[Development] QtCS2019 Notes from "Fuzzing Qt" BoF session
Robert Loehning
Robert.Loehning at qt.io
Mon Dec 2 13:16:20 CET 2019
On 22.11.2019 at 19:11, Edward Welbourne wrote:
> On 21/11/19 13:13, Robert Loehning wrote:
>>> ** [https://doc.qt.io/qt-5/qregularexpression.html QRegularExpression]
>
> Giuseppe D'Angelo (22 November 2019 18:17) replied:
>> This should mostly be fuzzing libpcre itself...
>
> ... which Google is probably already doing.
At least it seems to be on oss-fuzz as well:
https://github.com/google/oss-fuzz/tree/master/projects/pcre2
>> Note that users should NEVER use / accept untrusted regular expressions.
>> While we shouldn't crash or exhaust memory, PCREs will happily exhibit
>> exponential backtracking behaviour, thus exposing applications to DOS
>> attacks. There's nothing we can do about that.
>
> ... and filtering out the halting problem isn't even amenable to any
> dumb heuristics (like the for/while/... crippling of the JS evaluator
> fuzzer).
>
> Probably best to concentrate our efforts elsewhere ...
>
> Eddy.
>
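The exponential backtracking mentioned in the thread, shown as an added example that is not part of the original messages and is not Qt or PCRE code. It is a toy backtracking matcher (all names here are hypothetical) that counts matching steps and aborts on a step budget, the same idea as PCRE2's match limit, so the cost of `(a*)*b` can be compared with `a*b` on a constructed input of repeated `a` with no `b`.

```python
class MatchLimitExceeded(Exception):
    """Raised when the step budget runs out before a verdict is reached."""

def _match(node, s, i, k, st):
    # One call = one matching step; k is the continuation ("rest of the pattern").
    st["steps"] += 1
    if st["steps"] > st["limit"]:
        raise MatchLimitExceeded(st["limit"])
    kind = node[0]
    if kind == "lit":
        return i < len(s) and s[i] == node[1] and k(i + 1)
    if kind == "seq":
        def step(idx, j):
            if idx == len(node[1]):
                return k(j)
            return _match(node[1][idx], s, j, lambda j2: step(idx + 1, j2), st)
        return step(0, i)
    if kind == "star":
        # Greedy: try another iteration first (it must consume input, which
        # prevents looping on empty matches), then fall back to zero more.
        more = lambda j: j > i and _match(node, s, j, k, st)
        return _match(node[1], s, i, more, st) or k(i)
    raise ValueError(kind)

def match_prefix(pattern, text, limit):
    """Anchored match at offset 0. Returns (matched, steps_used)."""
    st = {"steps": 0, "limit": limit}
    ok = bool(_match(pattern, text, 0, lambda j: True, st))
    return ok, st["steps"]

def guarded(pattern, text, limit=100_000):
    """True/False for a verdict, None when the budget was exhausted."""
    try:
        return match_prefix(pattern, text, limit)[0]
    except MatchLimitExceeded:
        return None

# Constructed patterns as small ASTs: (a*)*b and a*b
NESTED = ("seq", [("star", ("star", ("lit", "a"))), ("lit", "b")])
FLAT = ("seq", [("star", ("lit", "a")), ("lit", "b")])

if __name__ == "__main__":
    for n in (4, 8, 12, 16):
        text = "a" * n  # constructed input: no trailing "b", so the match fails
        print(n, match_prefix(FLAT, text, 10**7)[1],
              match_prefix(NESTED, text, 10**7)[1])
    print("n=30 with budget:", guarded(NESTED, "a" * 30))
```

In this toy engine the failing match costs 3n+4 steps for `a*b` and 6·2^n−1 steps for `(a*)*b`. The budget bounds the time spent on a hostile pattern, but it only turns a hang into an aborted match.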