File 0001-q_getTimeFromASN1-fix-invalid-access.patch of Package libqt5-qtbase.17069

From 1eb27acd1991897fea6da60dbebf6fd9b8683774 Mon Sep 17 00:00:00 2001
From: Timur Pocheptsov <timur.pocheptsov@qt.io>
Date: Wed, 18 Mar 2020 19:54:33 +0100
Subject: [PATCH 1/2] q_getTimeFromASN1: fix invalid access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

No sanitizer is needed, just looking at the code is enough.
It was wrong.

Change-Id: I9df417c137d6b3361c3161865e099a8be40860de
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Reviewed-by: MÃ¥rten Nordheim <marten.nordheim@qt.io>
(cherry picked from commit ad68ecf1d967f8e60c19c28a2bc23daf15389076)
(cherry picked from commit 02f8657ca24f21ccb11ef6aa115973a67c5a27d8)
---
 src/network/ssl/qsslsocket_openssl_symbols.cpp | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp
index c303e266ba..98e0e06cde 100644
--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
+++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
@@ -1421,6 +1421,9 @@ QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime)
 {
     size_t lTimeLength = aTime->length;
     char *pString = (char *) aTime->data;
+    auto isValidPointer = [pString, lTimeLength](const char *const probe){
+        return size_t(probe - pString) < lTimeLength;
+    };
 
     if (aTime->type == V_ASN1_UTCTIME) {
 
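Review bot: The `isValidPointer` lambda has no comment stating its contract, and the later checks depend on two non-obvious details: it captures `pString` by value, so the base stays at the start of the data while the outer `pString` advances, and the `size_t` cast makes a probe before the start fail as well as one at or past the end. I would add above it `// True only if probe lies inside [data, data + length), i.e. it may be dereferenced; base and length are captured by value.` The bound is only as good as `lTimeLength`: if `aTime->length` is a signed field (its declaration is not in this hunk), a negative value would convert to a huge `size_t` and every probe would pass, so a guard before the conversion may be worth adding. The function body continues outside the hunk.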
@@ -1439,12 +1442,21 @@ QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime)
             *pBuffer++ = '0';
         } else {
             *pBuffer++ = *pString++;
+            if (!isValidPointer(pString)) // Nah.
+                return {};
             *pBuffer++ = *pString++;
+            if (!isValidPointer(pString)) // Nah.
+                return {};
             // Skip any fractional seconds...
             if (*pString == '.') {
                 pString++;
-                while ((*pString >= '0') && (*pString <= '9'))
+                if (!isValidPointer(pString)) // Oh no, cannot dereference (see below).
+                    return {};
+                while ((*pString >= '0') && (*pString <= '9')) {
                     pString++;
+                    if (!isValidPointer(pString)) // No and no.
+                        return {};
+                }
             }
         }
 
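Review bot: The comments on the new bounds checks (`// Nah.`, `// No and no.`) do not say what is being guarded, although each check is what stops a read past the end of the ASN.1 time data. Wording such as `// Input ended after the first seconds digit.` and `// Input ended inside the fractional seconds.` would let a reader confirm that each check precedes the dereference it protects. The new early exits use `return {};` while the surrounding function uses `return QDateTime();` (visible in the next hunk), and using one form keeps the failure paths easy to find. The first `*pString++` in the `else` branch has no check in this hunk, so it presumably relies on a length test earlier in the function, which is outside the hunk.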
@@ -1458,6 +1470,10 @@ QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime)
             if ((*pString != '+') && (*pString != '-'))
                 return QDateTime();
 
+            if (!isValidPointer(pString + 4)) {
+                // What kind of input parameters we were provided with? To hell with them!
+                return {};
+            }
             lSecondsFromUCT = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60;
             lSecondsFromUCT += (pString[3] - '0') * 10 + (pString[4] - '0');
             lSecondsFromUCT *= 60;
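Review bot: `isValidPointer(pString + 4)` forms the pointer before it is validated, and computing a pointer more than one element past the end of the buffer is formally undefined even if it is never dereferenced. Comparing the remaining length avoids that, for example `if (lTimeLength - size_t(pString - (const char *) aTime->data) < 5) return {};`, assuming `pString` is still inside the data at this point, which the checks in the previous hunk suggest. The four offset characters `pString[1]` to `pString[4]` are also used in arithmetic without being checked for `'0'` to `'9'`, so a malformed offset yields an arbitrary `lSecondsFromUCT`; that is existing code, but this is the natural place to reject it. The function continues outside the hunk.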
-- 
2.25.1
