Fix security issue CVE-2013-4549

[taken from RedHat Qt3 patches] (cherry picked from commit 73584365f8600414fc5a114ec2f2d6750a7f77cc)
author: Slávek Banko <slavek.banko@axis.cz> 2015-03-09 22:30:38 +0100
committer: Slávek Banko <slavek.banko@axis.cz> 2015-03-09 22:38:56 +0100
commit: 2383ee57b0ca9f342f34cf46f57eb3a407ed79ab (patch)
tree: 46a48d7248f4e73acde6a2e6fe8d6164a4601bfb
parent: cdabaf42b0dff3d4bc62572bf12e324eb11fec0b (diff)
download: qt3-2383ee57b0ca9f342f34cf46f57eb3a407ed79ab.tar.gz
qt3-2383ee57b0ca9f342f34cf46f57eb3a407ed79ab.zip
2 files changed, 70 insertions, 0 deletions
diff --git a/src/xml/qxml.cpp b/src/xml/qxml.cpp
index 010389b..c786623 100644
--- a/src/xml/qxml.cpp
+++ b/src/xml/qxml.cpp
@@ -4529,6 +4529,11 @@ bool QXmlSimpleReader::parseDoctype()
 		}
 		break;
 	    case Mup:
+		if (dtdRecursionLimit > 0U && d->parameterEntities.size() > dtdRecursionLimit) {
+		    reportParseError(QString::fromLatin1(
+		        "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit));
+		    return FALSE;
+		}
 		if ( !parseMarkupdecl() ) {
 		    parseFailed( &QXmlSimpleReader::parseDoctype, state );
 		    return FALSE;
@@ -6128,6 +6133,58 @@ bool QXmlSimpleReader::parseChoiceSeq()
     }
 }
 
+bool QXmlSimpleReader::isExpandedEntityValueTooLarge(QString *errorMessage)
+{
+    QMap<QString, uint> literalEntitySizes;
+    // The entity at (QMap<QString,) referenced the entities at (QMap<QString,) (uint>) times.
+    QMap<QString, QMap<QString, uint> > referencesToOtherEntities;
+    QMap<QString, uint> expandedSizes;
+
+    // For every entity, check how many times all entity names were referenced in its value.
+    QMap<QString,QString>::ConstIterator toSearchIterator;
+    for (toSearchIterator = d->entities.begin(); toSearchIterator != d->entities.end(); ++toSearchIterator) {
+        QString toSearch = toSearchIterator.key();
+        // The amount of characters that weren't entity names, but literals, like 'X'.
+        QString leftOvers = toSearchIterator.data();
+        QMap<QString,QString>::ConstIterator entityNameIterator;
+        // How many times was entityName referenced by toSearch?
+        for (entityNameIterator = d->entities.begin(); entityNameIterator != d->entities.end(); ++entityNameIterator) {
+            QString entityName = entityNameIterator.key();
+            for (int i = 0; i >= 0 && (uint) i < leftOvers.length(); ) {
+                i = leftOvers.find(QString::fromLatin1("&%1;").arg(entityName), i);
+                if (i != -1) {
+                    leftOvers.remove(i, entityName.length() + 2U);
+                    // The entityName we're currently trying to find was matched in this string; increase our count.
+                    ++referencesToOtherEntities[toSearch][entityName];
+                }
+            }
+        }
+        literalEntitySizes[toSearch] = leftOvers.length();
+    }
+
+    QMap<QString, QMap<QString, uint> >::ConstIterator entityIterator;
+    for (entityIterator = referencesToOtherEntities.begin(); entityIterator != referencesToOtherEntities.end(); ++entityIterator) {
+        QString entity = entityIterator.key();
+        expandedSizes[entity] = literalEntitySizes[entity];
+        QMap<QString, uint>::ConstIterator referenceToIterator;
+        for (referenceToIterator = entityIterator.data().begin(); referenceToIterator != entityIterator.data().end(); ++referenceToIterator) {
+            QString referenceTo = referenceToIterator.key();
+            const uint references = referenceToIterator.data();
+            // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size.
+            expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references;
+        }
+
+        if (expandedSizes[entity] > entityCharacterLimit) {
+            if (errorMessage) {
+                *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands to a string that is too large to process (%2 characters > %3).");
+                *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit);
+            }
+            return TRUE;
+        }
+    }
+    return FALSE;
+}
+
 /*
   Parse a EntityDecl [70].
 
@@ -6222,6 +6279,12 @@ bool QXmlSimpleReader::parseEntityDecl()
 	switch ( state ) {
 	    case EValue:
 		if (  !entityExist( name() ) ) {
+		    QString errorMessage;
+		    if (isExpandedEntityValueTooLarge(&errorMessage)) {
+		        reportParseError(errorMessage);
+		        return FALSE;
+		    }
+
 		    d->entities.insert( name(), string() );
 		    if ( declHnd ) {
 			if ( !declHnd->internalEntityDecl( name(), string() ) ) {
diff --git a/src/xml/qxml.h b/src/xml/qxml.h
index 11fbbdb..6d0bee8 100644
--- a/src/xml/qxml.h
+++ b/src/xml/qxml.h
@@ -307,6 +307,12 @@ private:
 
     QXmlSimpleReaderPrivate* d;
 
+    // The limit to the amount of times the DTD parsing functions can be called
+    // for the DTD currently being parsed.
+    static const uint dtdRecursionLimit = 2U;
+    // The maximum amount of characters an entity value may contain, after expansion.
+    static const uint entityCharacterLimit = 65536U;
+
     const QString &string();
     void stringClear();
     inline void stringAddC() { stringAddC(c); }
@@ -378,6 +384,7 @@ private:
     void unexpectedEof( ParseFunction where, int state );
     void parseFailed( ParseFunction where, int state );
     void pushParseState( ParseFunction function, int state );
+    bool isExpandedEntityValueTooLarge(QString *errorMessage);
 
     void setUndefEntityInAttrHack(bool b);
author	Slávek Banko <slavek.banko@axis.cz>	2015-03-09 22:30:38 +0100
committer	Slávek Banko <slavek.banko@axis.cz>	2015-03-09 22:38:56 +0100
commit	2383ee57b0ca9f342f34cf46f57eb3a407ed79ab (patch)
tree	46a48d7248f4e73acde6a2e6fe8d6164a4601bfb
parent	cdabaf42b0dff3d4bc62572bf12e324eb11fec0b (diff)
download	qt3-2383ee57b0ca9f342f34cf46f57eb3a407ed79ab.tar.gz qt3-2383ee57b0ca9f342f34cf46f57eb3a407ed79ab.zip