diff options
author | Slávek Banko <[email protected]> | 2015-03-09 22:30:32 +0100 |
---|---|---|
committer | Slávek Banko <[email protected]> | 2015-03-09 22:38:31 +0100 |
commit | 9577716fc34938519a9c57c262efec35bdb3c0d6 (patch) | |
tree | 0301539f2d5d4380695cc4d7512b9d4f05e6ecab /src/xml | |
parent | 6d346d4d84e88aa98ee5f06e94b64199c992213e (diff) | |
download | tqt3-9577716fc34938519a9c57c262efec35bdb3c0d6.tar.gz tqt3-9577716fc34938519a9c57c262efec35bdb3c0d6.zip |
Fix security issue CVE-2013-4549
[taken from RedHat Qt3 patches]
(cherry picked from commit cc46bf4ecb4a9b79f4a11d08a68b09e6871dc1a6)
Diffstat (limited to 'src/xml')
-rw-r--r-- | src/xml/ntqxml.h | 7 | ||||
-rw-r--r-- | src/xml/qxml.cpp | 63 |
2 files changed, 70 insertions, 0 deletions
diff --git a/src/xml/ntqxml.h b/src/xml/ntqxml.h index cc4d23910..f729b6abc 100644 --- a/src/xml/ntqxml.h +++ b/src/xml/ntqxml.h @@ -307,6 +307,12 @@ private: TQXmlSimpleReaderPrivate* d; + // The limit to the amount of times the DTD parsing functions can be called + // for the DTD currently being parsed. + static const uint dtdRecursionLimit = 2U; + // The maximum amount of characters an entity value may contain, after expansion. + static const uint entityCharacterLimit = 65536U; + const TQString &string(); void stringClear(); inline void stringAddC() { stringAddC(c); } @@ -378,6 +384,7 @@ private: void unexpectedEof( ParseFunction where, int state ); void parseFailed( ParseFunction where, int state ); void pushParseState( ParseFunction function, int state ); + bool isExpandedEntityValueTooLarge(TQString *errorMessage); void setUndefEntityInAttrHack(bool b); diff --git a/src/xml/qxml.cpp b/src/xml/qxml.cpp index f57920e62..e29e027fa 100644 --- a/src/xml/qxml.cpp +++ b/src/xml/qxml.cpp @@ -4529,6 +4529,11 @@ bool TQXmlSimpleReader::parseDoctype() } break; case Mup: + if (dtdRecursionLimit > 0U && d->parameterEntities.size() > dtdRecursionLimit) { + reportParseError(TQString::fromLatin1( + "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit)); + return FALSE; + } if ( !parseMarkupdecl() ) { parseFailed( &TQXmlSimpleReader::parseDoctype, state ); return FALSE; @@ -6128,6 +6133,58 @@ bool TQXmlSimpleReader::parseChoiceSeq() } } +bool TQXmlSimpleReader::isExpandedEntityValueTooLarge(TQString *errorMessage) +{ + TQMap<TQString, uint> literalEntitySizes; + // The entity at (TQMap<TQString,) referenced the entities at (TQMap<TQString,) (uint>) times. + TQMap<TQString, TQMap<TQString, uint> > referencesToOtherEntities; + TQMap<TQString, uint> expandedSizes; + + // For every entity, check how many times all entity names were referenced in its value. + TQMap<TQString,TQString>::ConstIterator toSearchIterator; + for (toSearchIterator = d->entities.begin(); toSearchIterator != d->entities.end(); ++toSearchIterator) { + TQString toSearch = toSearchIterator.key(); + // The amount of characters that weren't entity names, but literals, like 'X'. + TQString leftOvers = toSearchIterator.data(); + TQMap<TQString,TQString>::ConstIterator entityNameIterator; + // How many times was entityName referenced by toSearch? + for (entityNameIterator = d->entities.begin(); entityNameIterator != d->entities.end(); ++entityNameIterator) { + TQString entityName = entityNameIterator.key(); + for (int i = 0; i >= 0 && (uint) i < leftOvers.length(); ) { + i = leftOvers.find(TQString::fromLatin1("&%1;").arg(entityName), i); + if (i != -1) { + leftOvers.remove(i, entityName.length() + 2U); + // The entityName we're currently trying to find was matched in this string; increase our count. + ++referencesToOtherEntities[toSearch][entityName]; + } + } + } + literalEntitySizes[toSearch] = leftOvers.length(); + } + + TQMap<TQString, TQMap<TQString, uint> >::ConstIterator entityIterator; + for (entityIterator = referencesToOtherEntities.begin(); entityIterator != referencesToOtherEntities.end(); ++entityIterator) { + TQString entity = entityIterator.key(); + expandedSizes[entity] = literalEntitySizes[entity]; + TQMap<TQString, uint>::ConstIterator referenceToIterator; + for (referenceToIterator = entityIterator.data().begin(); referenceToIterator != entityIterator.data().end(); ++referenceToIterator) { + TQString referenceTo = referenceToIterator.key(); + const uint references = referenceToIterator.data(); + // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size. + expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references; + } + + if (expandedSizes[entity] > entityCharacterLimit) { + if (errorMessage) { + *errorMessage = TQString::fromLatin1("The XML entity \"%1\" expands to a string that is too large to process (%2 characters > %3)."); + *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit); + } + return TRUE; + } + } + return FALSE; +} + /* Parse a EntityDecl [70]. @@ -6222,6 +6279,12 @@ bool TQXmlSimpleReader::parseEntityDecl() switch ( state ) { case EValue: if ( !entityExist( name() ) ) { + TQString errorMessage; + if (isExpandedEntityValueTooLarge(&errorMessage)) { + reportParseError(errorMessage); + return FALSE; + } + d->entities.insert( name(), string() ); if ( declHnd ) { if ( !declHnd->internalEntityDecl( name(), string() ) ) { |