1berry/qtbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Avoid size overflows when inserting into very large JSON objects

Browse Source 
QJson has a size limitation for arrays and objects. Make sure we
don't go over that size limit and create corrupt objects when
inserting data.

Change-Id: I45be3caefc282d8041f38acd120b985ed4389b8c
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
Reviewed-by: Simon Hausmann <simon.hausmann@theqtcompany.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
This commit is contained in:
Lars Knoll 2015-03-18 08:49:39 +01:00 committed by Simon Hausmann
parent 6342fb2c3e
commit 03f1a69e9c
6 changed files with 62 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/corelib/json/qjson_p.h
View File

@ -788,7 +788,11 @@ public:
if (reserve) { if (reserve) {
if (reserve < 128) if (reserve < 128)
reserve = 128; reserve = 128;
size = qMax(size + reserve, size *2); size = qMax(size + reserve, qMin(size *2, (int)Value::MaxSize));
if (size > Value::MaxSize) {
qWarning("QJson: Document too large to store in data structure");
return 0;
}
} }
char *raw = (char *)malloc(size); char *raw = (char *)malloc(size);
Q_CHECK_PTR(raw); Q_CHECK_PTR(raw);

31
src/corelib/json/qjsonarray.cpp
View File

@ -382,7 +382,7 @@ void QJsonArray::removeAt(int i)
if (!a || i < 0 || i >= (int)a->length) if (!a || i < 0 || i >= (int)a->length)
return; return;
detach(); detach2();
a->removeItems(i, 1); a->removeItems(i, 1);
++d->compactionCounter; ++d->compactionCounter;
if (d->compactionCounter > 32u && d->compactionCounter >= unsigned(a->length) / 2u) if (d->compactionCounter > 32u && d->compactionCounter >= unsigned(a->length) / 2u)
@ -442,7 +442,8 @@ void QJsonArray::insert(int i, const QJsonValue &value)
bool compressed; bool compressed;
int valueSize = QJsonPrivate::Value::requiredStorage(val, &compressed); int valueSize = QJsonPrivate::Value::requiredStorage(val, &compressed);
detach(valueSize + sizeof(QJsonPrivate::Value)); if (!detach2(valueSize + sizeof(QJsonPrivate::Value)))
return;
if (!a->length) if (!a->length)
a->tableOffset = sizeof(QJsonPrivate::Array); a->tableOffset = sizeof(QJsonPrivate::Array);
@ -492,7 +493,8 @@ void QJsonArray::replace(int i, const QJsonValue &value)
bool compressed; bool compressed;
int valueSize = QJsonPrivate::Value::requiredStorage(val, &compressed); int valueSize = QJsonPrivate::Value::requiredStorage(val, &compressed);
detach(valueSize); if (!detach2(valueSize))
return;
if (!a->length) if (!a->length)
a->tableOffset = sizeof(QJsonPrivate::Array); a->tableOffset = sizeof(QJsonPrivate::Array);
@ -1122,22 +1124,39 @@ bool QJsonArray::operator!=(const QJsonArray &other) const
\internal \internal
*/ */
void QJsonArray::detach(uint reserve) void QJsonArray::detach(uint reserve)
{
Q_UNUSED(reserve)
Q_ASSERT(!reserve);
detach2(0);
}
/*!
\internal
*/
bool QJsonArray::detach2(uint reserve)
{ {
if (!d) { if (!d) {
if (reserve >= QJsonPrivate::Value::MaxSize) {
qWarning("QJson: Document too large to store in data structure");
return false;
}
d = new QJsonPrivate::Data(reserve, QJsonValue::Array); d = new QJsonPrivate::Data(reserve, QJsonValue::Array);
a = static_cast<QJsonPrivate::Array *>(d->header->root()); a = static_cast<QJsonPrivate::Array *>(d->header->root());
d->ref.ref(); d->ref.ref();
return; return true;
} }
if (reserve == 0 && d->ref.load() == 1) if (reserve == 0 && d->ref.load() == 1)
return; return true;
QJsonPrivate::Data *x = d->clone(a, reserve); QJsonPrivate::Data *x = d->clone(a, reserve);
if (!x)
return false;
x->ref.ref(); x->ref.ref();
if (!d->ref.deref()) if (!d->ref.deref())
delete d; delete d;
d = x; d = x;
a = static_cast<QJsonPrivate::Array *>(d->header->root()); a = static_cast<QJsonPrivate::Array *>(d->header->root());
return true;
} }
/*! /*!
@ -1148,7 +1167,7 @@ void QJsonArray::compact()
if (!d || !d->compactionCounter) if (!d || !d->compactionCounter)
return; return;
detach(); detach2();
d->compact(); d->compact();
a = static_cast<QJsonPrivate::Array *>(d->header->root()); a = static_cast<QJsonPrivate::Array *>(d->header->root());
} }

