From 298d4016494dfdf21396769c451edab2595e9f5d Mon Sep 17 00:00:00 2001
From: Jonathan White
Date: Mon, 27 Oct 2025 20:49:24 -0400
Subject: [PATCH] Fix out-of-memory crash with malformed ssh keys
* Reported by Oblivionsage - thank you!
---
 share/translations/keepassxc_en.ts | 23 +++++++++++++++++++----
 src/sshagent/BinaryStream.cpp | 8 ++++++++
 src/sshagent/OpenSSHKey.cpp | 9 +++++----
 3 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/share/translations/keepassxc_en.ts b/share/translations/keepassxc_en.ts
index 34a1abe40..8b3026950 100644
--- a/share/translations/keepassxc_en.ts
+++ b/share/translations/keepassxc_en.ts
@@ -876,6 +876,17 @@ Ctrl+Shift+4 - Copy URL<br/> + + BinaryStream + + Failed to read string data: %1 + + + + String length exceeds 10 MiB limit (requested %1) + + + BrowserAccessControlDialog
@@ -6694,10 +6705,6 @@ Expect some bugs and minor issues, this version is meant for testing purposes.Found zero keys - - Failed to read public key. - - Corrupted key file, reading private key failed
@@ -6786,6 +6793,14 @@ Expect some bugs and minor issues, this version is meant for testing purposes.(encrypted) + + Failed to read key file: %1 + + + + Failed to read public key: %1 + + OpenSSHKeyGenDialog
diff --git a/src/sshagent/BinaryStream.cpp b/src/sshagent/BinaryStream.cpp
index 2ac93943c..4c67a5165 100644
--- a/src/sshagent/BinaryStream.cpp
+++ b/src/sshagent/BinaryStream.cpp
@@ -17,6 +17,7 @@
 */
 #include "BinaryStream.h"
+#include "core/Tools.h"
 #include
 BinaryStream::BinaryStream(QIODevice* device)
@@ -116,9 +117,16 @@ bool BinaryStream::readString(QByteArray& ba)
 return false;
 }
+ // Don't attempt to read strings over 10 MiB
+ if (length > 1024 * 1024 * 10) {
+ m_error = tr("String length exceeds 10 MiB limit (requested %1)").arg(Tools::humanReadableFileSize(length, 0));
+ return false;
+ }
+
 ba.resize(length);
 if (!read(ba.data(), ba.length())) {
+ m_error = tr("Failed to read string data: %1").arg(m_device->errorString());
 return false;
 }
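Review bot: In the readString() hunk, a length field just under the new cap still reaches `ba.resize(length)`, so up to 10 MiB is allocated before the short read is noticed. If the device is random-access (not visible from this hunk), rejecting a length larger than `m_device->bytesAvailable()` before the resize would fail truncated input without allocating. The limit is also written three times: in the comment, as the literal `1024 * 1024 * 10`, and in the translated message. A named constant such as `static constexpr quint32 MaxStringLength = 10 * 1024 * 1024;` would keep the check in one place. The function body starts and ends outside the hunk.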
diff --git a/src/sshagent/OpenSSHKey.cpp b/src/sshagent/OpenSSHKey.cpp
index 7df1c4287..4f8558596 100644
--- a/src/sshagent/OpenSSHKey.cpp
+++ b/src/sshagent/OpenSSHKey.cpp
@@ -312,9 +312,10 @@ bool OpenSSHKey::parsePKCS1PEM(const QByteArray& in)
 return false;
 }
- stream.readString(m_cipherName);
- stream.readString(m_kdfName);
- stream.readString(m_kdfOptions);
+ if (!stream.readString(m_cipherName) || !stream.readString(m_kdfName) || !stream.readString(m_kdfOptions)) {
+ m_error = tr("Failed to read key file: %1").arg(stream.errorString());
+ return false;
+ }
 quint32 numberOfKeys;
 stream.read(numberOfKeys);
@@ -327,7 +328,7 @@ bool OpenSSHKey::parsePKCS1PEM(const QByteArray& in)
 for (quint32 i = 0; i < numberOfKeys; ++i) {
 QByteArray publicKey;
 if (!stream.readString(publicKey)) {
- m_error = tr("Failed to read public key."); 
+ m_error = tr("Failed to read public key: %1").arg(stream.errorString());
 return false;
 }
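Review bot: The `stream.read(numberOfKeys);` call right after the new check (a context line of the first hunk) still discards its result, and `quint32 numberOfKeys;` has no initializer. On a file truncated at that point, the count that bounds the `for (quint32 i = 0; i < numberOfKeys; ++i)` loop in the second hunk may therefore be used uninitialized; this is hedged, because whether read() writes its argument on failure is not visible here. It deserves the same treatment as the three readString() calls: `if (!stream.read(numberOfKeys)) {`, then set `m_error` from `stream.errorString()` and `return false;`. Both hunks sit inside a function whose body starts and ends outside them.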