
  1. From 87f0d5c9212df3087b053a36165453f10205924d Mon Sep 17 00:00:00 2001
    2. 

  2. From: Ahmad Samir <a.samirh78@gmail.com>
    3. 

  3. Date: Thu, 22 Jun 2023 15:56:07 +0300
    4. 

  4. Subject: [PATCH] QXmlStreamReader: make fastScanName() indicate parsing status
    5. 

  5.  to callers
    6. 

  6. 

  7. This fixes a crash while parsing an XML file with garbage data, the file
    8. 

  8. starts with '<' then garbage data:
    9. 

  9. - The loop in the parse() keeps iterating until it hits "case 262:",
    10. 

  10.   which calls fastScanName()
    11. 

  11. - fastScanName() iterates over the text buffer scanning for the
    12. 

  12.   attribute name (e.g. "xml:lang"), until it finds ':'
    13. 

  13. - Consider a Value val, fastScanName() is called on it, it would set
    14. 

  14.   val.prefix to a number > val.len, then it would hit the 4096 condition
    15. 

  15.   and return (returned 0, now it returns the equivalent of
    16. 

  16.   std::null_opt), which means that val.len doesn't get modified, making
    17. 

  17.   it smaller than val.prefix
    18. 

  18. - The code would try constructing an XmlStringRef with negative length,
    19. 

  19.   which would hit an assert in one of QStringView's constructors
    20. 

  20. 

  21. Add an assert to the XmlStringRef constructor.
    22. 

  22. 

  23. Add unittest based on the file from the bug report.
    24. 

  24. 

  25. Later on I will replace FastScanNameResult with std::optional<qsizetype>
    26. 

  26. (std::optional is C++17, which isn't required by Qt 5.15, and we want to
    27. 

  27. backport this fix).
    28. 

  28. 

  29. Credit to OSS-Fuzz.
    30. 

  30. 

  31. Fixes: QTBUG-109781
    32. 

  32. Fixes: QTBUG-114829
    33. 

  33. Pick-to: 6.6 6.5 6.2 5.15
    34. 

  34. Change-Id: I455a5eeb47870c2ac9ffd0cbcdcd99c1ae2dd374
    35. 

  35. Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
    36. 

  36. 

  37. Fixes: https://security-tracker.debian.org/tracker/CVE-2023-37369
    38. 

  38. Upstream: https://github.com/qt/qtbase/commit/6326bec46a618c72feba4a2bb994c4d475050aed
    39. 

  39. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    40. 

  40. ---
    41. 

  41.  src/corelib/serialization/qxmlstream.cpp      | 23 ++++++++---
    42. 

  42.  src/corelib/serialization/qxmlstream.g        | 12 +++++-
    43. 

  43.  src/corelib/serialization/qxmlstream_p.h      | 14 ++++++-
    44. 

  44.  .../serialization/qxmlstreamparser_p.h        | 12 +++++-
    45. 

  45.  .../qxmlstream/tst_qxmlstream.cpp             | 39 +++++++++++++++++++
    46. 

  46.  5 files changed, 88 insertions(+), 12 deletions(-)
    47. 

  47. 

  48. diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
    49. 

  49. index 466f456ee63..2c879fb4c20 100644
    50. 

  50. --- a/src/corelib/serialization/qxmlstream.cpp
    51. 

  51. +++ b/src/corelib/serialization/qxmlstream.cpp
    52. 

  52. @@ -1247,7 +1247,9 @@ inline qsizetype QXmlStreamReaderPrivate::fastScanContentCharList()
    53. 

  53.      return n;
    54. 

  54.  }
    55. 

  55.  
    56. 

  56. -inline qsizetype QXmlStreamReaderPrivate::fastScanName(Value *val)
    57. 

  57. +// Fast scan an XML attribute name (e.g. "xml:lang").
    58. 

  58. +inline QXmlStreamReaderPrivate::FastScanNameResult
    59. 

  59. +QXmlStreamReaderPrivate::fastScanName(Value *val)
    60. 

  60.  {
    61. 

  61.      qsizetype n = 0;
    62. 

  62.      uint c;
    63. 

