[Development] QtCS2019 Notes from "Fuzzing Qt" BoF session
Edward Welbourne
edward.welbourne at qt.io
Fri Nov 22 19:11:27 CET 2019
On 21/11/19 13:13, Robert Loehning wrote:
>> ** [https://doc.qt.io/qt-5/qregularexpression.html QRegularExpression]
Giuseppe D'Angelo (22 November 2019 18:17) replied:
> This should mostly be fuzzing libpcre itself...
... which Google is probably already doing.
> Note that users should NEVER use / accept untrusted regular expressions.
> While we shouldn't crash or exhaust memory, PCREs will happily exhibit
> exponential backtracking behaviour, thus exposing applications to DOS
> attacks. There's nothing we can do about that.
... and filtering out the halting problem isn't even amenable to any
dumb heuristics (like the for/while/... crippling of the JS evaluator
fuzzer).
Probably best to concentrate our efforts elsewhere ...
Eddy.
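
The exponential backtracking mentioned in the thread, as an added example that is not part of the original messages and is not Qt or PCRE code: a toy backtracking matcher with a step counter and an optional step budget. The hard-coded pattern `^(a+)+$`, the subjects and the names `match_nested_plus` and `BudgetExceeded` are constructed for illustration.

```python
# Toy emulation of how a backtracking engine explores ^(a+)+$ .
# Not PCRE or QRegularExpression code; the pattern is hard-coded (constructed example).

class BudgetExceeded(Exception):
    """Raised when the matcher has used more steps than the caller allows."""


def match_nested_plus(subject, budget=None):
    """Match subject against ^(a+)+$ by naive backtracking.

    Returns (matched, steps). If budget is set and exceeded, raises
    BudgetExceeded instead of continuing to search.
    """
    n = len(subject)
    steps = 0

    def one_group(pos):
        nonlocal steps
        # Greedy a+: consume the longest run of 'a' starting at pos.
        end = pos
        while end < n and subject[end] == "a":
            end += 1
        # Try the longest split first, then give characters back one by one.
        for stop in range(end, pos, -1):
            steps += 1
            if budget is not None and steps > budget:
                raise BudgetExceeded(steps)
            if stop == n:          # '$' matches: overall success
                return True
            if one_group(stop):    # outer '+': start another (a+) iteration
                return True
        return False               # every split failed: backtrack further

    return one_group(0), steps


if __name__ == "__main__":
    # Constructed subjects: n copies of 'a' followed by a character that forces failure.
    for n in (4, 8, 12, 16):
        matched, steps = match_nested_plus("a" * n + "!")
        print(f"n={n:2d} matched={matched} steps={steps}")   # steps == 2**n - 1
    try:
        match_nested_plus("a" * 40 + "!", budget=10_000)
    except BudgetExceeded:
        print("n=40 aborted: budget of 10000 steps exceeded")
```

A step budget of this kind caps the cost of one match attempt; it does not tell a safe pattern from an unsafe one, which is the point made in the thread.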