summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSlávek Banko <slavek.banko@axis.cz>2015-03-09 22:30:32 +0100
committerSlávek Banko <slavek.banko@axis.cz>2015-03-09 22:34:03 +0100
commitcc46bf4ecb4a9b79f4a11d08a68b09e6871dc1a6 (patch)
treed3a4eb389746d40e54f20c6f85f49081f79ed2b1
parentdfb87398c72e9248aa709ae212e6ab7f2209003d (diff)
downloadtqt3-cc46bf4e.tar.gz
tqt3-cc46bf4e.zip
Fix security issue CVE-2013-4549
[taken from RedHat Qt3 patches]
-rw-r--r--src/xml/ntqxml.h7
-rw-r--r--src/xml/qxml.cpp63
2 files changed, 70 insertions, 0 deletions
diff --git a/src/xml/ntqxml.h b/src/xml/ntqxml.h
index cc4d2391..f729b6ab 100644
--- a/src/xml/ntqxml.h
+++ b/src/xml/ntqxml.h
@@ -307,6 +307,12 @@ private:
TQXmlSimpleReaderPrivate* d;
+ // The limit to the amount of times the DTD parsing functions can be called
+ // for the DTD currently being parsed.
+ static const uint dtdRecursionLimit = 2U;
+ // The maximum amount of characters an entity value may contain, after expansion.
+ static const uint entityCharacterLimit = 65536U;
+
const TQString &string();
void stringClear();
inline void stringAddC() { stringAddC(c); }
@@ -378,6 +384,7 @@ private:
void unexpectedEof( ParseFunction where, int state );
void parseFailed( ParseFunction where, int state );
void pushParseState( ParseFunction function, int state );
+ bool isExpandedEntityValueTooLarge(TQString *errorMessage);
void setUndefEntityInAttrHack(bool b);
diff --git a/src/xml/qxml.cpp b/src/xml/qxml.cpp
index f57920e6..e29e027f 100644
--- a/src/xml/qxml.cpp
+++ b/src/xml/qxml.cpp
@@ -4529,6 +4529,11 @@ bool TQXmlSimpleReader::parseDoctype()
}
break;
case Mup:
+ if (dtdRecursionLimit > 0U && d->parameterEntities.size() > dtdRecursionLimit) {
+ reportParseError(TQString::fromLatin1(
+ "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit));
+ return FALSE;
+ }
if ( !parseMarkupdecl() ) {
parseFailed( &TQXmlSimpleReader::parseDoctype, state );
return FALSE;
@@ -6128,6 +6133,58 @@ bool TQXmlSimpleReader::parseChoiceSeq()
}
}
+bool TQXmlSimpleReader::isExpandedEntityValueTooLarge(TQString *errorMessage)
+{
+ TQMap<TQString, uint> literalEntitySizes;
+ // The entity at (TQMap<TQString,) referenced the entities at (TQMap<TQString,) (uint>) times.
+ TQMap<TQString, TQMap<TQString, uint> > referencesToOtherEntities;
+ TQMap<TQString, uint> expandedSizes;
+
+ // For every entity, check how many times all entity names were referenced in its value.
+ TQMap<TQString,TQString>::ConstIterator toSearchIterator;
+ for (toSearchIterator = d->entities.begin(); toSearchIterator != d->entities.end(); ++toSearchIterator) {
+ TQString toSearch = toSearchIterator.key();
+ // The amount of characters that weren't entity names, but literals, like 'X'.
+ TQString leftOvers = toSearchIterator.data();
+ TQMap<TQString,TQString>::ConstIterator entityNameIterator;
+ // How many times was entityName referenced by toSearch?
+ for (entityNameIterator = d->entities.begin(); entityNameIterator != d->entities.end(); ++entityNameIterator) {
+ TQString entityName = entityNameIterator.key();
+ for (int i = 0; i >= 0 && (uint) i < leftOvers.length(); ) {
+ i = leftOvers.find(TQString::fromLatin1("&%1;").arg(entityName), i);
+ if (i != -1) {
+ leftOvers.remove(i, entityName.length() + 2U);
+ // The entityName we're currently trying to find was matched in this string; increase our count.
+ ++referencesToOtherEntities[toSearch][entityName];
+ }
+ }
+ }
+ literalEntitySizes[toSearch] = leftOvers.length();
+ }
+
+ TQMap<TQString, TQMap<TQString, uint> >::ConstIterator entityIterator;
+ for (entityIterator = referencesToOtherEntities.begin(); entityIterator != referencesToOtherEntities.end(); ++entityIterator) {
+ TQString entity = entityIterator.key();
+ expandedSizes[entity] = literalEntitySizes[entity];
+ TQMap<TQString, uint>::ConstIterator referenceToIterator;
+ for (referenceToIterator = entityIterator.data().begin(); referenceToIterator != entityIterator.data().end(); ++referenceToIterator) {
+ TQString referenceTo = referenceToIterator.key();
+ const uint references = referenceToIterator.data();
+ // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size.
+ expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references;
+ }
+
+ if (expandedSizes[entity] > entityCharacterLimit) {
+ if (errorMessage) {
+ *errorMessage = TQString::fromLatin1("The XML entity \"%1\" expands to a string that is too large to process (%2 characters > %3).");
+ *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit);
+ }
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
/*
Parse a EntityDecl [70].
@@ -6222,6 +6279,12 @@ bool TQXmlSimpleReader::parseEntityDecl()
switch ( state ) {
case EValue:
if ( !entityExist( name() ) ) {
+ TQString errorMessage;
+ if (isExpandedEntityValueTooLarge(&errorMessage)) {
+ reportParseError(errorMessage);
+ return FALSE;
+ }
+
d->entities.insert( name(), string() );
if ( declHnd ) {
if ( !declHnd->internalEntityDecl( name(), string() ) ) {