Skip to content

Commit

Permalink
QXmlStreamReader: make fastScanName() indicate parsing status to callers
Browse files Browse the repository at this point in the history 
This fixes a crash while parsing an XML file with garbage data, the file
starts with '<' then garbage data:
- The loop in the parse() keeps iterating until it hits "case 262:",
  which calls fastScanName()
- fastScanName() iterates over the text buffer scanning for the
  attribute name (e.g. "xml:lang"), until it finds ':'
- Consider a Value val, fastScanName() is called on it, it would set
  val.prefix to a number > val.len, then it would hit the 4096 condition
  and return (returned 0, now it returns the equivalent of
  std::null_opt), which means that val.len doesn't get modified, making
  it smaller than val.prefix
- The code would try constructing an XmlStringRef with negative length,
  which would hit an assert in one of QStringView's constructors

Add an assert to the XmlStringRef constructor.

Add unittest based on the file from the bug report.

Later on I will replace FastScanNameResult with std::optional<qsizetype>
(std::optional is C++17, which isn't required by Qt 5.15, and we want to
backport this fix).

Credit to OSS-Fuzz.

Fixes: QTBUG-109781
Fixes: QTBUG-114829
Pick-to: 6.6 6.5 6.2 5.15
Change-Id: I455a5eeb47870c2ac9ffd0cbcdcd99c1ae2dd374
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
  • Loading branch information
@ahmadsamir
ahmadsamir committed Jun 27, 2023
1 parent 1a423ce commit 6326bec
Show file tree
Hide file tree
Showing 5 changed files with 88 additions and 12 deletions.
23 changes: 17 additions & 6 deletions src/corelib/serialization/qxmlstream.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1296,15 +1296,18 @@ inline qsizetype QXmlStreamReaderPrivate::fastScanContentCharList()
return n;
}

inline qsizetype QXmlStreamReaderPrivate::fastScanName(Value *val)
// Fast scan an XML attribute name (e.g. "xml:lang").
inline QXmlStreamReaderPrivate::FastScanNameResult
QXmlStreamReaderPrivate::fastScanName(Value *val)
{
qsizetype n = 0;
uint c;
while ((c = getChar()) != StreamEOF) {
if (n >= 4096) {
// This is too long to be a sensible name, and
// can exhaust memory, or the range of decltype(*prefix)
return 0;
raiseNamePrefixTooLongError();
return {};
}
switch (c) {
case '\n':
Expand Down Expand Up @@ -1338,18 +1341,18 @@ inline qsizetype QXmlStreamReaderPrivate::fastScanName(Value *val)
putChar(':');
--n;
}
return n;
return FastScanNameResult(n);
case ':':
if (val) {
if (val->prefix == 0) {
val->prefix = qint16(n + 2);
} else { // only one colon allowed according to the namespace spec.
putChar(c);
return n;
return FastScanNameResult(n);
}
} else {
putChar(c);
return n;
return FastScanNameResult(n);
}
Q_FALLTHROUGH();
default:
Expand All @@ -1363,7 +1366,7 @@ inline qsizetype QXmlStreamReaderPrivate::fastScanName(Value *val)
qsizetype pos = textBuffer.size() - n;
putString(textBuffer, pos);
textBuffer.resize(pos);
return 0;
return FastScanNameResult(0);
}

enum NameChar { NameBeginning, NameNotBeginning, NotName };
Expand Down Expand Up @@ -1841,6 +1844,14 @@ void QXmlStreamReaderPrivate::raiseWellFormedError(const QString &message)
raiseError(QXmlStreamReader::NotWellFormedError, message);
}

void QXmlStreamReaderPrivate::raiseNamePrefixTooLongError()
{
// TODO: add a ImplementationLimitsExceededError and use it instead
raiseError(QXmlStreamReader::NotWellFormedError,
QXmlStream::tr("Length of XML attribute name exceeds implemnetation limits (4KiB "
"characters)."));
}

void QXmlStreamReaderPrivate::parseError()
{

Expand Down
12 changes: 10 additions & 2 deletions src/corelib/serialization/qxmlstream.g
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1420,7 +1420,11 @@ qname ::= LETTER;
/.
case $rule_number: {
Value &val = sym(1);
val.len += fastScanName(&val);
if (auto res = fastScanName(&val))
val.len += *res;
else
return false;

if (atEnd) {
resume($rule_number);
return false;
Expand All @@ -1431,7 +1435,11 @@ qname ::= LETTER;
name ::= LETTER;
/.
case $rule_number:
sym(1).len += fastScanName();
if (auto res = fastScanName())
sym(1).len += *res;
else
return false;

