Fix out-of-memory crash with malformed ssh keys#12606
Merged
droidmonkey merged 1 commit intokeepassxreboot:developfrom Oct 28, 2025
Merged
Fix out-of-memory crash with malformed ssh keys#12606droidmonkey merged 1 commit intokeepassxreboot:developfrom
droidmonkey merged 1 commit intokeepassxreboot:developfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR fixes an out-of-memory crash caused by malformed SSH keys by adding validation and size limits when reading SSH key data.
Key changes:
- Adds a 10 MiB size limit check before attempting to read string data from SSH key files
- Improves error handling by checking return values from
readString()calls that were previously unchecked - Enhances error messages to include underlying error details for better debugging
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/sshagent/BinaryStream.cpp | Added 10 MiB size limit validation and improved error messages when reading string data |
| src/sshagent/OpenSSHKey.cpp | Added error checking for previously unchecked readString() calls and enhanced error messages with stream error details |
| share/translations/keepassxc_en.ts | Updated translation files with new error messages and removed obsolete translation entry |
* Reported by Oblivionsage - thank you!
cf65e33 to
7dc51ae
Compare
|
Thanks for the quick fix! Looking forward to contributing more |
phoerious
approved these changes
Oct 28, 2025
dragonekii
pushed a commit
to dragonekii/keepassxc-custom
that referenced
this pull request
Dec 8, 2025
Release 2.7.11 (2025-11-23) - Add image, HTML, Markdown preview, and text editing support to inline attachment viewer [keepassxreboot#12085, keepassxreboot#12244, keepassxreboot#12654] - Add database merge confirmation dialog [keepassxreboot#10173] - Add option to auto-generate a password for new entries [keepassxreboot#12593] - Add support for group sync in KeeShare [keepassxreboot#11593] - Add {UUID} placeholder for use in references [keepassxreboot#12511] - Add “Wait for Enter” search option [keepassxreboot#12263] - Add keyboard shortcut to “Jump to Group” from search results [keepassxreboot#12225] - Add predefined search for TOTP entries [keepassxreboot#12199] - Add confirmation when closing database via ESC key [keepassxreboot#11963] - Add support for escaping placeholder expressions [keepassxreboot#11904] - Reduce tab indentation width in notes fields [keepassxreboot#11919] - Cap default Argon2 parallelism when creating a new database [keepassxreboot#11853] - Database lock after inactivity now enabled by default and set to 900 seconds [keepassxreboot#12689, keepassxreboot#12609] - Copying TOTP now opens setup dialog if none is configured for entry [keepassxreboot#12584] - Make double click action configurable [keepassxreboot#12322] - Remove unused “Last Accessed” from GUI [keepassxreboot#12602] - Auto-Type: Add more granular confirmation settings [keepassxreboot#12370] - Auto-Type: Add URL typing preset and add copy options to menu [keepassxreboot#12341] - Browser: Do not allow sites automatically if entry added from browser extension [keepassxreboot#12413] - Browser: Add options to restrict exposed groups [keepassxreboot#9852, keepassxreboot#12119] - Bitwarden Import: Add support for timestamps and password history [keepassxreboot#12588] - macOS: Add Liquid Glass icon [keepassxreboot#12642] - macOS: Remove theme-based menubar icon toggle [keepassxreboot#12685] - macOS: Add Window and Help menus [keepassxreboot#12357] - Windows: Add option to add KeePassXC to PATH during installation [keepassxreboot#12171] - Fix window geometry not being restored properly when KeePassXC starts in tray [keepassxreboot#12683] - Fix potential database truncation when using direct write save method with YubiKeys [keepassxreboot#11841] - Fix issue with database backup saving [keepassxreboot#11874] - Fix UI lockups during startup with multiple tabs [keepassxreboot#12053] - Fix keyboard shortcuts when menubar is hidden [keepassxreboot#12431] - Fix clipboard being cleared on exit even if no password was copied [keepassxreboot#12603] - Fix single-instance detection when username contains invalid filename characters [keepassxreboot#12559] - Fix “Search Wait for Enter” setting not being save [keepassxreboot#12614] - Fix hotkey accelerators not being escaped properly on database tabs [keepassxreboot#12630] - Fix confusing error if user cancels out of key file edit dialog [keepassxreboot#12639] - Fix issues with saved searches and “Press Enter to Search” option [keepassxreboot#12314] - Fix URL wildcard matching [keepassxreboot#12257] - Fix TOTP visibility on unlock and settings change [keepassxreboot#12220] - Fix KeeShare entries with reference attributes not updating [keepassxreboot#11809] - Fix sort order not being maintained when toggling filters in database reports [keepassxreboot#11849] - Fix several UI font and layout issues [keepassxreboot#11967, keepassxreboot#12102] - Prevent mouse wheel scroll on edit username field [keepassxreboot#12398] - Improve base translation consistency [keepassxreboot#12432] - Improve inactivity timer [keepassxreboot#12246] - Documentation improvements [keepassxreboot#12373, keepassxreboot#12506] - Browser: Fix ordering of clientDataJSON in Passkey response object [keepassxreboot#12120] - Browser: Fix URL matching for additional URLs [keepassxreboot#12196] - Browser: Fix group settings inheritance [keepassxreboot#12368] - Browser: Allow read-only native messaging config files [keepassxreboot#12236] - Browser: Optimise entry iteration in browser access control dialog [keepassxreboot#11817] - Browser: Fix “Do not ask permission for HTTP Basic Auth” option [keepassxreboot#11871] - Browser: Fix native messaging path for Tor Browser launcher on Linux [keepassxreboot#12005] - Auto-Type: Fix empty window behaviour [keepassxreboot#12622] - Auto-Type: Take delays into account when typing TOTP [keepassxreboot#12691] - SSH Agent: Fix out-of-memory crash with malformed SSH keys [keepassxreboot#12606] - CSV Import: Fix modified and creation time import [keepassxreboot#12379] - CSV Import: Fix duplication of root groups on import [keepassxreboot#12240] - Proton Pass Import: Fix email addresses not being imported when no username set [keepassxreboot#11888] - macOS: Fix secure input getting stuck [keepassxreboot#11928] - Windows: Prevent launch as SYSTEM user from MSI installer [keepassxreboot#12705] - Windows: Remove broken check for MSVC Redistributable from MSI installer [keepassxreboot#11950] - Linux: Fix startup delay due to StartupNotify setting in desktop file [keepassxreboot#12306] - Linux: Fix memory initialisation when --pw-stdin is used with a pipe [keepassxreboot#12050]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Screenshots
Testing strategy
Tested with proof of concept malformed key provided by @obliviansage
Type of change