From a32e8d4263634c8af358f5396355937bcabc9ee7 Mon Sep 17 00:00:00 2001
From: Marc Mutz
Date: Mon, 27 May 2024 15:39:35 +0200
Subject: [PATCH] QLatin1StringView: fix UB in "a"_L1 <> nullptr
Found by ubsan: if rhs is nullptr, then we fed a nullptr as the second argument of memcmp(), which is UB. Fix by catching an empty rhs before we reach that line. Amends e52d50a03da29e2dddaee551e4409f28c7ed56f2 (which, despite pick-to's to the contrary, never made it into 6.2 or 5.15). Change b977ae371a753a82e1d0bb32c5b62099da663721 fixed this for UTF-8/UTF-8 comparison from 6.5 on, but 6.4 ad 6.3 remain vulnerable there, but they're closed, so can't be fixed anymore.
Pick-to: 6.5
Change-Id: I12fa986aa82a7440a9d53fad19a15e9420233e0b
Reviewed-by: Ivan Solovev
(cherry picked from commit 89f184b4034ce54b8a3439069e57b0f35798fec3)
Reviewed-by: Qt Cherry-pick Bot
---
 src/corelib/text/qstring.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/corelib/text/qstring.cpp b/src/corelib/text/qstring.cpp
index 560e315252a..029313d7da6 100644
--- a/src/corelib/text/qstring.cpp
+++ b/src/corelib/text/qstring.cpp
@@ -1548,6 +1548,8 @@ int QtPrivate::compareStrings(QLatin1StringView lhs, QLatin1StringView rhs, Qt::
 {
 if (lhs.isEmpty())
 return qt_lencmp(qsizetype(0), rhs.size());
+ if (rhs.isEmpty())
+ return qt_lencmp(lhs.size(), qsizetype(0));
 if (cs == Qt::CaseInsensitive)
 return latin1nicmp(lhs.data(), lhs.size(), rhs.data(), rhs.size());
 const auto l = std::min(lhs.size(), rhs.size());
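Review bot: The added `if (rhs.isEmpty())` guard carries no comment saying why it must come before the `latin1nicmp`/`memcmp` lines, so a later refactor that reorders the early returns or folds the two empty checks into a single size comparison can silently reintroduce the null-pointer argument the commit message describes. Add a why-comment above the new pair, e.g. `// an empty view may carry a nullptr data(); both guards must run before any libc call on the buffers`. The symmetric `lhs.isEmpty()` check just above documents the same invariant only by example, so the one comment covers both. The rest of compareStrings, including the memcmp() call this fix protects, lies outside the hunk, so I could not confirm that no other path reaches a libc call with a possibly-null pointer; a regression test comparing a non-empty view against a default-constructed (nullptr) QLatin1StringView under ubsan would pin this down.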