Date: Sat, 14 Jan 2017 09:39:24 -0800 From: Thiago Macieira <thiago@...ieira.org> To: Solar Designer <solar@...nwall.com> Cc: security@...project.org, oss-security@...ts.openwall.com Subject: Re: [Security] Qt QXmlSimpleReader On sábado, 14 de janeiro de 2017 17:42:11 PST Solar Designer wrote: > > No, there's no such limitation, but many classes will impose 2 GB limits > > due to array sizes. The only problem is that getting close to that limit > > will already run into code we don't usually test. There are also some > > problems with UB on signed overflow on Qt 4.8 and in early Qt 5 versions > > (I think I fixed it in 5.4 or 5.5). > > In general, are applications using Qt supposed to sanity-check the sizes > to be significantly below 2 GiB before passing such data on to Qt? Normal applications are supposed to be designed to use the Qt containers with, in the extreme, a couple hundred thousand items. If you're using them with upwards of a billion elements, you should redesign. If you're dealing with untrusted data, then you're supposed to sanity check it before passing to any container. That's true for even the Standard Library containers: you don't ask it to allocate 6 GB just because you got that size from the network or some file, because it may succeed and that would still be a DoS due to high swap usage. As for QXmlSimpleReader and for the whole QtXml module, it is in Done state. We're not working on it. We will fix security issues, though, so we need to analyse the details that you've supplied. -- Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org Software Architect - Intel Open Source Technology Center
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.