From bfaa8925d5cc0a59cec3f747a8d982ca819f026b Mon Sep 17 00:00:00 2001
From: Lars Knoll <lars.knoll@qt.io>
Date: Wed, 2 Nov 2016 14:10:47 +0100
Subject: [PATCH] Improve the validation algorithm for binary JSON

Add better boundary checks and catch (hopefully all)
cases where invalid binary JSON could cause crashes.

Change-Id: I206510b7c5e3ba953802a5f46645878e65704ecc
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
---
 src/corelib/json/qjson.cpp                    |  25 +++++++------
 src/corelib/json/qjson_p.h                    |  35 ++++++++++++++----
 .../corelib/json/invalidBinaryData/10.bjson   | Bin 0 -> 544 bytes
 .../corelib/json/invalidBinaryData/11.bjson   | Bin 0 -> 542 bytes
 .../corelib/json/invalidBinaryData/12.bjson   | Bin 0 -> 506 bytes
 .../corelib/json/invalidBinaryData/13.bjson   | Bin 0 -> 544 bytes
 .../corelib/json/invalidBinaryData/14.bjson   | Bin 0 -> 521 bytes
 .../corelib/json/invalidBinaryData/15.bjson   | Bin 0 -> 536 bytes
 .../corelib/json/invalidBinaryData/16.bjson   | Bin 0 -> 874 bytes
 .../corelib/json/invalidBinaryData/17.bjson   | Bin 0 -> 49 bytes
 .../corelib/json/invalidBinaryData/18.bjson   | Bin 0 -> 524 bytes
 .../corelib/json/invalidBinaryData/19.bjson   | Bin 0 -> 524 bytes
 .../corelib/json/invalidBinaryData/20.bjson   | Bin 0 -> 524 bytes
 .../corelib/json/invalidBinaryData/21.bjson   | Bin 0 -> 552 bytes
 .../corelib/json/invalidBinaryData/22.bjson   | Bin 0 -> 524 bytes
 .../corelib/json/invalidBinaryData/23.bjson   | Bin 0 -> 533 bytes
 .../corelib/json/invalidBinaryData/24.bjson   | Bin 0 -> 506 bytes
 .../corelib/json/invalidBinaryData/25.bjson   | Bin 0 -> 542 bytes
 .../corelib/json/invalidBinaryData/26.bjson   | Bin 0 -> 628 bytes
 .../corelib/json/invalidBinaryData/27.bjson   | Bin 0 -> 51 bytes
 .../corelib/json/invalidBinaryData/28.bjson   | Bin 0 -> 542 bytes
 .../corelib/json/invalidBinaryData/29.bjson   | Bin 0 -> 544 bytes
 .../corelib/json/invalidBinaryData/30.bjson   | Bin 0 -> 542 bytes
 .../corelib/json/invalidBinaryData/31.bjson   | Bin 0 -> 553 bytes
 .../corelib/json/invalidBinaryData/32.bjson   | Bin 0 -> 536 bytes
 .../corelib/json/invalidBinaryData/33.bjson   | Bin 0 -> 544 bytes
 .../corelib/json/invalidBinaryData/34.bjson   | Bin 0 -> 524 bytes
 .../corelib/json/invalidBinaryData/35.bjson   | Bin 0 -> 524 bytes
 .../corelib/json/invalidBinaryData/36.bjson   | Bin 0 -> 524 bytes
 .../corelib/json/invalidBinaryData/37.bjson   | Bin 0 -> 536 bytes
 tests/auto/corelib/json/tst_qtjson.cpp        |  16 ++++++++
 31 files changed, 57 insertions(+), 19 deletions(-)
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/10.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/11.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/12.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/13.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/14.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/15.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/16.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/17.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/18.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/19.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/20.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/21.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/22.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/23.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/24.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/25.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/26.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/27.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/28.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/29.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/30.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/31.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/32.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/33.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/34.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/35.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/36.bjson
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/37.bjson

diff --git a/src/corelib/json/qjson.cpp b/src/corelib/json/qjson.cpp
index c3b58e59a50..c6fff068ce1 100644
--- a/src/corelib/json/qjson.cpp
+++ b/src/corelib/json/qjson.cpp
@@ -129,10 +129,12 @@ bool Data::valid() const
         return false;
 
     bool res = false;
-    if (header->root()->is_object)
-        res = static_cast<Object *>(header->root())->isValid();
+    Base *root = header->root();
+    int maxSize = alloc - sizeof(Header);
+    if (root->is_object)
+        res = static_cast<Object *>(root)->isValid(maxSize);
     else
-        res = static_cast<Array *>(header->root())->isValid();
+        res = static_cast<Array *>(root)->isValid(maxSize);
 
     return res;
 }
@@ -195,9 +197,9 @@ int Object::indexOf(const QString &key, bool *exists)
     return min;
 }
 
