diff options
Diffstat (limited to 'extra/qt4/CVE-2013-4549.patch')
-rw-r--r-- | extra/qt4/CVE-2013-4549.patch | 233 |
1 files changed, 233 insertions, 0 deletions
diff --git a/extra/qt4/CVE-2013-4549.patch b/extra/qt4/CVE-2013-4549.patch new file mode 100644 index 000000000..8084f4a41 --- /dev/null +++ b/extra/qt4/CVE-2013-4549.patch @@ -0,0 +1,233 @@ +From 512a1ce0698d370c313bb561bbf078935fa0342e Mon Sep 17 00:00:00 2001 +From: Mitch Curtis <mitch.curtis@digia.com> +Date: Thu, 7 Nov 2013 09:36:29 +0100 +Subject: [PATCH] Disallow deep or widely nested entity references. + +Nested references with a depth of 2 or greater will fail. References +that partially expand to greater than 1024 characters will also fail. + +This is a backport of 46a8885ae486e238a39efa5119c2714f328b08e4. + +Change-Id: I0c2e1fa13d6ccb5f88641dae2ed3f28bfdeaf609 +Reviewed-by: Richard J. Moore <rich@kde.org> +Reviewed-by: Lars Knoll <lars.knoll@digia.com> + +From cecceb0cdd87482124a73ecf537f3445d68be13e Mon Sep 17 00:00:00 2001 +From: Mitch Curtis <mitch.curtis@digia.com> +Date: Tue, 12 Nov 2013 13:44:56 +0100 +Subject: [PATCH] Fully expand entities to ensure deep or widely nested ones fail parsing + +With 512a1ce0698d370c313bb561bbf078935fa0342e, we failed when parsing +entities whose partially expanded size was greater than 1024 +characters. That was not enough, so now we fully expand all entities. + +This is a backport of f1053d94f59f053ce4acad9320df14f1fbe4faac. + +Change-Id: I41dd6f4525c63e82fd320a22d19248169627f7e0 +Reviewed-by: Richard J. Moore <rich@kde.org> + +diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp +index a1777c5..3904632 100644 +--- a/src/xml/sax/qxml.cpp ++++ b/src/xml/sax/qxml.cpp +@@ -424,6 +424,10 @@ private: + int stringValueLen; + QString emptyStr; + ++ // The limit to the amount of times the DTD parsing functions can be called ++ // for the DTD currently being parsed. ++ int dtdRecursionLimit; ++ + const QString &string(); + void stringClear(); + void stringAddC(QChar); +@@ -492,6 +496,7 @@ private: + void unexpectedEof(ParseFunction where, int state); + void parseFailed(ParseFunction where, int state); + void pushParseState(ParseFunction function, int state); ++ bool isPartiallyExpandedEntityValueTooLarge(QString *errorMessage); + + Q_DECLARE_PUBLIC(QXmlSimpleReader) + QXmlSimpleReader *q_ptr; +@@ -2759,6 +2764,7 @@ QXmlSimpleReaderPrivate::QXmlSimpleReaderPrivate(QXmlSimpleReader *reader) + useNamespacePrefixes = false; + reportWhitespaceCharData = true; + reportEntities = false; ++ dtdRecursionLimit = 2; + } + + QXmlSimpleReaderPrivate::~QXmlSimpleReaderPrivate() +@@ -5018,6 +5024,11 @@ bool QXmlSimpleReaderPrivate::parseDoctype() + } + break; + case Mup: ++ if (dtdRecursionLimit > 0 && parameterEntities.size() > dtdRecursionLimit) { ++ reportParseError(QString::fromLatin1( ++ "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit)); ++ return false; ++ } + if (!parseMarkupdecl()) { + parseFailed(&QXmlSimpleReaderPrivate::parseDoctype, state); + return false; +@@ -6627,6 +6638,37 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq() + return false; + } + ++bool QXmlSimpleReaderPrivate::isPartiallyExpandedEntityValueTooLarge(QString *errorMessage) ++{ ++ const QString value = string(); ++ QMap<QString, int> referencedEntityCounts; ++ foreach (QString entityName, entities.keys()) { ++ for (int i = 0; i < value.size() && i != -1; ) { ++ i = value.indexOf(entityName, i); ++ if (i != -1) { ++ // The entityName we're currently trying to find ++ // was matched in this string; increase our count. ++ ++referencedEntityCounts[entityName]; ++ i += entityName.size(); ++ } ++ } ++ } ++ ++ foreach (QString entityName, referencedEntityCounts.keys()) { ++ const int timesReferenced = referencedEntityCounts[entityName]; ++ const QString entityValue = entities[entityName]; ++ if (entityValue.size() * timesReferenced > 1024) { ++ if (errorMessage) { ++ *errorMessage = QString::fromLatin1("The XML entity \"%1\"" ++ "expands too a string that is too large to process when " ++ "referencing \"%2\" %3 times.").arg(entityName).arg(entityName).arg(timesReferenced); ++ } ++ return true; ++ } ++ } ++ return false; ++} ++ + /* + Parse a EntityDecl [70]. + +@@ -6721,6 +6763,15 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl() + switch (state) { + case EValue: + if ( !entityExist(name())) { ++ QString errorMessage; ++ if (isPartiallyExpandedEntityValueTooLarge(&errorMessage)) { ++ // The entity at entityName is entityValue.size() characters ++ // long in its unexpanded form, and was mentioned timesReferenced times, ++ // resulting in a string that would be greater than 1024 characters. ++ reportParseError(errorMessage); ++ return false; ++ } ++ + entities.insert(name(), string()); + if (declHnd) { + if (!declHnd->internalEntityDecl(name(), string())) { +diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp +index 3904632..befa801 100644 +--- a/src/xml/sax/qxml.cpp ++++ b/src/xml/sax/qxml.cpp +@@ -426,7 +426,9 @@ private: + + // The limit to the amount of times the DTD parsing functions can be called + // for the DTD currently being parsed. +- int dtdRecursionLimit; ++ static const int dtdRecursionLimit = 2; ++ // The maximum amount of characters an entity value may contain, after expansion. ++ static const int entityCharacterLimit = 1024; + + const QString &string(); + void stringClear(); +@@ -496,7 +498,7 @@ private: + void unexpectedEof(ParseFunction where, int state); + void parseFailed(ParseFunction where, int state); + void pushParseState(ParseFunction function, int state); +- bool isPartiallyExpandedEntityValueTooLarge(QString *errorMessage); ++ bool isExpandedEntityValueTooLarge(QString *errorMessage); + + Q_DECLARE_PUBLIC(QXmlSimpleReader) + QXmlSimpleReader *q_ptr; +@@ -2764,7 +2766,6 @@ QXmlSimpleReaderPrivate::QXmlSimpleReaderPrivate(QXmlSimpleReader *reader) + useNamespacePrefixes = false; + reportWhitespaceCharData = true; + reportEntities = false; +- dtdRecursionLimit = 2; + } + + QXmlSimpleReaderPrivate::~QXmlSimpleReaderPrivate() +@@ -6638,30 +6639,43 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq() + return false; + } + +-bool QXmlSimpleReaderPrivate::isPartiallyExpandedEntityValueTooLarge(QString *errorMessage) ++bool QXmlSimpleReaderPrivate::isExpandedEntityValueTooLarge(QString *errorMessage) + { +- const QString value = string(); +- QMap<QString, int> referencedEntityCounts; +- foreach (QString entityName, entities.keys()) { +- for (int i = 0; i < value.size() && i != -1; ) { +- i = value.indexOf(entityName, i); +- if (i != -1) { +- // The entityName we're currently trying to find +- // was matched in this string; increase our count. +- ++referencedEntityCounts[entityName]; +- i += entityName.size(); ++ QMap<QString, int> literalEntitySizes; ++ // The entity at (QMap<QString,) referenced the entities at (QMap<QString,) (int>) times. ++ QMap<QString, QMap<QString, int> > referencesToOtherEntities; ++ QMap<QString, int> expandedSizes; ++ ++ // For every entity, check how many times all entity names were referenced in its value. ++ foreach (QString toSearch, entities.keys()) { ++ // The amount of characters that weren't entity names, but literals, like 'X'. ++ QString leftOvers = entities.value(toSearch); ++ // How many times was entityName referenced by toSearch? ++ foreach (QString entityName, entities.keys()) { ++ for (int i = 0; i < leftOvers.size() && i != -1; ) { ++ i = leftOvers.indexOf(QString::fromLatin1("&%1;").arg(entityName), i); ++ if (i != -1) { ++ leftOvers.remove(i, entityName.size() + 2); ++ // The entityName we're currently trying to find was matched in this string; increase our count. ++ ++referencesToOtherEntities[toSearch][entityName]; ++ } + } + } ++ literalEntitySizes[toSearch] = leftOvers.size(); + } + +- foreach (QString entityName, referencedEntityCounts.keys()) { +- const int timesReferenced = referencedEntityCounts[entityName]; +- const QString entityValue = entities[entityName]; +- if (entityValue.size() * timesReferenced > 1024) { ++ foreach (QString entity, referencesToOtherEntities.keys()) { ++ expandedSizes[entity] = literalEntitySizes[entity]; ++ foreach (QString referenceTo, referencesToOtherEntities.value(entity).keys()) { ++ const int references = referencesToOtherEntities.value(entity).value(referenceTo); ++ // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size. ++ expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references; ++ } ++ ++ if (expandedSizes[entity] > entityCharacterLimit) { + if (errorMessage) { +- *errorMessage = QString::fromLatin1("The XML entity \"%1\"" +- "expands too a string that is too large to process when " +- "referencing \"%2\" %3 times.").arg(entityName).arg(entityName).arg(timesReferenced); ++ *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands too a string that is too large to process (%2 characters > %3)."); ++ *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit); + } + return true; + } +@@ -6764,10 +6778,7 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl() + case EValue: + if ( !entityExist(name())) { + QString errorMessage; +- if (isPartiallyExpandedEntityValueTooLarge(&errorMessage)) { +- // The entity at entityName is entityValue.size() characters +- // long in its unexpanded form, and was mentioned timesReferenced times, +- // resulting in a string that would be greater than 1024 characters. ++ if (isExpandedEntityValueTooLarge(&errorMessage)) { + reportParseError(errorMessage); + return false; + } +-- +1.7.1 |