[Interest] Is it safe to use QDataStream to parse data from untrusted source?

Thiago Macieira thiago.macieira at intel.com
Fri May 13 15:26:19 CEST 2022


On Thursday, 12 May 2022 12:41:54 MDT Alexander Dyagilev wrote:
> Thank you for the response!
> 
> Is it also true for Qt 5.12? I mean, was the CBOR parser in it tested by the
> Google Fuzzer project?

I don't remember when we started, but we treat all parsing issues that lead to 
crashes or anything worse as security issues and fix retroactively. Since 5.12 
is and has been closed for a while now, it may not have all the fixes; you 
should look at Qt's list of security issues and apply any remaining patches 
yourself.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Cloud Software Architect - Intel DCAI Cloud Engineering




