[Development] QtCS2019 Notes from "Fuzzing Qt" BoF session

André Somers andre at familiesomers.nl
Wed Nov 27 09:11:25 CET 2019


On 22/11/2019 18:17, Giuseppe D'Angelo via Development wrote:
> Il 21/11/19 13:13, Robert Loehning ha scritto:
>> ** [https://doc.qt.io/qt-5/qregularexpression.html QRegularExpression]
>
> This should mostly be fuzzing libpcre itself...
>
> Note that users should NEVER use / accept untrusted regular 
> expressions. While we shouldn't crash or exhaust memory, PCREs will 
> happily exhibit exponential backtracking behaviour, thus exposing 
> applications to DOS attacks. There's nothing we can do about that.

Just wondering how one would go about doing that in practice. Is this 
something QRegularExpression itself may be of assistance with, perhaps 
by esposing an API that can be used to identify if an expression 
contains potentially dangerous or heavy expressions?

André

>
> Thanks,
>
> _______________________________________________
> Development mailing list
> Development at qt-project.org
> https://lists.qt-project.org/listinfo/development
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/development/attachments/20191127/68c32eb4/attachment.html>


More information about the Development mailing list