|
Kevin Kofler |
437bc95 |
diff -ur qt-x11-free-3.3.8b/src/xml/qxml.cpp qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.cpp
|
|
Kevin Kofler |
437bc95 |
--- qt-x11-free-3.3.8b/src/xml/qxml.cpp 2008-01-15 20:09:13.000000000 +0100
|
|
Kevin Kofler |
6371d40 |
+++ qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.cpp 2014-01-13 21:03:14.000000000 +0100
|
|
Kevin Kofler |
437bc95 |
@@ -4529,6 +4529,11 @@
|
|
Kevin Kofler |
437bc95 |
}
|
|
Kevin Kofler |
437bc95 |
break;
|
|
Kevin Kofler |
437bc95 |
case Mup:
|
|
Kevin Kofler |
d5a2a57 |
+ if (dtdRecursionLimit > 0U && d->parameterEntities.size() > dtdRecursionLimit) {
|
|
Kevin Kofler |
437bc95 |
+ reportParseError(QString::fromLatin1(
|
|
Kevin Kofler |
437bc95 |
+ "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit));
|
|
Kevin Kofler |
437bc95 |
+ return FALSE;
|
|
Kevin Kofler |
437bc95 |
+ }
|
|
Kevin Kofler |
437bc95 |
if ( !parseMarkupdecl() ) {
|
|
Kevin Kofler |
437bc95 |
parseFailed( &QXmlSimpleReader::parseDoctype, state );
|
|
Kevin Kofler |
437bc95 |
return FALSE;
|
|
Kevin Kofler |
437bc95 |
@@ -6128,6 +6133,58 @@
|
|
Kevin Kofler |
437bc95 |
}
|
|
Kevin Kofler |
437bc95 |
}
|
|
Kevin Kofler |
437bc95 |
|
|
Kevin Kofler |
437bc95 |
+bool QXmlSimpleReader::isExpandedEntityValueTooLarge(QString *errorMessage)
|
|
Kevin Kofler |
437bc95 |
+{
|
|
Kevin Kofler |
437bc95 |
+ QMap<QString, uint> literalEntitySizes;
|
|
Kevin Kofler |
437bc95 |
+ // The entity at (QMap<QString,) referenced the entities at (QMap<QString,) (uint>) times.
|
|
Kevin Kofler |
437bc95 |
+ QMap<QString, QMap<QString, uint> > referencesToOtherEntities;
|
|
Kevin Kofler |
437bc95 |
+ QMap<QString, uint> expandedSizes;
|
|
Kevin Kofler |
437bc95 |
+
|
|
Kevin Kofler |
437bc95 |
+ // For every entity, check how many times all entity names were referenced in its value.
|
|
Kevin Kofler |
437bc95 |
+ QMap<QString,QString>::ConstIterator toSearchIterator;
|
|
Kevin Kofler |
437bc95 |
+ for (toSearchIterator = d->entities.begin(); toSearchIterator != d->entities.end(); ++toSearchIterator) {
|
|
Kevin Kofler |
437bc95 |
+ QString toSearch = toSearchIterator.key();
|
|
Kevin Kofler |
437bc95 |
+ // The amount of characters that weren't entity names, but literals, like 'X'.
|
|
Kevin Kofler |
437bc95 |
+ QString leftOvers = toSearchIterator.data();
|
|
Kevin Kofler |
437bc95 |
+ QMap<QString,QString>::ConstIterator entityNameIterator;
|
|
Kevin Kofler |
437bc95 |
+ // How many times was entityName referenced by toSearch?
|
|
Kevin Kofler |
437bc95 |
+ for (entityNameIterator = d->entities.begin(); entityNameIterator != d->entities.end(); ++entityNameIterator) {
|
|
Kevin Kofler |
437bc95 |
+ QString entityName = entityNameIterator.key();
|
|
Kevin Kofler |
437bc95 |
+ for (int i = 0; i >= 0 && (uint) i < leftOvers.length(); ) {
|
|
Kevin Kofler |
437bc95 |
+ i = leftOvers.find(QString::fromLatin1("&%;;").arg(entityName), i);
|
|
Kevin Kofler |
437bc95 |
+ if (i != -1) {
|
|
Kevin Kofler |
437bc95 |
+ leftOvers.remove(i, entityName.length() + 2U);
|
|
Kevin Kofler |
437bc95 |
+ // The entityName we're currently trying to find was matched in this string; increase our count.
|
|
Kevin Kofler |
437bc95 |
+ ++referencesToOtherEntities[toSearch][entityName];
|
|
Kevin Kofler |
437bc95 |
+ }
|
|
Kevin Kofler |
437bc95 |
+ }
|
|
Kevin Kofler |
437bc95 |
+ }
|
|
Kevin Kofler |
437bc95 |
+ literalEntitySizes[toSearch] = leftOvers.length();
|
|
Kevin Kofler |
437bc95 |
+ }
|
|
Kevin Kofler |
437bc95 |
+
|
|
Kevin Kofler |
437bc95 |
+ QMap<QString, QMap<QString, uint> >::ConstIterator entityIterator;
|
|
Kevin Kofler |
437bc95 |
+ for (entityIterator = referencesToOtherEntities.begin(); entityIterator != referencesToOtherEntities.end(); ++entityIterator) {
|
|
Kevin Kofler |
437bc95 |
+ QString entity = entityIterator.key();
|
|
Kevin Kofler |
437bc95 |
+ expandedSizes[entity] = literalEntitySizes[entity];
|
|
Kevin Kofler |
437bc95 |
+ QMap<QString, uint>::ConstIterator referenceToIterator;
|
|
Kevin Kofler |
437bc95 |
+ for (referenceToIterator = entityIterator.data().begin(); referenceToIterator != entityIterator.data().end(); ++referenceToIterator) {
|
|
Kevin Kofler |
437bc95 |
+ QString referenceTo = referenceToIterator.key();
|
|
Kevin Kofler |
437bc95 |
+ const uint references = referenceToIterator.data();
|
|
Kevin Kofler |
437bc95 |
+ // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size.
