1berry/qtbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

q_getTimeFromASN1: fix invalid access

Browse Source 
No sanitizer is needed, just looking at the code is enough.
It was wrong.

Change-Id: I9df417c137d6b3361c3161865e099a8be40860de
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
(cherry picked from commit ad68ecf1d967f8e60c19c28a2bc23daf15389076)
This commit is contained in:
Timur Pocheptsov 2020-03-18 19:54:33 +01:00
parent 2c6524167e
commit 02f8657ca2
1 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/network/ssl/qsslsocket_openssl_symbols.cpp
View File

@ -1421,6 +1421,9 @@ QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime)
{
size_t lTimeLength = aTime->length;
char *pString = (char *) aTime->data;
auto isValidPointer = [pString, lTimeLength](const char *const probe){
return size_t(probe - pString) < lTimeLength;
};
if (aTime->type == V_ASN1_UTCTIME) {
@ -1439,12 +1442,21 @@ QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime)
*pBuffer++ = '0';
} else {
*pBuffer++ = *pString++;
if (!isValidPointer(pString)) // Nah.
return {};
*pBuffer++ = *pString++;
if (!isValidPointer(pString)) // Nah.
return {};
// Skip any fractional seconds...
if (*pString == '.') {
pString++;
while ((*pString >= '0') && (*pString <= '9'))
if (!isValidPointer(pString)) // Oh no, cannot dereference (see below).
return {};
while ((*pString >= '0') && (*pString <= '9')) {
pString++;
if (!isValidPointer(pString)) // No and no.
return {};
}
}
}
@ -1458,6 +1470,10 @@ QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime)
if ((*pString != '+') && (*pString != '-'))
return QDateTime();
if (!isValidPointer(pString + 4)) {
// What kind of input parameters we were provided with? To hell with them!
return {};
}
lSecondsFromUCT = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60;
lSecondsFromUCT += (pString[3] - '0') * 10 + (pString[4] - '0');
lSecondsFromUCT *= 60;