File 0001-q_getTimeFromASN1-fix-invalid-access.patch of Package libqt5-qtbase.17069
From 1eb27acd1991897fea6da60dbebf6fd9b8683774 Mon Sep 17 00:00:00 2001
From: Timur Pocheptsov <timur.pocheptsov@qt.io>
Date: Wed, 18 Mar 2020 19:54:33 +0100
Subject: [PATCH 1/2] q_getTimeFromASN1: fix invalid access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
No sanitizer is needed, just looking at the code is enough.
It was wrong.
Change-Id: I9df417c137d6b3361c3161865e099a8be40860de
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Reviewed-by: MÃ¥rten Nordheim <marten.nordheim@qt.io>
(cherry picked from commit ad68ecf1d967f8e60c19c28a2bc23daf15389076)
(cherry picked from commit 02f8657ca24f21ccb11ef6aa115973a67c5a27d8)
---
src/network/ssl/qsslsocket_openssl_symbols.cpp | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp
index c303e266ba..98e0e06cde 100644
--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
+++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
@@ -1421,6 +1421,9 @@ QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime)
{
size_t lTimeLength = aTime->length;
char *pString = (char *) aTime->data;
+ auto isValidPointer = [pString, lTimeLength](const char *const probe){
+ return size_t(probe - pString) < lTimeLength;
+ };
if (aTime->type == V_ASN1_UTCTIME) {
@@ -1439,12 +1442,21 @@ QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime)
*pBuffer++ = '0';
} else {
*pBuffer++ = *pString++;
+ if (!isValidPointer(pString)) // Nah.
+ return {};
*pBuffer++ = *pString++;
+ if (!isValidPointer(pString)) // Nah.
+ return {};
// Skip any fractional seconds...
if (*pString == '.') {
pString++;
- while ((*pString >= '0') && (*pString <= '9'))
+ if (!isValidPointer(pString)) // Oh no, cannot dereference (see below).
+ return {};
+ while ((*pString >= '0') && (*pString <= '9')) {
pString++;
+ if (!isValidPointer(pString)) // No and no.
+ return {};
+ }
}
}
@@ -1458,6 +1470,10 @@ QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime)
if ((*pString != '+') && (*pString != '-'))
return QDateTime();
+ if (!isValidPointer(pString + 4)) {
+ // What kind of input parameters we were provided with? To hell with them!
+ return {};
+ }
lSecondsFromUCT = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60;
lSecondsFromUCT += (pString[3] - '0') * 10 + (pString[4] - '0');
lSecondsFromUCT *= 60;
--
2.25.1