|
|
Kevin Kofler |
437bc95 |
+ expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references;
|
|
Kevin Kofler |
437bc95 |
+ }
|
|
Kevin Kofler |
437bc95 |
+
|
|
Kevin Kofler |
437bc95 |
+ if (expandedSizes[entity] > entityCharacterLimit) {
|
|
Kevin Kofler |
437bc95 |
+ if (errorMessage) {
|
|
Kevin Kofler |
6371d40 |
+ *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands to a string that is too large to process (%2 characters > %3).");
|
|
Kevin Kofler |
437bc95 |
+ *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit);
|
|
Kevin Kofler |
437bc95 |
+ }
|
|
Kevin Kofler |
437bc95 |
+ return TRUE;
|
|
Kevin Kofler |
437bc95 |
+ }
|
|
Kevin Kofler |
437bc95 |
+ }
|
|
Kevin Kofler |
437bc95 |
+ return FALSE;
|
|
Kevin Kofler |
437bc95 |
+}
|
|
Kevin Kofler |
437bc95 |
+
|
|
Kevin Kofler |
437bc95 |
/*
|
|
Kevin Kofler |
437bc95 |
Parse a EntityDecl [70].
|
|
Kevin Kofler |
437bc95 |
|
|
Kevin Kofler |
437bc95 |
@@ -6222,6 +6279,12 @@
|
|
Kevin Kofler |
437bc95 |
switch ( state ) {
|
|
Kevin Kofler |
437bc95 |
case EValue:
|
|
Kevin Kofler |
437bc95 |
if ( !entityExist( name() ) ) {
|
|
Kevin Kofler |
437bc95 |
+ QString errorMessage;
|
|
Kevin Kofler |
437bc95 |
+ if (isExpandedEntityValueTooLarge(&errorMessage)) {
|
|
Kevin Kofler |
437bc95 |
+ reportParseError(errorMessage);
|
|
Kevin Kofler |
437bc95 |
+ return FALSE;
|
|
Kevin Kofler |
437bc95 |
+ }
|
|
Kevin Kofler |
437bc95 |
+
|
|
Kevin Kofler |
437bc95 |
d->entities.insert( name(), string() );
|
|
Kevin Kofler |
437bc95 |
if ( declHnd ) {
|
|
Kevin Kofler |
437bc95 |
if ( !declHnd->internalEntityDecl( name(), string() ) ) {
|
|
Kevin Kofler |
437bc95 |
diff -ur qt-x11-free-3.3.8b/src/xml/qxml.h qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.h
|
|
Kevin Kofler |
437bc95 |
--- qt-x11-free-3.3.8b/src/xml/qxml.h 2008-01-15 20:09:13.000000000 +0100
|
|
Kevin Kofler |
6371d40 |
+++ qt-x11-free-3.3.8b-CVE-2013-4549/src/xml/qxml.h 2014-01-13 21:03:02.000000000 +0100
|
|
Kevin Kofler |
437bc95 |
@@ -307,6 +307,12 @@
|
|
Kevin Kofler |
437bc95 |
|
|
Kevin Kofler |
437bc95 |
QXmlSimpleReaderPrivate* d;
|
|
Kevin Kofler |
437bc95 |
|
|
Kevin Kofler |
437bc95 |
+ // The limit to the amount of times the DTD parsing functions can be called
|
|
Kevin Kofler |
437bc95 |
+ // for the DTD currently being parsed.
|
|
Kevin Kofler |
437bc95 |
+ static const uint dtdRecursionLimit = 2U;
|
|
Kevin Kofler |
437bc95 |
+ // The maximum amount of characters an entity value may contain, after expansion.
|
|
Kevin Kofler |
6371d40 |
+ static const uint entityCharacterLimit = 65536U;
|
|
Kevin Kofler |
437bc95 |
+
|
|
Kevin Kofler |
437bc95 |
const QString &string();
|
|
Kevin Kofler |
437bc95 |
void stringClear();
|
|
Kevin Kofler |
437bc95 |
inline void stringAddC() { stringAddC(c); }
|
|
Kevin Kofler |
437bc95 |
@@ -378,6 +384,7 @@
|
|
Kevin Kofler |
437bc95 |
void unexpectedEof( ParseFunction where, int state );
|
|
Kevin Kofler |
437bc95 |
void parseFailed( ParseFunction where, int state );
|
|
Kevin Kofler |
437bc95 |
void pushParseState( ParseFunction function, int state );
|
|
Kevin Kofler |
437bc95 |
+ bool isExpandedEntityValueTooLarge(QString *errorMessage);
|
|
Kevin Kofler |
437bc95 |
|
|
Kevin Kofler |
437bc95 |
void setUndefEntityInAttrHack(bool b);
|
|
Kevin Kofler |
437bc95 |
|