6
src/corelib/json/qjsonarray.h
View File

@ -185,10 +185,10 @@ public:
friend class const_iterator; friend class const_iterator;
// stl style // stl style
inline iterator begin() { detach(); return iterator(this, 0); } inline iterator begin() { detach2(); return iterator(this, 0); }
inline const_iterator begin() const { return const_iterator(this, 0); } inline const_iterator begin() const { return const_iterator(this, 0); }
inline const_iterator constBegin() const { return const_iterator(this, 0); } inline const_iterator constBegin() const { return const_iterator(this, 0); }
inline iterator end() { detach(); return iterator(this, size()); } inline iterator end() { detach2(); return iterator(this, size()); }
inline const_iterator end() const { return const_iterator(this, size()); } inline const_iterator end() const { return const_iterator(this, size()); }
inline const_iterator constEnd() const { return const_iterator(this, size()); } inline const_iterator constEnd() const { return const_iterator(this, size()); }
iterator insert(iterator before, const QJsonValue &value) { insert(before.i, value); return before; } iterator insert(iterator before, const QJsonValue &value) { insert(before.i, value); return before; }
@ -229,7 +229,9 @@ private:
QJsonArray(QJsonPrivate::Data *data, QJsonPrivate::Array *array); QJsonArray(QJsonPrivate::Data *data, QJsonPrivate::Array *array);
void initialize(); void initialize();
void compact(); void compact();
// ### Qt 6: remove me and merge with detach2
void detach(uint reserve = 0); void detach(uint reserve = 0);
bool detach2(uint reserve = 0);
QJsonPrivate::Data *d; QJsonPrivate::Data *d;
QJsonPrivate::Array *a; QJsonPrivate::Array *a;

4
src/corelib/json/qjsondocument.cpp
View File

@ -482,7 +482,7 @@ void QJsonDocument::setObject(const QJsonObject &object)
if (d->compactionCounter) if (d->compactionCounter)
o.compact(); o.compact();
else else
o.detach(); o.detach2();
d = o.d; d = o.d;
d->ref.ref(); d->ref.ref();
return; return;
@ -509,7 +509,7 @@ void QJsonDocument::setArray(const QJsonArray &array)
if (d->compactionCounter) if (d->compactionCounter)
a.compact(); a.compact();
else else
a.detach(); a.detach2();
d = a.d; d = a.d;
d->ref.ref(); d->ref.ref();
return; return;

