add an expansion limit for entities

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=fd4be84d23a0db41
Last-Update: 2020-02-27

Recursively defined entities can easily exhaust all available
memory. Limit entity expansion to a default of 4096 characters to
avoid DoS attacks when a user loads untrusted content.

Added a setter and getter to allow modifying the expansion limit.

QXmlStreamReader does now by default limit the expansion of entities
to 4096 characters. Documents where a single entity expands to more
characters than the limit are not considered well formed. The limit
is there to avoid DoS attacks through recursively expanding entities
when loading untrusted content. The limit can be changed through the
QXmlStreamReader::setEntityExpansionLimit() method.

Gbp-Pq: Name CVE-2015-9541.diff

diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
index 7ff87885a53a2aa60e742d7e537ceeed378b9cb6..d7fb0d0d418d6ed93dc74e32e90754be429752fa 100644 (file)
--- a/src/corelib/serialization/qxmlstream.cpp
+++ b/src/corelib/serialization/qxmlstream.cpp
@@ -2041,6 +2041,42 @@ QStringRef QXmlStreamReader::dtdSystemId() const
    return QStringRef();
 }
 
+/*!
+  \since 5.15
+
+  Returns the maximum amount of characters a single entity is
+  allowed to expand into. If a single entity expands past the
+  given limit, the document is not considered well formed.
+
+  \sa setEntityExpansionLimit
+*/
+int QXmlStreamReader::entityExpansionLimit() const
+{
+    Q_D(const QXmlStreamReader);
+    return d->entityExpansionLimit;
+}
+
+/*!
+  \since 5.15
+
+  Sets the maximum amount of characters a single entity is
+  allowed to expand into to \a limit. If a single entity expands
+  past the given limit, the document is not considered well formed.
+
+  The limit is there to prevent DoS attacks when loading unknown
+  XML documents where recursive entity expansion could otherwise
+  exhaust all available memory.
+
+  The default value for this property is 4096 characters.
+
+  \sa entityExpansionLimit
+*/
+void QXmlStreamReader::setEntityExpansionLimit(int limit)
+{
+    Q_D(QXmlStreamReader);
+    d->entityExpansionLimit = limit;
+}
+
 /*!  If the tokenType() is \l StartElement, this function returns the
   element's namespace declarations. Otherwise an empty vector is
   returned.

diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g
index 12ecc9bdb2aa95303fb764d01c73c043e2afc5e7..b623de9505655917e61f9a6f409b60145ab4dcda 100644 (file)
--- a/src/corelib/serialization/qxmlstream.g
+++ b/src/corelib/serialization/qxmlstream.g
@@ -285,9 +285,19 @@ public:
     QHash<QStringView, Entity> entityHash;
     QHash<QStringView, Entity> parameterEntityHash;
     QXmlStreamSimpleStack<Entity *>entityReferenceStack;
+    int entityExpansionLimit = 4096;
+    int entityLength = 0;
     inline bool referenceEntity(Entity &entity) {
         if (entity.isCurrentlyReferenced) {
-            raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));
+            raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));
+            return false;
+        }
+        // entityLength represents the amount of additional characters the
+        // entity expands into (can be negative for e.g. &amp;). It's used to
+        // avoid DoS attacks through recursive entity expansions
+        entityLength += entity.value.size() - entity.name.size() - 2;
+        if (entityLength > entityExpansionLimit) {
+            raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));
             return false;
         }
         entity.isCurrentlyReferenced = true;
@@ -838,6 +848,8 @@ entity_done ::= ENTITY_DONE;
 /.
         case $rule_number:
             entityReferenceStack.pop()->isCurrentlyReferenced = false;
+            if (entityReferenceStack.isEmpty())
+                entityLength = 0;
             clearSym();
         break;
 ./

diff --git a/src/corelib/serialization/qxmlstream.h b/src/corelib/serialization/qxmlstream.h
index 7d0aa64570ea166d18f56af18972beefc107f11f..c8647e04658d78b025acaa26ba986f6bbdc1c0c7 100644 (file)
--- a/src/corelib/serialization/qxmlstream.h
+++ b/src/corelib/serialization/qxmlstream.h
@@ -426,6 +426,8 @@ public:
     QStringRef dtdPublicId() const;
     QStringRef dtdSystemId() const;
 
+    int entityExpansionLimit() const;
+    void setEntityExpansionLimit(int limit);
 
     enum Error {
         NoError,

diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
index 9c94e6d4346e325fced0f269f3c40024fbf6f87f..103b123b10c77aab9ead71dc3ec4319d2ad0f038 100644 (file)
--- a/src/corelib/serialization/qxmlstream_p.h
+++ b/src/corelib/serialization/qxmlstream_p.h
@@ -774,9 +774,19 @@ public:
     QHash<QStringView, Entity> entityHash;
     QHash<QStringView, Entity> parameterEntityHash;
     QXmlStreamSimpleStack<Entity *>entityReferenceStack;
+    int entityExpansionLimit = 4096;
+    int entityLength = 0;
     inline bool referenceEntity(Entity &entity) {
         if (entity.isCurrentlyReferenced) {
-            raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));
+            raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));
+            return false;
+        }
+        // entityLength represents the amount of additional characters the
+        // entity expands into (can be negative for e.g. &amp;). It's used to
+        // avoid DoS attacks through recursive entity expansions
+        entityLength += entity.value.size() - entity.name.size() - 2;
+        if (entityLength > entityExpansionLimit) {
+            raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));
             return false;
         }
         entity.isCurrentlyReferenced = true;
@@ -1308,6 +1318,8 @@ bool QXmlStreamReaderPrivate::parse()
 
         case 10:
             entityReferenceStack.pop()->isCurrentlyReferenced = false;
+            if (entityReferenceStack.isEmpty())
+                entityLength = 0;
             clearSym();
         break;