  63. @@ -1255,7 +1257,8 @@ inline qsizetype QXmlStreamReaderPrivate::fastScanName(Value *val)
    64. 

  64.          if (n >= 4096) {
    65. 

  65.              // This is too long to be a sensible name, and
    66. 

  66.              // can exhaust memory, or the range of decltype(*prefix)
    67. 

  67. -            return 0;
    68. 

  68. +            raiseNamePrefixTooLongError();
    69. 

  69. +            return {};
    70. 

  70.          }
    71. 

  71.          switch (c) {
    72. 

  72.          case '\n':
    73. 

  73. @@ -1289,18 +1292,18 @@ inline qsizetype QXmlStreamReaderPrivate::fastScanName(Value *val)
    74. 

  74.                  putChar(':');
    75. 

  75.                  --n;
    76. 

  76.              }
    77. 

  77. -            return n;
    78. 

  78. +            return FastScanNameResult(n);
    79. 

  79.          case ':':
    80. 

  80.              if (val) {
    81. 

  81.                  if (val->prefix == 0) {
    82. 

  82.                      val->prefix = qint16(n + 2);
    83. 

  83.                  } else { // only one colon allowed according to the namespace spec.
    84. 

  84.                      putChar(c);
    85. 

  85. -                    return n;
    86. 

  86. +                    return FastScanNameResult(n);
    87. 

  87.                  }
    88. 

  88.              } else {
    89. 

  89.                  putChar(c);
    90. 

  90. -                return n;
    91. 

  91. +                return FastScanNameResult(n);
    92. 

  92.              }
    93. 

  93.              Q_FALLTHROUGH();
    94. 

  94.          default:
    95. 

  95. @@ -1314,7 +1317,7 @@ inline qsizetype QXmlStreamReaderPrivate::fastScanName(Value *val)
    96. 

  96.      qsizetype pos = textBuffer.size() - n;
    97. 

  97.      putString(textBuffer, pos);
    98. 

  98.      textBuffer.resize(pos);
    99. 

  99. -    return 0;
    100. 

  100. +    return FastScanNameResult(0);
    101. 

  101.  }
    102. 

  102.  
    103. 

  103.  enum NameChar { NameBeginning, NameNotBeginning, NotName };
    104. 

  104. @@ -1795,6 +1798,14 @@ void QXmlStreamReaderPrivate::raiseWellFormedError(const QString &message)
    105. 

  105.      raiseError(QXmlStreamReader::NotWellFormedError, message);
    106. 

  106.  }
    107. 

  107.  
    108. 

  108. +void QXmlStreamReaderPrivate::raiseNamePrefixTooLongError()
    109. 

  109. +{
    110. 

  110. +    // TODO: add a ImplementationLimitsExceededError and use it instead
    111. 

  111. +    raiseError(QXmlStreamReader::NotWellFormedError,
    112. 

  112. +               QXmlStream::tr("Length of XML attribute name exceeds implemnetation limits (4KiB "
    113. 

  113. +                              "characters)."));
    114. 

  114. +}
    115. 

  115. +
    116. 

  116.  void QXmlStreamReaderPrivate::parseError()
    117. 

  117.  {
    118. 

  118.  
    119. 

  119. diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g
    120. 

  120. index f3152bff378..fc122e66811 100644
    121. 

  121. --- a/src/corelib/serialization/qxmlstream.g
    122. 

  122. +++ b/src/corelib/serialization/qxmlstream.g
    123. 

  123. @@ -1420,7 +1420,11 @@ qname ::= LETTER;
    124. 

  124.  /.
    125. 

  125.          case $rule_number: {
    126. 

  126.              Value &val = sym(1);
    127. 

  127. -            val.len += fastScanName(&val);
    128. 

  128. +            if (auto res = fastScanName(&val))
    129. 

  129. +                val.len += *res;
    130. 

  130. +            else
    131. 

  131. +                return false;
    132. 

  132. +
    133. 

  133.              if (atEnd) {
    134. 

  134.                  resume($rule_number);
    135. 

  135.                  return false;
    136. 

  136. @@ -1431,7 +1435,11 @@ qname ::= LETTER;
    137. 

