Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 14 Jan 2017 09:39:24 -0800
From: Thiago Macieira <>
To: Solar Designer <>
Subject: Re: [Security] Qt QXmlSimpleReader

On sábado, 14 de janeiro de 2017 17:42:11 PST Solar Designer wrote:
> > No, there's no such limitation, but many classes will impose 2 GB limits
> > due to array sizes. The only problem is that getting close to that limit
> > will already run into code we don't usually test. There are also some
> > problems with UB on signed overflow on Qt 4.8 and in early Qt 5 versions
> > (I think I fixed it in 5.4 or 5.5).
> In general, are applications using Qt supposed to sanity-check the sizes
> to be significantly below 2 GiB before passing such data on to Qt?

Normal applications are supposed to be designed to use the Qt containers with, 
in the extreme, a couple hundred thousand items. If you're using them with 
upwards of a billion elements, you should redesign.

If you're dealing with untrusted data, then you're supposed to sanity check it 
before passing to any container. That's true for even the Standard Library 
containers: you don't ask it to allocate 6 GB just because you got that size 
from the network or some file, because it may succeed and that would still be a 
DoS due to high swap usage.

As for QXmlSimpleReader and for the whole QtXml module, it is in Done state. 
We're not working on it. We will fix security issues, though, so we need to 
analyse the details that you've supplied.

Thiago Macieira - thiago (AT) - thiago (AT)
   Software Architect - Intel Open Source Technology Center

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.