-bool Object::isValid() const
+bool Object::isValid(int maxSize) const
 {
-    if (tableOffset + length*sizeof(offset) > size)
+    if (size > (uint)maxSize || tableOffset + length*sizeof(offset) > size)
         return false;
 
     QString lastKey;
@@ -206,8 +208,7 @@ bool Object::isValid() const
         if (entryOffset + sizeof(Entry) >= tableOffset)
             return false;
         Entry *e = entryAt(i);
-        int s = e->size();
-        if (table()[i] + s > tableOffset)
+        if (!e->isValid(tableOffset - table()[i]))
             return false;
         QString key = e->key();
         if (key < lastKey)
@@ -221,9 +222,9 @@ bool Object::isValid() const
 
 
 
-bool Array::isValid() const
+bool Array::isValid(int maxSize) const
 {
-    if (tableOffset + length*sizeof(offset) > size)
+    if (size > (uint)maxSize || tableOffset + length*sizeof(offset) > size)
         return false;
 
     for (uint i = 0; i < length; ++i) {
@@ -323,12 +324,12 @@ bool Value::isValid(const Base *b) const
     int s = usedStorage(b);
     if (!s)
         return true;
-    if (s < 0 || offset + s > (int)b->tableOffset)
+    if (s < 0 || s > (int)b->tableOffset - offset)
         return false;
     if (type == QJsonValue::Array)
-        return static_cast<Array *>(base(b))->isValid();
+        return static_cast<Array *>(base(b))->isValid(s);
     if (type == QJsonValue::Object)
-        return static_cast<Object *>(base(b))->isValid();
+        return static_cast<Object *>(base(b))->isValid(s);
     return true;
 }
 
diff --git a/src/corelib/json/qjson_p.h b/src/corelib/json/qjson_p.h
index b7de24d1652..c5fd38e6403 100644
--- a/src/corelib/json/qjson_p.h
+++ b/src/corelib/json/qjson_p.h
@@ -302,12 +302,19 @@ public:
     String(const char *data) { d = (Data *)data; }
 
     struct Data {
-        qle_int length;
+        qle_uint length;
         qle_ushort utf16[1];
     };
 
     Data *d;
 
+    int byteSize() const { return sizeof(uint) + sizeof(ushort) * d->length; }
+    bool isValid(int maxSize) const {
+        // Check byteSize() <= maxSize, avoiding integer overflow
+        maxSize -= sizeof(uint);
+        return maxSize >= 0 && uint(d->length) <= maxSize / sizeof(ushort);
+    }
+
     inline String &operator=(const QString &str)
     {
         d->length = str.length();
@@ -376,11 +383,16 @@ public:
     Latin1String(const char *data) { d = (Data *)data; }
 
     struct Data {
-        qle_short length;
+        qle_ushort length;
         char latin1[1];
     };
     Data *d;
 
+    int byteSize() const { return sizeof(ushort) + sizeof(char)*(d->length); }
+    bool isValid(int maxSize) const {
+        return byteSize() <= maxSize;
+    }
+
     inline Latin1String &operator=(const QString &str)
     {
         int len = d->length = str.length();
@@ -567,7 +579,7 @@ public:
     }
     int indexOf(const QString &key, bool *exists);
 
-    bool isValid() const;
+    bool isValid(int maxSize) const;
 };
 
 
@@ -577,7 +589,7 @@ public:
     inline Value at(int i) const;
     inline Value &operator [](int i);
 
-    bool isValid() const;
+    bool isValid(int maxSize) const;
 };
 
