You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
321 lines
14 KiB
321 lines
14 KiB
2 years ago
|
Description: Fix CVE-2023-24607
|
||
|
CVE-2023-24607 can trigger a DOS with a specifically crafted string,
|
||
|
see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031871.
|
||
|
This patch backports both https://codereview.qt-project.org/c/qt/qtbase/+/456007
|
||
|
and https://codereview.qt-project.org/c/qt/qtbase/+/457937.
|
||
|
Forwarded: not-needed
|
||
|
|
||
|
---
|
||
|
diff --git a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
|
||
|
index 386ffccf36..80bf6ad7c0 100644
|
||
|
--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
|
||
|
+++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
|
||
|
@@ -58,23 +58,39 @@ inline static QString fromSQLTCHAR(const QVarLengthArray<SQLTCHAR>& input, qsize
|
||
|
return result;
|
||
|
}
|
||
|
|
||
|
+template <size_t SizeOfChar = sizeof(SQLTCHAR)>
|
||
|
+void toSQLTCHARImpl(QVarLengthArray<SQLTCHAR> &result, const QString &input); // primary template undefined
|
||
|
+
|
||
|
+template <typename Container>
|
||
|
+void do_append(QVarLengthArray<SQLTCHAR> &result, const Container &c)
|
||
|
+{
|
||
|
+ result.append(reinterpret_cast<const SQLTCHAR *>(c.data()), c.size());
|
||
|
+}
|
||
|
+
|
||
|
+template <>
|
||
|
+void toSQLTCHARImpl<1>(QVarLengthArray<SQLTCHAR> &result, const QString &input)
|
||
|
+{
|
||
|
+ const auto u8 = input.toUtf8();
|
||
|
+ do_append(result, u8);
|
||
|
+}
|
||
|
+
|
||
|
+template <>
|
||
|
+void toSQLTCHARImpl<2>(QVarLengthArray<SQLTCHAR> &result, const QString &input)
|
||
|
+{
|
||
|
+ do_append(result, input);
|
||
|
+}
|
||
|
+
|
||
|
+template <>
|
||
|
+void toSQLTCHARImpl<4>(QVarLengthArray<SQLTCHAR> &result, const QString &input)
|
||
|
+{
|
||
|
+ const auto u32 = input.toUcs4();
|
||
|
+ do_append(result, u32);
|
||
|
+}
|
||
|
+
|
||
|
inline static QVarLengthArray<SQLTCHAR> toSQLTCHAR(const QString &input)
|
||
|
{
|
||
|
QVarLengthArray<SQLTCHAR> result;
|
||
|
- result.resize(input.size());
|
||
|
- switch(sizeof(SQLTCHAR)) {
|
||
|
- case 1:
|
||
|
- memcpy(result.data(), input.toUtf8().data(), input.size());
|
||
|
- break;
|
||
|
- case 2:
|
||
|
- memcpy(result.data(), input.unicode(), input.size() * 2);
|
||
|
- break;
|
||
|
- case 4:
|
||
|
- memcpy(result.data(), input.toUcs4().data(), input.size() * 4);
|
||
|
- break;
|
||
|
- default:
|
||
|
- qCritical("sizeof(SQLTCHAR) is %d. Don't know how to handle this.", int(sizeof(SQLTCHAR)));
|
||
|
- }
|
||
|
+ toSQLTCHARImpl(result, input);
|
||
|
result.append(0); // make sure it's null terminated, doesn't matter if it already is, it does if it isn't.
