Fix out-of-memory crash with malformed ssh keys

* Reported by Oblivionsage - thank you!
2025-12-04 15:39:34 +01:00 · 2025-11-01 10:18:58 -04:00
parent 1a7992cc57
commit 41b2a9bb60
3 changed files with 32 additions and 8 deletions
--- a/share/translations/keepassxc_en.ts
+++ b/share/translations/keepassxc_en.ts
@@ -876,6 +876,17 @@ Ctrl+Shift+4 - Copy URL&lt;br/&gt;
        <translation type="unfinished"></translation>
    </message>
 </context>
+<context>
+    <name>BinaryStream</name>
+    <message>
+        <source>Failed to read string data: %1</source>
+        <translation type="unfinished"></translation>
+    </message>
+    <message>
+        <source>String length exceeds 10 MiB limit (requested %1)</source>
+        <translation type="unfinished"></translation>
+    </message>
+</context>
 <context>
    <name>BrowserAccessControlDialog</name>
    <message>
@@ -6387,10 +6398,6 @@ Expect some bugs and minor issues, this version is meant for testing purposes.</
        <source>Found zero keys</source>
        <translation type="unfinished"></translation>
    </message>
-    <message>
-        <source>Failed to read public key.</source>
-        <translation type="unfinished"></translation>
-    </message>
    <message>
        <source>Corrupted key file, reading private key failed</source>
        <translation type="unfinished"></translation>
@@ -6475,6 +6482,14 @@ Expect some bugs and minor issues, this version is meant for testing purposes.</
        <source>(encrypted)</source>
        <translation type="unfinished"></translation>
    </message>
+    <message>
+        <source>Failed to read key file: %1</source>
+        <translation type="unfinished"></translation>
+    </message>
+    <message>
+        <source>Failed to read public key: %1</source>
+        <translation type="unfinished"></translation>
+    </message>
    <message>
        <source>AES-256/GCM is currently not supported</source>
        <translation type="unfinished"></translation>
--- a/src/sshagent/BinaryStream.cpp
+++ b/src/sshagent/BinaryStream.cpp
@@ -17,6 +17,7 @@
 */

 #include "BinaryStream.h"
+#include "core/Tools.h"
 #include <QtEndian>

 BinaryStream::BinaryStream(QIODevice* device)
@@ -116,9 +117,16 @@ bool BinaryStream::readString(QByteArray& ba)
        return false;
    }

+    // Don't attempt to read strings over 10 MiB
+    if (length > 1024 * 1024 * 10) {
+        m_error = tr("String length exceeds 10 MiB limit (requested %1)").arg(Tools::humanReadableFileSize(length, 0));
+        return false;
+    }
+
    ba.resize(length);

    if (!read(ba.data(), ba.length())) {
+        m_error = tr("Failed to read string data: %1").arg(m_device->errorString());
        return false;
    }

--- a/src/sshagent/OpenSSHKey.cpp
+++ b/src/sshagent/OpenSSHKey.cpp
@@ -247,9 +247,10 @@ bool OpenSSHKey::parsePKCS1PEM(const QByteArray& in)
            return false;
        }

-        stream.readString(m_cipherName);
-        stream.readString(m_kdfName);
-        stream.readString(m_kdfOptions);
+        if (!stream.readString(m_cipherName) || !stream.readString(m_kdfName) || !stream.readString(m_kdfOptions)) {
+            m_error = tr("Failed to read key file: %1").arg(stream.errorString());
+            return false;
+        }

        quint32 numberOfKeys;
        stream.read(numberOfKeys);
@@ -262,7 +263,7 @@ bool OpenSSHKey::parsePKCS1PEM(const QByteArray& in)
        for (quint32 i = 0; i < numberOfKeys; ++i) {
            QByteArray publicKey;
            if (!stream.readString(publicKey)) {
-                m_error = tr("Failed to read public key.");
+                m_error = tr("Failed to read public key: %1").arg(stream.errorString());
                return false;
            }