if (atEnd) {
resume($rule_number);
return false;
Expand Down
14 changes: 12 additions & 2 deletions src/corelib/serialization/qxmlstream_p.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ class XmlStringRef

constexpr XmlStringRef() = default;
constexpr inline XmlStringRef(const QString *string, qsizetype pos, qsizetype length)
: m_string(string), m_pos(pos), m_size(length)
: m_string(string), m_pos(pos), m_size((Q_ASSERT(length >= 0), length))
{
}
XmlStringRef(const QString *string)
Expand Down Expand Up @@ -498,7 +498,16 @@ class QXmlStreamReaderPrivate : public QXmlStreamGrammar, public QXmlStreamPriva
qsizetype fastScanLiteralContent();
qsizetype fastScanSpace();
qsizetype fastScanContentCharList();
qsizetype fastScanName(Value *val = nullptr);

struct FastScanNameResult {
FastScanNameResult() : ok(false) {}
explicit FastScanNameResult(qsizetype len) : addToLen(len), ok(true) { }
operator bool() { return ok; }
qsizetype operator*() { Q_ASSERT(ok); return addToLen; }
qsizetype addToLen;
bool ok;
};
FastScanNameResult fastScanName(Value *val = nullptr);
inline qsizetype fastScanNMTOKEN();


Expand All @@ -507,6 +516,7 @@ class QXmlStreamReaderPrivate : public QXmlStreamGrammar, public QXmlStreamPriva

void raiseError(QXmlStreamReader::Error error, const QString& message = QString());
void raiseWellFormedError(const QString &message);
void raiseNamePrefixTooLongError();

QXmlStreamEntityResolver *entityResolver;

Expand Down
12 changes: 10 additions & 2 deletions src/corelib/serialization/qxmlstreamparser_p.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -948,15 +948,23 @@ bool QXmlStreamReaderPrivate::parse()

case 262: {
Value &val = sym(1);
val.len += fastScanName(&val);
if (auto res = fastScanName(&val))
val.len += *res;
else
return false;

if (atEnd) {
resume(262);
return false;
}
} break;

case 263:
sym(1).len += fastScanName();
if (auto res = fastScanName())
sym(1).len += *res;
else
return false;

if (atEnd) {
resume(263);
return false;
Expand Down
39 changes: 39 additions & 0 deletions tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -586,6 +586,8 @@ private slots:
void readBack() const;
void roundTrip() const;
void roundTrip_data() const;
void test_fastScanName_data() const;
void test_fastScanName() const;

void entityExpansionLimit() const;

Expand Down Expand Up @@ -1828,5 +1830,42 @@ void tst_QXmlStream::roundTrip() const
QCOMPARE(out, in);
}

void tst_QXmlStream::test_fastScanName_data() const
{
QTest::addColumn<QByteArray>("data");
QTest::addColumn<QXmlStreamReader::Error>("errorType");

// 4096 is the limit in QXmlStreamReaderPrivate::fastScanName()

QByteArray arr = "<a"_ba + ":" + QByteArray("b").repeated(4096 - 1);
QTest::newRow("data1") << arr << QXmlStreamReader::PrematureEndOfDocumentError;

arr = "<a"_ba + ":" + QByteArray("b").repeated(4096);
QTest::newRow("data2") << arr << QXmlStreamReader::NotWellFormedError;

arr = "<"_ba + QByteArray("a").repeated(4000) + ":" + QByteArray("b").repeated(96);
QTest::newRow("data3") << arr << QXmlStreamReader::PrematureEndOfDocumentError;

arr = "<"_ba + QByteArray("a").repeated(4000) + ":" + QByteArray("b").repeated(96 + 1);
QTest::newRow("data4") << arr << QXmlStreamReader::NotWellFormedError;

arr = "<"_ba + QByteArray("a").repeated(4000 + 1) + ":" + QByteArray("b").repeated(96);
QTest::newRow("data5") << arr << QXmlStreamReader::NotWellFormedError;
}

void tst_QXmlStream::test_fastScanName() const
{
QFETCH(QByteArray, data);
QFETCH(QXmlStreamReader::Error, errorType);

QXmlStreamReader reader(data);
QXmlStreamReader::TokenType tokenType;
while (!reader.atEnd())
tokenType = reader.readNext();

QCOMPARE(tokenType, QXmlStreamReader::Invalid);
QCOMPARE(reader.error(), errorType);
}

#include "tst_qxmlstream.moc"
// vim: et:ts=4:sw=4:sts=4

0 comments on commit 6326bec

Please sign in to comment.