|
||
|
return result;
|
||
|
}
|
||
|
@@ -729,6 +745,14 @@ QChar QODBCDriverPrivate::quoteChar()
|
||
|
return quote;
|
||
|
}
|
||
|
|
||
|
+static SQLRETURN qt_string_SQLSetConnectAttr(SQLHDBC handle, SQLINTEGER attr, const QString &val)
|
||
|
+{
|
||
|
+ auto encoded = toSQLTCHAR(val);
|
||
|
+ return SQLSetConnectAttr(handle, attr,
|
||
|
+ encoded.data(),
|
||
|
+ SQLINTEGER(encoded.size() * sizeof(SQLTCHAR))); // size in bytes
|
||
|
+}
|
||
|
+
|
||
|
|
||
|
bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts)
|
||
|
{
|
||
|
@@ -764,10 +788,7 @@ bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts)
|
||
|
v = val.toUInt();
|
||
|
r = SQLSetConnectAttr(hDbc, SQL_ATTR_LOGIN_TIMEOUT, (SQLPOINTER) size_t(v), 0);
|
||
|
} else if (opt.toUpper() == "SQL_ATTR_CURRENT_CATALOG"_L1) {
|
||
|
- val.utf16(); // 0 terminate
|
||
|
- r = SQLSetConnectAttr(hDbc, SQL_ATTR_CURRENT_CATALOG,
|
||
|
- toSQLTCHAR(val).data(),
|
||
|
- SQLINTEGER(val.length() * sizeof(SQLTCHAR)));
|
||
|
+ r = qt_string_SQLSetConnectAttr(hDbc, SQL_ATTR_CURRENT_CATALOG, val);
|
||
|
} else if (opt.toUpper() == "SQL_ATTR_METADATA_ID"_L1) {
|
||
|
if (val.toUpper() == "SQL_TRUE"_L1) {
|
||
|
v = SQL_TRUE;
|
||
|
@@ -782,10 +803,7 @@ bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts)
|
||
|
v = val.toUInt();
|
||
|
r = SQLSetConnectAttr(hDbc, SQL_ATTR_PACKET_SIZE, (SQLPOINTER) size_t(v), 0);
|
||
|
} else if (opt.toUpper() == "SQL_ATTR_TRACEFILE"_L1) {
|
||
|
- val.utf16(); // 0 terminate
|
||
|
- r = SQLSetConnectAttr(hDbc, SQL_ATTR_TRACEFILE,
|
||
|
- toSQLTCHAR(val).data(),
|
||
|
- SQLINTEGER(val.length() * sizeof(SQLTCHAR)));
|
||
|
+ r = qt_string_SQLSetConnectAttr(hDbc, SQL_ATTR_TRACEFILE, val);
|
||
|
} else if (opt.toUpper() == "SQL_ATTR_TRACE"_L1) {
|
||
|
if (val.toUpper() == "SQL_OPT_TRACE_OFF"_L1) {
|
||
|
v = SQL_OPT_TRACE_OFF;
|
||
|
@@ -988,9 +1006,12 @@ bool QODBCResult::reset (const QString& query)
|
||
|
return false;
|
||
|
}
|
||
|
|
||
|
- r = SQLExecDirect(d->hStmt,
|
||
|
- toSQLTCHAR(query).data(),
|
||
|
- (SQLINTEGER) query.length());
|
||
|
+ {
|
||
|
+ auto encoded = toSQLTCHAR(query);
|
||
|
+ r = SQLExecDirect(d->hStmt,
|
||
|
+ encoded.data(),
|
||
|
+ SQLINTEGER(encoded.size()));
|
||
|
+ }
|
||
|
if (r != SQL_SUCCESS && r != SQL_SUCCESS_WITH_INFO && r!= SQL_NO_DATA) {
|
||
|
setLastError(qMakeError(QCoreApplication::translate("QODBCResult",
|
||
|
"Unable to execute statement"), QSqlError::StatementError, d));
|
||
|
@@ -1339,9 +1360,12 @@ bool QODBCResult::prepare(const QString& query)
|
||
|
return false;
|
||
|
}
|
||
|
|
||
|
- r = SQLPrepare(d->hStmt,
|
||
|
- toSQLTCHAR(query).data(),
|
||
|
- (SQLINTEGER) query.length());
|
||
|
+ {
|
||
|
+ auto encoded = toSQLTCHAR(query);
|
||
|
+ r = SQLPrepare(d->hStmt,
|
||
|
+ encoded.data(),
|
||
|
+ SQLINTEGER(encoded.size()));
|
||
|
+ }
|
||
|
|
||
|
if (r != SQL_SUCCESS) {
|
||
|
setLastError(qMakeError(QCoreApplication::translate("QODBCResult",
|
||
|
@@ -1369,7 +1393,7 @@ bool QODBCResult::exec()
|
||
|
SQLCloseCursor(d->hStmt);
|
||
|
|
||
|
QVariantList &values = boundValues();
|
||
|
- QByteArrayList tmpStorage(values.count(), QByteArray()); // holds temporary buffers
|
||
|
+ QByteArrayList tmpStorage(values.count(), QByteArray()); // targets for SQLBindParameter()
|
||
|
QVarLengthArray<SQLLEN, 32> indicators(values.count());
|
||
|
memset(indicators.data(), 0, indicators.size() * sizeof(SQLLEN));
|
||
|
|
||
|
@@ -1584,36 +1608,36 @@ bool QODBCResult::exec()
|
||
|
case QMetaType::QString:
|
||
|
if (d->unicode) {
|
||
|
QByteArray &ba = tmpStorage[i];
|
||
|
- QString str = val.toString();
|
||
|
+ {
|
||
|
+ const auto encoded = toSQLTCHAR(val.toString());
|
||
|
+ ba = QByteArray(reinterpret_cast<const char *>(encoded.data()),
|
||
|
+ encoded.size() * sizeof(SQLTCHAR));
|
||
|
+ }
|
||
|
+
|
||
|
if (*ind != SQL_NULL_DATA)
|
||
|
- *ind = str.length() * sizeof(SQLTCHAR);
|
||
|
- const qsizetype strSize = str.length() * sizeof(SQLTCHAR);
|
||
|
+ *ind = ba.size();
|
||
|
|
||
|
if (bindValueType(i) & QSql::Out) {
|
||
|
- const QVarLengthArray<SQLTCHAR> a(toSQLTCHAR(str));
|
||
|
- ba = QByteArray((const char *)a.constData(), int(a.size() * sizeof(SQLTCHAR)));
|
||
|
r = SQLBindParameter(d->hStmt,
|
||
|
i + 1,
|
||
|
qParamType[bindValueType(i) & QSql::InOut],
|
||
|
SQL_C_TCHAR,
|
||
|
- strSize > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
|
||
|
+ ba.size() > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
|
||
|
0, // god knows... don't change this!
