1berry/qtbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add some minimal size checking for dynamically loaded resources

Browse Source 
This covers the case in the bug report, but not much more.

Task-number: QTBUG-21254
Change-Id: Ie191a39ceddd7e58a0d8baf7d01f2a08c70162e5
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
This commit is contained in:
hjk 2014-09-15 13:28:58 +02:00
parent b4da15a5ef
commit f14470fa00
1 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/corelib/io/qresource.cpp
View File

@ -884,7 +884,13 @@ public:
virtual QString mappingRoot() const { return root; } virtual QString mappingRoot() const { return root; }
virtual ResourceRootType type() const { return Resource_Buffer; } virtual ResourceRootType type() const { return Resource_Buffer; }
bool registerSelf(const uchar *b) { // size == -1 means "unknown"
bool registerSelf(const uchar *b, int size)
{
// 5 int "pointers"
if (size >= 0 && size < 20)
return false;
//setup the data now //setup the data now
int offset = 0; int offset = 0;
@ -911,6 +917,10 @@ public:
(b[offset+2] << 8) + (b[offset+3] << 0); (b[offset+2] << 8) + (b[offset+3] << 0);
offset += 4; offset += 4;
// Some sanity checking for sizes. This is _not_ a security measure.
if (size >= 0 && (tree_offset >= size || data_offset >= size || name_offset >= size))
return false;
if(version == 0x01) { if(version == 0x01) {
buffer = b; buffer = b;
setSource(b+tree_offset, b+name_offset, b+data_offset); setSource(b+tree_offset, b+name_offset, b+data_offset);
@ -1017,7 +1027,7 @@ public:
} }
fromMM = false; fromMM = false;
} }
if(data && QDynamicBufferResourceRoot::registerSelf(data)) { if (data && QDynamicBufferResourceRoot::registerSelf(data, data_len)) {
if(fromMM) { if(fromMM) {
unmapPointer = data; unmapPointer = data;
unmapLength = data_len; unmapLength = data_len;
@ -1132,7 +1142,7 @@ QResource::registerResource(const uchar *rccData, const QString &resourceRoot)
} }
QDynamicBufferResourceRoot *root = new QDynamicBufferResourceRoot(r); QDynamicBufferResourceRoot *root = new QDynamicBufferResourceRoot(r);
if(root->registerSelf(rccData)) { if (root->registerSelf(rccData, -1)) {
root->ref.ref(); root->ref.ref();
QMutexLocker lock(resourceMutex()); QMutexLocker lock(resourceMutex());
resourceList()->append(root); resourceList()->append(root);