29
src/corelib/json/qjsonobject.cpp
View File

@ -389,7 +389,8 @@ QJsonObject::iterator QJsonObject::insert(const QString &key, const QJsonValue &
int valueOffset = sizeof(QJsonPrivate::Entry) + QJsonPrivate::qStringSize(key, latinKey); int valueOffset = sizeof(QJsonPrivate::Entry) + QJsonPrivate::qStringSize(key, latinKey);
int requiredSize = valueOffset + valueSize; int requiredSize = valueOffset + valueSize;
detach(requiredSize + sizeof(QJsonPrivate::offset)); // offset for the new index entry if (!detach2(requiredSize + sizeof(QJsonPrivate::offset))) // offset for the new index entry
return iterator();
if (!o->length) if (!o->length)
o->tableOffset = sizeof(QJsonPrivate::Object); o->tableOffset = sizeof(QJsonPrivate::Object);
@ -433,7 +434,7 @@ void QJsonObject::remove(const QString &key)
if (!keyExists) if (!keyExists)
return; return;
detach(); detach2();
o->removeItems(index, 1); o->removeItems(index, 1);
++d->compactionCounter; ++d->compactionCounter;
if (d->compactionCounter > 32u && d->compactionCounter >= unsigned(o->length) / 2u) if (d->compactionCounter > 32u && d->compactionCounter >= unsigned(o->length) / 2u)
@ -460,7 +461,7 @@ QJsonValue QJsonObject::take(const QString &key)
return QJsonValue(QJsonValue::Undefined); return QJsonValue(QJsonValue::Undefined);
QJsonValue v(d, o, o->entryAt(index)->value); QJsonValue v(d, o, o->entryAt(index)->value);
detach(); detach2();
o->removeItems(index, 1); o->removeItems(index, 1);
++d->compactionCounter; ++d->compactionCounter;
if (d->compactionCounter > 32u && d->compactionCounter >= unsigned(o->length) / 2u) if (d->compactionCounter > 32u && d->compactionCounter >= unsigned(o->length) / 2u)
@ -554,7 +555,7 @@ QJsonObject::iterator QJsonObject::find(const QString &key)
int index = o ? o->indexOf(key, &keyExists) : 0; int index = o ? o->indexOf(key, &keyExists) : 0;
if (!keyExists) if (!keyExists)
return end(); return end();
detach(); detach2();
return iterator(this, index); return iterator(this, index);
} }
@ -1060,22 +1061,36 @@ QJsonObject::const_iterator QJsonObject::constFind(const QString &key) const
\internal \internal
*/ */
void QJsonObject::detach(uint reserve) void QJsonObject::detach(uint reserve)
{
Q_UNUSED(reserve)
Q_ASSERT(!reserve);
detach2(reserve);
}
bool QJsonObject::detach2(uint reserve)
{ {
if (!d) { if (!d) {
if (reserve >= QJsonPrivate::Value::MaxSize) {
qWarning("QJson: Document too large to store in data structure");
return false;
}
d = new QJsonPrivate::Data(reserve, QJsonValue::Object); d = new QJsonPrivate::Data(reserve, QJsonValue::Object);
o = static_cast<QJsonPrivate::Object *>(d->header->root()); o = static_cast<QJsonPrivate::Object *>(d->header->root());
d->ref.ref(); d->ref.ref();
return; return true;
} }
if (reserve == 0 && d->ref.load() == 1) if (reserve == 0 && d->ref.load() == 1)
return; return true;
QJsonPrivate::Data *x = d->clone(o, reserve); QJsonPrivate::Data *x = d->clone(o, reserve);
if (!x)
return false;
x->ref.ref(); x->ref.ref();
if (!d->ref.deref()) if (!d->ref.deref())
delete d; delete d;
d = x; d = x;
o = static_cast<QJsonPrivate::Object *>(d->header->root()); o = static_cast<QJsonPrivate::Object *>(d->header->root());
return true;
} }
/*! /*!
@ -1086,7 +1101,7 @@ void QJsonObject::compact()
if (!d || !d->compactionCounter) if (!d || !d->compactionCounter)
return; return;
detach(); detach2();
d->compact(); d->compact();
o = static_cast<QJsonPrivate::Object *>(d->header->root()); o = static_cast<QJsonPrivate::Object *>(d->header->root());
} }

6
src/corelib/json/qjsonobject.h
View File

@ -182,10 +182,10 @@ public:
friend class const_iterator; friend class const_iterator;
// STL style // STL style
inline iterator begin() { detach(); return iterator(this, 0); } inline iterator begin() { detach2(); return iterator(this, 0); }
inline const_iterator begin() const { return const_iterator(this, 0); } inline const_iterator begin() const { return const_iterator(this, 0); }
inline const_iterator constBegin() const { return const_iterator(this, 0); } inline const_iterator constBegin() const { return const_iterator(this, 0); }
inline iterator end() { detach(); return iterator(this, size()); } inline iterator end() { detach2(); return iterator(this, size()); }
inline const_iterator end() const { return const_iterator(this, size()); } inline const_iterator end() const { return const_iterator(this, size()); }
inline const_iterator constEnd() const { return const_iterator(this, size()); } inline const_iterator constEnd() const { return const_iterator(this, size()); }
iterator erase(iterator it); iterator erase(iterator it);
@ -215,7 +215,9 @@ private:
QJsonObject(QJsonPrivate::Data *data, QJsonPrivate::Object *object); QJsonObject(QJsonPrivate::Data *data, QJsonPrivate::Object *object);
void initialize(); void initialize();
// ### Qt 6: remove me and merge with detach2
void detach(uint reserve = 0); void detach(uint reserve = 0);
bool detach2(uint reserve = 0);
void compact(); void compact();
QString keyAt(int i) const; QString keyAt(int i) const;