|
||
|
0,
|
||
|
- ba.data(),
|
||
|
+ const_cast<char *>(ba.constData()), // don't detach
|
||
|
ba.size(),
|
||
|
ind);
|
||
|
break;
|
||
|
}
|
||
|
- ba = QByteArray(reinterpret_cast<const char *>(toSQLTCHAR(str).constData()),
|
||
|
- int(strSize));
|
||
|
r = SQLBindParameter(d->hStmt,
|
||
|
i + 1,
|
||
|
qParamType[bindValueType(i) & QSql::InOut],
|
||
|
SQL_C_TCHAR,
|
||
|
- strSize > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
|
||
|
- strSize,
|
||
|
+ ba.size() > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
|
||
|
+ ba.size(),
|
||
|
0,
|
||
|
- const_cast<char *>(ba.constData()),
|
||
|
+ const_cast<char *>(ba.constData()), // don't detach
|
||
|
ba.size(),
|
||
|
ind);
|
||
|
break;
|
||
|
@@ -1974,14 +1998,16 @@ bool QODBCDriver::open(const QString & db,
|
||
|
SQLSMALLINT cb;
|
||
|
QVarLengthArray<SQLTCHAR> connOut(1024);
|
||
|
memset(connOut.data(), 0, connOut.size() * sizeof(SQLTCHAR));
|
||
|
- r = SQLDriverConnect(d->hDbc,
|
||
|
- NULL,
|
||
|
- toSQLTCHAR(connQStr).data(),
|
||
|
- (SQLSMALLINT)connQStr.length(),
|
||
|
- connOut.data(),
|
||
|
- 1024,
|
||
|
- &cb,
|
||
|
- /*SQL_DRIVER_NOPROMPT*/0);
|
||
|
+ {
|
||
|
+ auto encoded = toSQLTCHAR(connQStr);
|
||
|
+ r = SQLDriverConnect(d->hDbc,
|
||
|
+ nullptr,
|
||
|
+ encoded.data(), SQLSMALLINT(encoded.size()),
|
||
|
+ connOut.data(),
|
||
|
+ 1024,
|
||
|
+ &cb,
|
||
|
+ /*SQL_DRIVER_NOPROMPT*/0);
|
||
|
+ }
|
||
|
|
||
|
if (r != SQL_SUCCESS && r != SQL_SUCCESS_WITH_INFO) {
|
||
|
setLastError(qMakeError(tr("Unable to connect"), QSqlError::ConnectionError, d));
|
||
|
@@ -2360,17 +2386,15 @@ QStringList QODBCDriver::tables(QSql::TableType type) const
|
||
|
if (tableType.isEmpty())
|
||
|
return tl;
|
||
|
|
||
|
- QString joinedTableTypeString = tableType.join(u',');
|
||
|
+ {
|
||
|
+ auto joinedTableTypeString = toSQLTCHAR(tableType.join(u','));
|
||
|
|
||
|
- r = SQLTables(hStmt,
|
||
|
- NULL,
|
||
|
- 0,
|
||
|
- NULL,
|
||
|
- 0,
|
||
|
- NULL,
|
||
|
- 0,
|
||
|
- toSQLTCHAR(joinedTableTypeString).data(),
|
||
|
- joinedTableTypeString.length() /* characters, not bytes */);
|
||
|
+ r = SQLTables(hStmt,
|
||
|
+ nullptr, 0,
|
||
|
+ nullptr, 0,
|
||
|
+ nullptr, 0,
|
||
|
+ joinedTableTypeString.data(), joinedTableTypeString.size());
|
||
|
+ }
|
||
|
|
||
|
if (r != SQL_SUCCESS)
|
||
|
qSqlWarning("QODBCDriver::tables Unable to execute table list"_L1, d);
|
||
|
@@ -2443,28 +2467,30 @@ QSqlIndex QODBCDriver::primaryIndex(const QString& tablename) const
|
||
|
SQL_ATTR_CURSOR_TYPE,
|
||
|
(SQLPOINTER)SQL_CURSOR_FORWARD_ONLY,
|
||
|
SQL_IS_UINTEGER);
|
||
|
- r = SQLPrimaryKeys(hStmt,
|
||
|
