Qt QDom Complex Algorithm Vulnerability in XML Processing

Vulnerability

A vulnerability exists in the QDom component of Qt versions prior to 6.8.0: the 'encodeText' function uses an inefficient algorithm for XML string processing. It copies the entire string and then makes inline replacements, so the data after each modification has to be relocated every time. The result is a significant slowdown, particularly in Qt 6, where 'encodeText' is called more frequently, which exacerbates the problem.

Impact

The vulnerability introduces a performance regression in XML processing: operations that involve the 'encodeText' function slow down significantly, particularly in Qt 6.

Reproduction

The vulnerability can be reproduced by using a Qt version prior to 6.8.0 and calling the 'encodeText' function in the QDom component, for example by creating an XML string that requires encoding, which triggers the inefficient string processing algorithm. The performance impact can be observed by timing the operation, especially in Qt 6, where the slowdown is more pronounced.
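
The copy-then-replace pattern described under Vulnerability, modelled with std::string beside a linear append-based version, with a timing helper for the comparison mentioned above. This is an added example, not Qt's encodeText source or the upstream fix; the function names, the set of escaped characters and the sample input are assumptions.

```cpp
#include <chrono>
#include <cstdio>
#include <string>

// Added model, not Qt's encodeText source; the escaped set is an assumption.
static const char *entityFor(char c) {
    switch (c) {
    case '<': return "&lt;";
    case '>': return "&gt;";
    case '&': return "&amp;";
    case '"': return "&quot;";
    default:  return nullptr;
    }
}

// Copy, then replace inline: each replace() shifts the whole tail (quadratic).
std::string escapeInPlace(const std::string &in) {
    std::string out = in;
    for (std::size_t i = 0; i < out.size(); ++i) {
        if (const char *e = entityFor(out[i])) {
            const std::string ent(e);
            out.replace(i, 1, ent);
            i += ent.size() - 1; // skip the entity just written
        }
    }
    return out;
}

// Linear alternative: append to a fresh buffer, nothing is relocated.
std::string escapeAppend(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        if (const char *e = entityFor(c)) out += e; else out += c;
    }
    return out;
}

// Wall-clock milliseconds for one call of f on s.
template <typename F> double timeMs(F f, const std::string &s) {
    auto t0 = std::chrono::steady_clock::now();
    volatile std::size_t sink = f(s).size(); (void)sink;
    return std::chrono::duration<double, std::milli>(std::chrono::steady_clock::now() - t0).count();
}

int main() {
    const std::string sample(40000, '&'); // constructed input: every character is escaped
    std::printf("in-place: %.1f ms, append: %.1f ms\n", timeMs(escapeInPlace, sample), timeMs(escapeAppend, sample));
}
```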

Remediation

Users can upgrade to Qt version 6.8.0 or later, where this vulnerability has been addressed. For those using Qt 5.15, a manual patch is available.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.