[Development] QtCS2019 Notes from "Fuzzing Qt" BoF session

Edward Welbourne edward.welbourne at qt.io
Fri Nov 22 19:11:27 CET 2019

Il 21/11/19 13:13, Robert Loehning ha scritto:
>> ** [https://doc.qt.io/qt-5/qregularexpression.html  QRegularExpression]

Giuseppe D'Angelo (22 November 2019 18:17) replied:
> This should mostly be fuzzing libpcre itself...

... which Google is probably already doing.

> Note that users should NEVER use / accept untrusted regular expressions.
> While we shouldn't crash or exhaust memory, PCREs will happily exhibit
> exponential backtracking behaviour, thus exposing applications to DOS
> attacks. There's nothing we can do about that.

... and filtering out the halting problem isn't even amenable to any
dumb heuristics (like the for/while/... crippling of the JS evaluator

Probably best to concentrate our efforts elsewhere ...


More information about the Development mailing list