From 6ebef2eb9a6a3630f9142fb040c3f87ba8eeac8e Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Fri, 1 May 2020 10:35:02 +0200
Subject: [PATCH 1/5] Fix 32bit integer overflow in ICC parsing
Change-Id: I98c413374374a6143733860aa9bab1a957cd3b2d
Reviewed-by: Thiago Macieira
Reviewed-by: Marc Mutz
---
 src/gui/painting/qicc.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/gui/painting/qicc.cpp b/src/gui/painting/qicc.cpp
index 2b5cd58fb18..b7c8e8f824d 100644
--- a/src/gui/painting/qicc.cpp
+++ b/src/gui/painting/qicc.cpp
@@ -225,7 +225,7 @@ static bool isValidIccProfile(const ICCProfileHeader &header)
 }
 // Don't overflow 32bit integers:
- if (header.tagCount >= INT32_MAX / sizeof(TagTableEntry)) {
+ if (header.tagCount >= (INT32_MAX - sizeof(ICCProfileHeader)) / sizeof(TagTableEntry)) {
 qCWarning(lcIcc, "Failed tag count sanity");
 return false;
 }
@@ -629,6 +629,7 @@ bool fromIccProfile(const QByteArray &data, QColorSpace *colorSpace)
 // Read tag index
 const TagTableEntry *tagTable = (const TagTableEntry *)(data.constData() + sizeof(ICCProfileHeader));
 const qsizetype offsetToData = sizeof(ICCProfileHeader) + header->tagCount * sizeof(TagTableEntry);
+ Q_ASSERT(offsetToData > 0);
 if (offsetToData > data.size()) {
 qCWarning(lcIcc) << "fromIccProfile: failed index size sanity";
 return false;
From 66908badaca7bd258c00103bc388f0ce3bcf7322 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A5rten=20Nordheim?=
Date: Tue, 5 May 2020 10:07:29 +0200
Subject: [PATCH 2/5] Add more deprecation notices to QtNetwork release notes
And move the ones that was already there under the QtNetwork point.
Change-Id: I4f9641f78c624b1846699292e053ee148178df4a
Reviewed-by: Edward Welbourne
Reviewed-by: Timur Pocheptsov
---
 dist/changes-5.15.0 | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/dist/changes-5.15.0 b/dist/changes-5.15.0
index f8e23303115..c42ff4b84de 100644
--- a/dist/changes-5.15.0
+++ b/dist/changes-5.15.0
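Review bot: The tightened bound `(INT32_MAX - sizeof(ICCProfileHeader)) / sizeof(TagTableEntry)` in isValidIccProfile exists only to keep the `offsetToData` sum in fromIccProfile (the second hunk, about 400 lines later) below INT32_MAX, yet neither site says so, and a later edit to either formula can silently reintroduce the 32-bit overflow. Suggest a comment on the changed line: `// Keep in sync with offsetToData in fromIccProfile(): header + tagCount * entry must fit in 32 bits`. The subtraction `INT32_MAX - sizeof(ICCProfileHeader)` is evaluated in size_t because sizeof is unsigned; that is safe here since the header is far smaller than INT32_MAX, but `static_assert(sizeof(ICCProfileHeader) < INT32_MAX, "header larger than the tag-count bound allows")` would turn that reading into a checked fact. isValidIccProfile's body continues outside the hunk.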
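Review bot: `Q_ASSERT(offsetToData > 0)` compiles to nothing in release builds, so it documents an invariant rather than checking the untrusted profile; that is only sound if the tagCount bound in isValidIccProfile has already been applied to this header, which the hunk does not show (presumably it has, since the header was parsed before the tag table is read). A short comment would make that dependency visible to the next reader: `Q_ASSERT(offsetToData > 0); // cannot overflow: isValidIccProfile() bounds tagCount`. The enclosing fromIccProfile body continues on both sides of the hunk.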
@@ -46,23 +46,21 @@ information about a particular change.
 - QtNetwork:
 * QNetworkConfigurationManager, QNetworkConfiguration and QNetworkSession are deprecated, to be removed in Qt 6.
+ * QNetworkAccessManager::activeConfiguration, configuration and
+ setConfiguration are deprecated, to be removed in Qt 6.
+ * QNetworkAccessManager::networkAccessible, setNetworkAccessible and
+ the NetworkAccessibility enum are deprecated, to be removed in Qt 6.
+ * QLocalSocket::error() (the signal) is deprecated; superseded by
+ errorOccurred()
+ * QAbstractSocket::error() (the signal) is deprecated; superseded by
+ errorOccurred()
+ * QNetworkReply::error() (the signal) is deprecated; superseded by
+ errorOccurred()
+ * [QTBUG-80369] QSslSocket::sslErrors() (the getter) was deprecated and
+ superseded by sslHandshakeErrors()
- - [REVERTED] [QTBUG-80369] QAbstractSocket::error() (the getter) is
- deprecated; superseded by socketError().
- - [REVERTED] [QTBUG-80369] QLocalSocket::error() (the getter) is
- deprecated; superseded by socketError().
- - [QTBUG-80369] QSslSocket::sslErrors() (the getter) was deprecated and
- superseded by sslHandshakeErrors()
- - [REVERTED] [QTBUG-80369] QNetworkReply::error() (the getter) was
- deprecated; superseded by networkError().
 - [QTBUG-81630][QTBUG-80312] QLinkedList is deprecated and will be moved to Qt5Compat in Qt 6. It is recommended to use std::list instead.
- - QLocalSocket::error() (the signal) is deprecated; superseded by
- errorOccurred()
- - QAbstractSocket::error() (the signal) is deprecated; superseded by
- errorOccurred()
- - QNetworkReply::error() (the signal) is deprecated; superseded by
- errorOccurred()
 See also the various sections below, which include many more deprecations.
From 798492ccee75a841dfec0e669a409515f3462350 Mon Sep 17 00:00:00 2001
From: Thiago Macieira
Date: Tue, 5 May 2020 11:59:52 -0700
Subject: [PATCH 3/5] QCborValue: catch overflow in QByteArray when decoding chunked strings
We checked against integer overflow, but not against overflowing the QByteArray size limit. That caused a std::bad_alloc to be thrown, which is bad when decoding unknown data. QCborStreamReader wasn't affected, since it doesn't merge chunks.
Change-Id: I99ab0f318b1c43b89888fffd160c36f495fada87
Reviewed-by: Volker Hilsheimer
---
 src/corelib/serialization/qcborvalue.cpp | 2 +-
 .../serialization/cborlargedatavalidation.cpp | 20 +++++++++++++++----
 .../qcborvalue/tst_qcborvalue.cpp | 15 +++++++++++++-
 3 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/src/corelib/serialization/qcborvalue.cpp b/src/corelib/serialization/qcborvalue.cpp
index 3bca15d5625..89a928d3480 100644
--- a/src/corelib/serialization/qcborvalue.cpp
+++ b/src/corelib/serialization/qcborvalue.cpp
@@ -1636,7 +1636,7 @@ void QCborContainerPrivate::decodeStringFromCbor(QCborStreamReader &reader)
 if (len == rawlen) {
 auto oldSize = data.size();
 auto newSize = oldSize;
- if (!add_overflow(newSize, len, &newSize)) {
+ if (!add_overflow(newSize, len, &newSize) && newSize < MaxByteArraySize) {
 if (newSize != oldSize) data.resize(newSize);
diff --git a/tests/auto/corelib/serialization/cborlargedatavalidation.cpp b/tests/auto/corelib/serialization/cborlargedatavalidation.cpp
index 9abfe0f575c..f3b68939579 100644
--- a/tests/auto/corelib/serialization/cborlargedatavalidation.cpp
+++ b/tests/auto/corelib/serialization/cborlargedatavalidation.cpp
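Review bot: The new guard rejects merged totals with `newSize < MaxByteArraySize`, while the tst_qcborvalue.cpp hunk in this same patch lowers its invalid threshold to `MaxByteArraySize + 1 - sizeof(QByteArray::size_type)`; the hunk does not show which check rejects a total that falls inside that `sizeof(size_type)` window, and if none does, such a total still reaches `data.resize(newSize)`, which is the allocation failure the commit message sets out to avoid. Worth confirming the effective QByteArray limit against the test's constant and, either way, naming it on the changed line, e.g. `// reject before resize(): QByteArray cannot hold MaxByteArraySize bytes`. The else branch that reports the error and the rest of decodeStringFromCbor lie outside the hunk.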
@@ -81,19 +81,31 @@ qint64 LargeIODevice::readData(char *data, qint64 maxlen)
 void addValidationLargeData(qsizetype minInvalid, qsizetype maxInvalid)
 {
- char toolong[2 + sizeof(qsizetype)] = { char(0x81) };
+ char toolong[1 + sizeof(qsizetype)];
 for (qsizetype v = maxInvalid; v >= minInvalid; --v) {
 // 0x5a for 32-bit, 0x5b for 64-bit
- toolong[1] = sizeof(v) > 4 ? 0x5b : 0x5a;
- qToBigEndian(v, toolong + 2);
+ toolong[0] = sizeof(v) > 4 ? 0x5b : 0x5a;
+ qToBigEndian(v, toolong + 1);
 QTest::addRow("bytearray-too-big-for-qbytearray-%llx", v) << QByteArray(toolong, sizeof(toolong)) << 0 << CborErrorDataTooLarge;
- toolong[1] |= 0x20;
+ QTest::addRow("bytearray-chunked-too-big-for-qbytearray-%llx", v)
+ << ('\x5f' + QByteArray(toolong, sizeof(toolong)) + '\xff')
+ << 0 << CborErrorDataTooLarge;
+ QTest::addRow("bytearray-2chunked-too-big-for-qbytearray-%llx", v)
+ << ("\x5f\x40" + QByteArray(toolong, sizeof(toolong)) + '\xff')
+ << 0 << CborErrorDataTooLarge;
+ toolong[0] |= 0x20;
 // QCborStreamReader::readString copies to a QByteArray first
 QTest::addRow("string-too-big-for-qbytearray-%llx", v) << QByteArray(toolong, sizeof(toolong)) << 0 << CborErrorDataTooLarge;
+ QTest::addRow("string-chunked-too-big-for-qbytearray-%llx", v)
+ << ('\x7f' + QByteArray(toolong, sizeof(toolong)) + '\xff')
+ << 0 << CborErrorDataTooLarge;
+ QTest::addRow("string-2chunked-too-big-for-qbytearray-%llx", v)
+ << ("\x7f\x60" + QByteArray(toolong, sizeof(toolong)) + '\xff')
+ << 0 << CborErrorDataTooLarge;
 }
 }
diff --git a/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp b/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp
index 9c1341e252d..1379cc348da 100644
--- a/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp
+++ b/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp
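Review bot: `char toolong[1 + sizeof(qsizetype)];` replaces an initialized array with an uninitialized one; every byte is written before use (`toolong[0]` plus the `qToBigEndian` store into `toolong + 1`), so the rows are correct, but the reliance is implicit and any future row that reads the buffer before the loop body fills it would read indeterminate bytes. `char toolong[1 + sizeof(qsizetype)] = {};` keeps the old zero-initialization at no cost. A one-line comment above the new chunked rows, `// indefinite-length (0x5f/0x7f) containers whose single chunk is itself too large, with and without a leading empty chunk`, would also spare readers from decoding the `\x5f\x40` / `\x7f\x60` prefixes by hand.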
@@ -1926,11 +1926,24 @@ void tst_QCborValue::validation_data()
 // Add QCborStreamReader-specific limitations due to use of QByteArray and
 // QString, which are allocated by QArrayData::allocate().
 const qsizetype MaxInvalid = std::numeric_limits::max();
- const qsizetype MinInvalid = MaxByteArraySize + 1;
+ const qsizetype MinInvalid = MaxByteArraySize + 1 - sizeof(QByteArray::size_type);
 addValidationColumns();
 addValidationData(MinInvalid);
 addValidationLargeData(MinInvalid, MaxInvalid);
+ // Chunked strings whose total overflows the limit, but each individual
+ // chunk doesn't. 0x5a for 32-bit, 0x5b for 64-bit.
+ char toolong[1 + sizeof(qsizetype)];
+ toolong[0] = sizeof(MinInvalid) > 4 ? 0x5b : 0x5a;
+ qToBigEndian(MinInvalid - 1, toolong + 1);
+ QTest::addRow("bytearray-2chunked+1-too-big-for-qbytearray-%llx", MinInvalid)
+ << ("\x5f\x41z" + QByteArray(toolong, sizeof(toolong)) + '\xff')
+ << 0 << CborErrorDataTooLarge;
+ toolong[0] |= 0x20;
+ QTest::addRow("string-2chunked+1-too-big-for-qbytearray-%llx", MinInvalid)
+ << ("\x7f\x61z" + QByteArray(toolong, sizeof(toolong)) + '\xff')
+ << 0 << CborErrorDataTooLarge;
+ // These tests say we have arrays and maps with very large item counts.
 // They are meant to ensure we don't pre-allocate a lot of memory
 // unnecessarily and possibly crash the application. The actual number of
From a8b373d678f44a9d7006a412cabc75e7586b2c43 Mon Sep 17 00:00:00 2001
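Review bot: `MaxByteArraySize + 1 - sizeof(QByteArray::size_type)` mixes the signed qsizetype with the unsigned result of sizeof, so the subtraction is carried out in size_t and converted back on initialization; the value is representable so it works, but `qsizetype(sizeof(QByteArray::size_type))` would keep the arithmetic signed and avoid a sign-conversion warning on stricter builds. The comment above the new rows explains the "each chunk fits, the total does not" idea but not why the threshold itself moved by `sizeof(size_type)`; one sentence stating the effective QByteArray limit being exercised would let a maintainer judge whether the constant still matches the implementation's check. The two rows share a one-byte first chunk (`\x41z` / `\x61z`); a comment `// one-byte chunk "z" followed by a chunk of MinInvalid - 1 bytes` would make the construction self-explanatory. validation_data continues outside the hunk.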
From: Fredrik Orderud
Date: Tue, 5 May 2020 13:59:27 +0200
Subject: [PATCH 4/5] qstandardpaths_win.cpp: Fix GetCurrentProcessToken() for Win7
The GetCurrentProcessToken() was made an inline function for Windows 8. Expand it to ensure builds work independent of WINVER and disable low integrity support for Windows 7.
Fixes: QTBUG-83941
Task-number: QTBUG-83453
Change-Id: Ic989f16621cd80cbc70c6b62779afab8a12714df
Reviewed-by: Fredrik Orderud
Reviewed-by: Volker Hilsheimer
Reviewed-by: Thiago Macieira
---
 src/corelib/io/qstandardpaths_win.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/corelib/io/qstandardpaths_win.cpp b/src/corelib/io/qstandardpaths_win.cpp
index 5055f4020ca..cbe4ccd0b23 100644
--- a/src/corelib/io/qstandardpaths_win.cpp
+++ b/src/corelib/io/qstandardpaths_win.cpp
@@ -47,6 +47,7 @@
 #include
 #endif
+#include
 #include
 #include
 #include
@@ -99,7 +100,11 @@ static bool isProcessLowIntegrity()
 {
 // Disable function until Qt CI is updated
 return false;
 #else
- HANDLE process_token = GetCurrentProcessToken(); // non-leaking pseudo-handle
+ if (QOperatingSystemVersion::current() < QOperatingSystemVersion::Windows8)
+ return false;
+ // non-leaking pseudo-handle. Expanded inline function GetCurrentProcessToken()
+ // (was made an inline function in Windows 8).
+ const auto process_token = HANDLE(quintptr(-4));
 QVarLengthArray token_info_buf(256);
 auto* token_info = reinterpret_cast(token_info_buf.data());
From ba3b53cb501a77144aa6259e48a8e0edc3d1481d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tor=20Arne=20Vestb=C3=B8?=
Date: Mon, 11 May 2020 10:15:08 +0200
Subject: [PATCH 5/5] Fix scanned resources in static builds
Fixes: QTBUG-81621
Change-Id: Ica23e99054c7b2498bdb1e256c256c8b430938b4
Reviewed-by: Oliver Wolff
---
 mkspecs/features/qt.prf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mkspecs/features/qt.prf b/mkspecs/features/qt.prf
index 6fe0059bf73..99b7fe6562c 100644
--- a/mkspecs/features/qt.prf
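Review bot: The early `return false` before Windows 8 makes isProcessLowIntegrity() report "not low integrity" for every process on Windows 7, including genuinely low-integrity ones, so callers that use it to choose writable locations get a false negative there; the commit message presents this as a deliberate trade-off, but the code should say so, e.g. `// Windows 7: no pseudo-token handle, so low-integrity processes are reported as normal here`. The pseudo-handle is spelled as the bare magic `HANDLE(quintptr(-4))`; a named constant such as `const auto kCurrentProcessToken = HANDLE(quintptr(-4)); // value of the Windows 8 inline GetCurrentProcessToken()` keeps that ABI fact in one greppable place. If Windows 7 support matters, the token could instead be obtained there with OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, ...) and closed after the query, which works on all versions. The rest of isProcessLowIntegrity and the `#if` that selects this branch are outside the hunk.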
+++ b/mkspecs/features/qt.prf
@@ -293,7 +293,7 @@ contains(all_qt_module_deps, qml): \
 !isEmpty(SCANNERRESOURCES) {
 IMPORTPATHS += -qrcFiles
- for (RESOURCE, SCANNERRESOURCES)
+ for (RESOURCE, SCANNERRESOURCES): \
 IMPORTPATHS += $$absolute_path($$system_quote($$RESOURCE), $$_PRO_FILE_PWD_)
 }