 
@@ -631,12 +643,12 @@ public:
     // key
     // value data follows key
 
-    int size() const {
+    uint size() const {
         int s = sizeof(Entry);
         if (value.latinKey)
-            s += sizeof(ushort) + qFromLittleEndian(*(ushort *) ((const char *)this + sizeof(Entry)));
+            s += shallowLatin1Key().byteSize();
         else
-            s += sizeof(uint) + sizeof(ushort)*qFromLittleEndian(*(int *) ((const char *)this + sizeof(Entry)));
+            s += shallowKey().byteSize();
         return alignedSize(s);
     }
 
@@ -662,6 +674,15 @@ public:
         return shallowKey().toString();
     }
 
+    bool isValid(int maxSize) const {
+        if (maxSize < (int)sizeof(Entry))
+            return false;
+        maxSize -= sizeof(Entry);
+        if (value.latinKey)
+            return shallowLatin1Key().isValid(maxSize);
+        return shallowKey().isValid(maxSize);
+    }
+
     bool operator ==(const QString &key) const;
     inline bool operator !=(const QString &key) const { return !operator ==(key); }
     inline bool operator >=(const QString &key) const;
diff --git a/tests/auto/corelib/json/invalidBinaryData/10.bjson b/tests/auto/corelib/json/invalidBinaryData/10.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..12b29b7aa55a1a5ccf7c13a229c65a9ff030e181
GIT binary patch
literal 544
zcmZ8eze~eV5dO4@tsoc$r-(eYV|8&BS`q6|r`94O=rcLmYJRkNiP)(HN9pM1;Na*V
z<0wvUDuR=fgYlBq4j$aSd-pE+zVEJcdZs1-EKCBcd|va#1~Si_YwQo~W+utovYuA1
z5gH^7(4}<S-@Z~Z=mPzit!E&Rz%ELy3w$pDPNY<g_Fd#r4W(zxz!qil2u~Bs&^Lfb
zhBG_N0ku|GAoCMd+~_!(M&79_RWVeEd+uQdxZ`uce11lJz<`^S%VC`#|7-|PA24TA
zMpoc^U3cI#6?bT;miKI~AIGr{Cp8w^hto)Npa|UaFm!IdWoM+hMEOXSa4D2)t_;qj
zws54^h-8Bb*+`KsLSI+`$&iFA56ACU4N^iy)~J{NI16OIiaSgz$xs>+MCSFK@e-NZ
z3Wvn<?28z#NBg&)H@uiIh1C@DL~Q%kmY>GnL3xj=eh`*as<p!FIilgj47A4+n@<5W
Xjs#30QB>y(f0L95E&~HIZ*lw!5Tc2F

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/11.bjson b/tests/auto/corelib/json/invalidBinaryData/11.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..cf2b612111288ec47d4497bc193d6fb51942e75e
GIT binary patch
literal 542
zcmb_ZyG{Z@6g{{gkVqsZRJ$=_q{Pa`hGH9669~m3F~(+KM?v?2JG&-SP-`r;(Za&g
zk1?^arcq;JVvLQ=co!)604F(fpSkDUnX~qZOaUk@0PAEgDR2O7O#UL_k)UgIp+NXi
zN+tgEP%tzM@NfW(Cix;l4(!0}#rR!?<;GGr#h!;U?1=jg4;^L+U*ILRhRi1LM0EOq
zG@#jwDnkE+jq41MN7-#jSt|~Sih2?S_hhdUJ;XLP&<D|1MJ|UG$|PU}KA|7+WAOpK
zq13Z7J7M4tJUCrR^)zg&?wIX%D9#JmwHs`!1bivW4Q^yr903pX7^J|tqwZw$H2QqD
z74t;IH#{C*#C_&+|2QU|3X7$1SQM~MD0n0o)lcW@lF7I;>!pdyKo;iqRFn4lUYstM
yCbs`N`ME*+RvmT_MyAxhY4chj<)IMC-zG9!2P5k35-8`vAZO`KsavvHLgf!CfOG-?

