On 07/07/2016 10:19, Markus Armbruster wrote:
> Actually, you should either prove that untrusted input still cannot make
> us allocate unbounded amounts of memory, or bring the limit right back.
This is not where untrusted input can be blocked from allocating unbounded memory---that would be QmpOutputVisitor, which converts a stream of visitor calls into a QObject. The QmpInputVisitor's allocation depth is bounded by the number of levels in the incoming QObject, so a QmpInputVisitor cannot allocate more memory than whatever has been allocated already by QEMU.

In addition, QmpOutputVisitor allocates memory not just for the stack but also a QObject for every *value*. So you can make QmpOutputVisitor allocate unbounded memory even with a single huge QDict.

Paolo
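The distinction Paolo draws (a stream-driven builder allocates one object per value and so is where a cap on untrusted input belongs, while a walker over an already-built tree is bounded by that tree's depth) can be modelled in a few dozen lines. The following is an added illustration, not QEMU code and not the real QmpOutputVisitor/QmpInputVisitor API: `Builder`, `Node`, `MAX_DEPTH` and `MAX_VALUES` are hypothetical names and limits chosen for the example. The builder refuses, rather than allocates, once either the nesting cap or the total-value cap is reached, and `node_max_depth` plays the part of the input side whose recursion is bounded by the existing object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define MAX_DEPTH  64     /* hypothetical cap on nested (open) containers */
#define MAX_VALUES 1024   /* hypothetical cap on total values allocated */

typedef struct Node {
    bool is_container;         /* dict/list vs scalar */
    struct Node *first_child;  /* children of a container */
    struct Node *next;         /* sibling link */
} Node;

typedef struct Builder {
    Node *stack[MAX_DEPTH];    /* containers still open in the stream */
    int depth;
    size_t values;             /* one allocation per value seen so far */
    Node *root;
    bool failed;               /* sticky: set once a cap is exceeded */
} Builder;

void builder_init(Builder *b) { *b = (Builder){0}; }

/* Allocate one value; refuse (instead of allocating) once a cap is hit. */
static Node *builder_new_value(Builder *b, bool is_container)
{
    if (b->failed || b->values >= MAX_VALUES ||
        (b->depth == 0 && b->root != NULL)) {  /* second top-level value */
        b->failed = true;
        return NULL;
    }
    Node *n = calloc(1, sizeof(*n));
    if (n == NULL) { b->failed = true; return NULL; }
    n->is_container = is_container;
    b->values++;
    if (b->depth == 0) {
        b->root = n;
    } else {                   /* link into the innermost open container */
        n->next = b->stack[b->depth - 1]->first_child;
        b->stack[b->depth - 1]->first_child = n;
    }
    return n;
}

bool builder_add_scalar(Builder *b) { return builder_new_value(b, false) != NULL; }

bool builder_start_container(Builder *b)
{
    if (b->failed || b->depth >= MAX_DEPTH) { b->failed = true; return false; }
    Node *n = builder_new_value(b, true);
    if (n == NULL) return false;
    b->stack[b->depth++] = n;
    return true;
}

bool builder_end_container(Builder *b)
{
    if (b->failed || b->depth == 0) { b->failed = true; return false; }
    b->depth--;
    return true;
}

void node_free(Node *n)
{
    while (n != NULL) {
        Node *next = n->next;
        node_free(n->first_child);
        free(n);
        n = next;
    }
}

/* Input-side model: walking an existing tree costs one frame per nesting
 * level, so it is bounded by what the builder already allocated. */
size_t node_max_depth(const Node *n)
{
    size_t best = 0;
    for (; n != NULL; n = n->next) {
        size_t d = 1 + (n->is_container ? node_max_depth(n->first_child) : 0);
        if (d > best) best = d;
    }
    return best;
}

/* One flat container holding n scalars: true if the whole stream was accepted. */
bool accepts_flat_dict(size_t n)
{
    Builder b;
    builder_init(&b);
    bool ok = builder_start_container(&b);
    for (size_t i = 0; ok && i < n; i++) ok = builder_add_scalar(&b);
    ok = ok && builder_end_container(&b);
    node_free(b.root);
    return ok;
}

/* n containers nested inside each other: resulting depth, or 0 if refused. */
size_t nesting_depth(size_t n)
{
    Builder b;
    builder_init(&b);
    bool ok = true;
    for (size_t i = 0; ok && i < n; i++) ok = builder_start_container(&b);
    for (size_t i = 0; ok && i < n; i++) ok = builder_end_container(&b);
    size_t depth = ok ? node_max_depth(b.root) : 0;
    node_free(b.root);
    return depth;
}
```

The point of the two caps is the one made in the mail: a depth limit alone does not help against a single huge flat dict, because every value still costs an allocation, so the builder also has to count values. The walker, by contrast, never allocates more than one frame per level of an object that already exists.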