Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 14 Jan 2017 09:39:24 -0800
From: Thiago Macieira <thiago@...ieira.org>
To: Solar Designer <solar@...nwall.com>
Cc: security@...project.org, oss-security@...ts.openwall.com
Subject: Re: [Security] Qt QXmlSimpleReader

On sábado, 14 de janeiro de 2017 17:42:11 PST Solar Designer wrote:
> > No, there's no such limitation, but many classes will impose 2 GB limits
> > due to array sizes. The only problem is that getting close to that limit
> > will already run into code we don't usually test. There are also some
> > problems with UB on signed overflow on Qt 4.8 and in early Qt 5 versions
> > (I think I fixed it in 5.4 or 5.5).
> 
> In general, are applications using Qt supposed to sanity-check the sizes
> to be significantly below 2 GiB before passing such data on to Qt?

Normal applications are supposed to be designed to use the Qt containers with, 
in the extreme, a couple hundred thousand items. If you're using them with 
upwards of a billion elements, you should redesign.

If you're dealing with untrusted data, then you're supposed to sanity check it 
before passing to any container. That's true for even the Standard Library 
containers: you don't ask it to allocate 6 GB just because you got that size 
from the network or some file, because it may succeed and that would still be a 
DoS due to high swap usage.

As for QXmlSimpleReader and for the whole QtXml module, it is in Done state. 
We're not working on it. We will fix security issues, though, so we need to 
analyse the details that you've supplied.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel Open Source Technology Center

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