  137.  name ::= LETTER;
    138. 

  138.  /.
    139. 

  139.          case $rule_number:
    140. 

  140. -            sym(1).len += fastScanName();
    141. 

  141. +            if (auto res = fastScanName())
    142. 

  142. +                sym(1).len += *res;
    143. 

  143. +            else
    144. 

  144. +                return false;
    145. 

  145. +
    146. 

  146.              if (atEnd) {
    147. 

  147.                  resume($rule_number);
    148. 

  148.                  return false;
    149. 

  149. diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
    150. 

  150. index efee742963b..be69921c7c3 100644
    151. 

  151. --- a/src/corelib/serialization/qxmlstream_p.h
    152. 

  152. +++ b/src/corelib/serialization/qxmlstream_p.h
    153. 

  153. @@ -38,7 +38,7 @@ public:
    154. 

  154.  
    155. 

  155.      constexpr XmlStringRef() = default;
    156. 

  156.      constexpr inline XmlStringRef(const QString *string, qsizetype pos, qsizetype length)
    157. 

  157. -        : m_string(string), m_pos(pos), m_size(length)
    158. 

  158. +        : m_string(string), m_pos(pos), m_size((Q_ASSERT(length >= 0), length))
    159. 

  159.      {
    160. 

  160.      }
    161. 

  161.      XmlStringRef(const QString *string)
    162. 

  162. @@ -482,7 +482,16 @@ public:
    163. 

  163.      qsizetype fastScanLiteralContent();
    164. 

  164.      qsizetype fastScanSpace();
    165. 

  165.      qsizetype fastScanContentCharList();
    166. 

  166. -    qsizetype fastScanName(Value *val = nullptr);
    167. 

  167. +
    168. 

  168. +    struct FastScanNameResult {
    169. 

  169. +        FastScanNameResult() : ok(false) {}
    170. 

  170. +        explicit FastScanNameResult(qsizetype len) : addToLen(len), ok(true) { }
    171. 

  171. +        operator bool() { return ok; }
    172. 

  172. +        qsizetype operator*() { Q_ASSERT(ok); return addToLen; }
    173. 

  173. +        qsizetype addToLen;
    174. 

  174. +        bool ok;
    175. 

  175. +    };
    176. 

  176. +    FastScanNameResult fastScanName(Value *val = nullptr);
    177. 

  177.      inline qsizetype fastScanNMTOKEN();
    178. 

  178.  
    179. 

  179.  
    180. 

  180. @@ -491,6 +500,7 @@ public:
    181. 

  181.  
    182. 

  182.      void raiseError(QXmlStreamReader::Error error, const QString& message = QString());
    183. 

  183.      void raiseWellFormedError(const QString &message);
    184. 

  184. +    void raiseNamePrefixTooLongError();
    185. 

  185.  
    186. 

  186.      QXmlStreamEntityResolver *entityResolver;
    187. 

  187.  
    188. 

  188. diff --git a/src/corelib/serialization/qxmlstreamparser_p.h b/src/corelib/serialization/qxmlstreamparser_p.h
    189. 

  189. index 59370a93106..afd83381b3f 100644
    190. 

  190. --- a/src/corelib/serialization/qxmlstreamparser_p.h
    191. 

  191. +++ b/src/corelib/serialization/qxmlstreamparser_p.h
    192. 

  192. @@ -948,7 +948,11 @@ bool QXmlStreamReaderPrivate::parse()
    193. 

  193.  
    194. 

  194.          case 262: {
    195. 

  195.              Value &val = sym(1);
    196. 

  196. -            val.len += fastScanName(&val);
    197. 

  197. +            if (auto res = fastScanName(&val))
    198. 

  198. +                val.len += *res;
    199. 

  199. +            else
    200. 

  200. +                return false;
    201. 

  201. +
    202. 

  202.              if (atEnd) {
    203. 

  203.                  resume(262);
    204. 

  204.                  return false;
    205. 

  205. @@ -956,7 +960,11 @@ bool QXmlStreamReaderPrivate::parse()
    206. 

  206.          } break;
    207. 

  207.  
    208. 

  208.          case 263:
    209. 

