TDE
/
tqt3
mirror of https://mirror.git.trinitydesktop.org/gitea/TDE/tqt3
0
0
Fork 0
Code Issues Releases Wiki Activity

Fix security issue CVE-2013-4549

Browse Source 
[taken from RedHat Qt3 patches]
(cherry picked from commit cc46bf4ecb)
r14.0.x
Slávek Banko 10 years ago
parent 6d346d4d84
commit 9577716fc3
2 changed files with 70 additions and 0 deletions
Show Stats Download Patch File Download Diff File

7
src/xml/ntqxml.h
Unescape View File

@ -307,6 +307,12 @@ private:
TQXmlSimpleReaderPrivate* d; TQXmlSimpleReaderPrivate* d;
// The limit to the amount of times the DTD parsing functions can be called
// for the DTD currently being parsed.
static const uint dtdRecursionLimit = 2U;
// The maximum amount of characters an entity value may contain, after expansion.
static const uint entityCharacterLimit = 65536U;
const TQString &string(); const TQString &string();
void stringClear(); void stringClear();
inline void stringAddC() { stringAddC(c); } inline void stringAddC() { stringAddC(c); }
@ -378,6 +384,7 @@ private:
void unexpectedEof( ParseFunction where, int state ); void unexpectedEof( ParseFunction where, int state );
void parseFailed( ParseFunction where, int state ); void parseFailed( ParseFunction where, int state );
void pushParseState( ParseFunction function, int state ); void pushParseState( ParseFunction function, int state );
bool isExpandedEntityValueTooLarge(TQString *errorMessage);
void setUndefEntityInAttrHack(bool b); void setUndefEntityInAttrHack(bool b);

63
src/xml/qxml.cpp
Unescape View File

@ -4529,6 +4529,11 @@ bool TQXmlSimpleReader::parseDoctype()
} }
break; break;
case Mup: case Mup:
if (dtdRecursionLimit > 0U && d->parameterEntities.size() > dtdRecursionLimit) {
reportParseError(TQString::fromLatin1(
"DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit));
return FALSE;
}
if ( !parseMarkupdecl() ) { if ( !parseMarkupdecl() ) {
parseFailed( &TQXmlSimpleReader::parseDoctype, state ); parseFailed( &TQXmlSimpleReader::parseDoctype, state );
return FALSE; return FALSE;
@ -6128,6 +6133,58 @@ bool TQXmlSimpleReader::parseChoiceSeq()
} }
} }
bool TQXmlSimpleReader::isExpandedEntityValueTooLarge(TQString *errorMessage)
{
TQMap<TQString, uint> literalEntitySizes;
// The entity at (TQMap<TQString,) referenced the entities at (TQMap<TQString,) (uint>) times.
TQMap<TQString, TQMap<TQString, uint> > referencesToOtherEntities;
TQMap<TQString, uint> expandedSizes;
// For every entity, check how many times all entity names were referenced in its value.
TQMap<TQString,TQString>::ConstIterator toSearchIterator;
for (toSearchIterator = d->entities.begin(); toSearchIterator != d->entities.end(); ++toSearchIterator) {
TQString toSearch = toSearchIterator.key();
// The amount of characters that weren't entity names, but literals, like 'X'.
TQString leftOvers = toSearchIterator.data();
TQMap<TQString,TQString>::ConstIterator entityNameIterator;
// How many times was entityName referenced by toSearch?
for (entityNameIterator = d->entities.begin(); entityNameIterator != d->entities.end(); ++entityNameIterator) {
TQString entityName = entityNameIterator.key();
for (int i = 0; i >= 0 && (uint) i < leftOvers.length(); ) {
i = leftOvers.find(TQString::fromLatin1("&%1;").arg(entityName), i);
if (i != -1) {
leftOvers.remove(i, entityName.length() + 2U);
// The entityName we're currently trying to find was matched in this string; increase our count.
++referencesToOtherEntities[toSearch][entityName];
}
}
}
literalEntitySizes[toSearch] = leftOvers.length();
}
TQMap<TQString, TQMap<TQString, uint> >::ConstIterator entityIterator;
for (entityIterator = referencesToOtherEntities.begin(); entityIterator != referencesToOtherEntities.end(); ++entityIterator) {
TQString entity = entityIterator.key();
expandedSizes[entity] = literalEntitySizes[entity];
TQMap<TQString, uint>::ConstIterator referenceToIterator;
for (referenceToIterator = entityIterator.data().begin(); referenceToIterator != entityIterator.data().end(); ++referenceToIterator) {
TQString referenceTo = referenceToIterator.key();
const uint references = referenceToIterator.data();
// The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size.
expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references;
}
if (expandedSizes[entity] > entityCharacterLimit) {
if (errorMessage) {
*errorMessage = TQString::fromLatin1("The XML entity \"%1\" expands to a string that is too large to process (%2 characters > %3).");
*errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit);
}
return TRUE;
}
}
return FALSE;
}
/* /*
Parse a EntityDecl [70]. Parse a EntityDecl [70].
@ -6222,6 +6279,12 @@ bool TQXmlSimpleReader::parseEntityDecl()
switch ( state ) { switch ( state ) {
case EValue: case EValue:
if ( !entityExist( name() ) ) { if ( !entityExist( name() ) ) {
TQString errorMessage;
if (isExpandedEntityValueTooLarge(&errorMessage)) {
reportParseError(errorMessage);
return FALSE;
}
d->entities.insert( name(), string() ); d->entities.insert( name(), string() );
if ( declHnd ) { if ( declHnd ) {
if ( !declHnd->internalEntityDecl( name(), string() ) ) { if ( !declHnd->internalEntityDecl( name(), string() ) ) {

Write Preview
Loading…
Cancel
Save