- catalog.length() == 0 ? NULL : toSQLTCHAR(catalog).data(),
|
||
|
- catalog.length(),
|
||
|
- schema.length() == 0 ? NULL : toSQLTCHAR(schema).data(),
|
||
|
- schema.length(),
|
||
|
- toSQLTCHAR(table).data(),
|
||
|
- table.length() /* in characters, not in bytes */);
|
||
|
+ {
|
||
|
+ auto c = toSQLTCHAR(catalog);
|
||
|
+ auto s = toSQLTCHAR(schema);
|
||
|
+ auto t = toSQLTCHAR(table);
|
||
|
+ r = SQLPrimaryKeys(hStmt,
|
||
|
+ catalog.isEmpty() ? nullptr : c.data(), c.size(),
|
||
|
+ schema.isEmpty() ? nullptr : s.data(), s.size(),
|
||
|
+ t.data(), t.size());
|
||
|
+ }
|
||
|
|
||
|
// if the SQLPrimaryKeys() call does not succeed (e.g the driver
|
||
|
// does not support it) - try an alternative method to get hold of
|
||
|
// the primary index (e.g MS Access and FoxPro)
|
||
|
if (r != SQL_SUCCESS) {
|
||
|
- r = SQLSpecialColumns(hStmt,
|
||
|
- SQL_BEST_ROWID,
|
||
|
- catalog.length() == 0 ? NULL : toSQLTCHAR(catalog).data(),
|
||
|
- catalog.length(),
|
||
|
- schema.length() == 0 ? NULL : toSQLTCHAR(schema).data(),
|
||
|
- schema.length(),
|
||
|
- toSQLTCHAR(table).data(),
|
||
|
- table.length(),
|
||
|
- SQL_SCOPE_CURROW,
|
||
|
- SQL_NULLABLE);
|
||
|
+ auto c = toSQLTCHAR(catalog);
|
||
|
+ auto s = toSQLTCHAR(schema);
|
||
|
+ auto t = toSQLTCHAR(table);
|
||
|
+ r = SQLSpecialColumns(hStmt,
|
||
|
+ SQL_BEST_ROWID,
|
||
|
+ catalog.isEmpty() ? nullptr : c.data(), c.size(),
|
||
|
+ schema.isEmpty() ? nullptr : s.data(), s.size(),
|
||
|
+ t.data(), t.size(),
|
||
|
+ SQL_SCOPE_CURROW,
|
||
|
+ SQL_NULLABLE);
|
||
|
|
||
|
if (r != SQL_SUCCESS) {
|
||
|
qSqlWarning("QODBCDriver::primaryIndex: Unable to execute primary key list"_L1, d);
|
||
|
@@ -2545,15 +2571,17 @@ QSqlRecord QODBCDriver::record(const QString& tablename) const
|
||
|
SQL_ATTR_CURSOR_TYPE,
|
||
|
(SQLPOINTER)SQL_CURSOR_FORWARD_ONLY,
|
||
|
SQL_IS_UINTEGER);
|
||
|
- r = SQLColumns(hStmt,
|
||
|
- catalog.length() == 0 ? NULL : toSQLTCHAR(catalog).data(),
|
||
|
- catalog.length(),
|
||
|
- schema.length() == 0 ? NULL : toSQLTCHAR(schema).data(),
|
||
|
- schema.length(),
|
||
|
- toSQLTCHAR(table).data(),
|
||
|
- table.length(),
|
||
|
- NULL,
|
||
|
- 0);
|
||
|
+ {
|
||
|
+ auto c = toSQLTCHAR(catalog);
|
||
|
+ auto s = toSQLTCHAR(schema);
|
||
|
+ auto t = toSQLTCHAR(table);
|
||
|
+ r = SQLColumns(hStmt,
|
||
|
+ catalog.isEmpty() ? nullptr : c.data(), c.size(),
|
||
|
+ schema.isEmpty() ? nullptr : s.data(), s.size(),
|
||
|
+ t.data(), t.size(),
|
||
|
+ nullptr,
|
||
|
+ 0);
|
||
|
+ }
|
||
|
if (r != SQL_SUCCESS)
|
||
|
qSqlWarning("QODBCDriver::record: Unable to execute column list"_L1, d);
|