  209. -            sym(1).len += fastScanName();
    210. 

  210. +            if (auto res = fastScanName())
    211. 

  211. +                sym(1).len += *res;
    212. 

  212. +            else
    213. 

  213. +                return false;
    214. 

  214. +
    215. 

  215.              if (atEnd) {
    216. 

  216.                  resume(263);
    217. 

  217.                  return false;
    218. 

  218. diff --git a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
    219. 

  219. index 8d2738700ea..ac41528e2a8 100644
    220. 

  220. --- a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
    221. 

  221. +++ b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
    222. 

  222. @@ -581,6 +581,8 @@ private slots:
    223. 

  223.      void readBack() const;
    224. 

  224.      void roundTrip() const;
    225. 

  225.      void roundTrip_data() const;
    226. 

  226. +    void test_fastScanName_data() const;
    227. 

  227. +    void test_fastScanName() const;
    228. 

  228.  
    229. 

  229.      void entityExpansionLimit() const;
    230. 

  230.  
    231. 

  231. @@ -1757,6 +1759,43 @@ void tst_QXmlStream::roundTrip() const
    232. 

  232.      QCOMPARE(out, in);
    233. 

  233.  }
    234. 

  234.  
    235. 

  235. +void tst_QXmlStream::test_fastScanName_data() const
    236. 

  236. +{
    237. 

  237. +    QTest::addColumn<QByteArray>("data");
    238. 

  238. +    QTest::addColumn<QXmlStreamReader::Error>("errorType");
    239. 

  239. +
    240. 

  240. +    // 4096 is the limit in QXmlStreamReaderPrivate::fastScanName()
    241. 

  241. +
    242. 

  242. +    QByteArray arr = "<a"_ba + ":" + QByteArray("b").repeated(4096 - 1);
    243. 

  243. +    QTest::newRow("data1") << arr << QXmlStreamReader::PrematureEndOfDocumentError;
    244. 

  244. +
    245. 

  245. +    arr = "<a"_ba + ":" + QByteArray("b").repeated(4096);
    246. 

  246. +    QTest::newRow("data2") << arr << QXmlStreamReader::NotWellFormedError;
    247. 

  247. +
    248. 

  248. +    arr = "<"_ba + QByteArray("a").repeated(4000) + ":" + QByteArray("b").repeated(96);
    249. 

  249. +    QTest::newRow("data3") << arr << QXmlStreamReader::PrematureEndOfDocumentError;
    250. 

  250. +
    251. 

  251. +    arr = "<"_ba + QByteArray("a").repeated(4000) + ":" + QByteArray("b").repeated(96 + 1);
    252. 

  252. +    QTest::newRow("data4") << arr << QXmlStreamReader::NotWellFormedError;
    253. 

  253. +
    254. 

  254. +    arr = "<"_ba + QByteArray("a").repeated(4000 + 1) + ":" + QByteArray("b").repeated(96);
    255. 

  255. +    QTest::newRow("data5") << arr << QXmlStreamReader::NotWellFormedError;
    256. 

  256. +}
    257. 

  257. +
    258. 

  258. +void tst_QXmlStream::test_fastScanName() const
    259. 

  259. +{
    260. 

  260. +    QFETCH(QByteArray, data);
    261. 

  261. +    QFETCH(QXmlStreamReader::Error, errorType);
    262. 

  262. +
    263. 

  263. +    QXmlStreamReader reader(data);
    264. 

  264. +    QXmlStreamReader::TokenType tokenType;
    265. 

  265. +    while (!reader.atEnd())
    266. 

  266. +        tokenType = reader.readNext();
    267. 

  267. +
    268. 

  268. +    QCOMPARE(tokenType, QXmlStreamReader::Invalid);
    269. 

  269. +    QCOMPARE(reader.error(), errorType);
    270. 

  270. +}
    271. 

  271. +
    272. 

  272.  void tst_QXmlStream::tokenErrorHandling_data() const
    273. 

  273.  {
    274. 

  274.      QTest::addColumn<QString>("fileName");
    275. 

  275. -- 
    276. 

  276. 2.46.0
    277. 

  277.