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/12.bjson b/tests/auto/corelib/json/invalidBinaryData/12.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..9c2403350eb8e1d30e3914d25b7b7b6b0d91efa1
GIT binary patch
literal 506
zcmb7=Jxc>Y5Qg9562+jHCY2T&u#AOPHWt@-3JDe`B4V?-TVwP-lHI#tEcALwsUWem
zwD9Nn57aUU3WBV&NkFi3VRmMBX6KoAyUkN&0T|J?M*f<70Il^EP^9xC*^&)>qQfNz
zw&AqXvOpQ)oJXBduvTb6aoGoQdiDV~Otj9?1D^BhxCe6T(IpU4fcjhTa6`@KOs!J&
zwkm2(XL}uZvZ@%^_$rwku>%t-wI^hR6?iF+11<yRide`yv@e9kaxTxZ4y#|rt&Fz>
zu@-?@%kgCr_oIQ~0tI+(qYeze4a#XYrRXhS$J=Ea6;iK>cB?kUG4KFXXc*j+8Rdmv
z<t!2@UyUZbkWY9umMIaiG-19JJQeIuUNM#V)7t55aJI&?!G3uo3PFhSuT?VD2W|si
nB2!1%??xT{<&hx$GcY6UALdkZLPmEHmMNHj)p|&NL{|F&1Z;k<

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/13.bjson b/tests/auto/corelib/json/invalidBinaryData/13.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..db6308b1fd045ecd0da64e151b6dd466e2cc3872
GIT binary patch
literal 544
zcmZ`$Jxc>Y5Pk6yja7nR<DIg>l<BN3PQ<fFs*6Fy!u58!MDHWHy%SR<y#y<J3rl~2
zzrxagpd#3ajfLmjC4z`Pn6I5-=FRNj_(T-|EYAV!WG^TXfc8ZGJjpGIu93>|o~EO3
ze`*Z_JQ@PyG>fZ<IIs(|cZQEOSYD!3TkiR&!;X0%cqEu51Br)14W$j>p2q0|;(&H9
zZb<zVHm*v*BI;g8sb*EhxS^Vi!8O?l@%ha76wwEf*_7onmZns4JsmG!pjT3Y=|o{L
z^e0|dQMw4*Y6*HCr)ddZ4nbOYZthdbtT&H%ZI$+5zKkJ!9-StA=JCKyxGNhhQBtrt
zWKKu&Sh8Pv#Z=<VYN=xdSb({c5rI7Ce&3VKy$qG&KD5VY8k%iaB>4w)^?x!ypYQ$#
tuwqb|0i8Kr#*f%`=xl|#9_?E#*kKf#N_(TrG>Oxpl-b8;8+8uGz!!d7i`4)C

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/14.bjson b/tests/auto/corelib/json/invalidBinaryData/14.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..347da4572c3874c7151298140061fc49adbaa90a
GIT binary patch
literal 521
zcmah_ze~eF6#mj!ts>Y>q#aIlbaHp76e8G8DI!wPGoESmlGI!j>yqr^A~?A?xal9{
ze_+K)1P2|?ccsOmgAd;C@7?>}o$Mbe3nT?#iQFY6TI<Y|ieFkkkgwRl1iC!ozy@l;
zZdsrVan8f86wH^gQatGaISqcGW%7D(20U4dC?X9~DPY0HO%a%eWBQFirMS1oV}RD+
zj`m;K_?$7gQK(c)FkqSbk3W2fXSOCvC8~@`a3MBX&VBJ}&LGt~N7M_)Ab&$i;u|An
zBn)q9NV?*1cy!FXMDSF2^LF1%+r-69dDP~~0ds`;9wUVXRN$Y|a{9D6U<$R>B#y2_
z*v~J6u@Q0r|Hu3~Y>2K_DbRU^c^$_0SUvXE<AKe#ohIBkNo&e}cb#T~E@%s4GKr8U
Y$6Gr&4R%PW7Q(zT+t>P*{2S@YH{;HAxc~qF

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/15.bjson b/tests/auto/corelib/json/invalidBinaryData/15.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..c6c5558934dfd2d275de86a057e6d3e444ebf992
GIT binary patch
literal 536
zcmXR+$|`1LU|?WjVqj1P(%nE#3IhZ43m}^ni2wipUoXwfz>t$)T%1@`$>71@xS1HR
z7^Vnl22KD|1Ev`nP`C(AW{E&*q5wl`MPhCN*cnjs9s}Km(`aHP6p2+xrn>(>NY*Gq
avJM7@uQ>F`;t<Cw{0uDm;{X5I3=9AV8dbLd

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/16.bjson b/tests/auto/corelib/json/invalidBinaryData/16.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..ae8b57446da90139f9a74297f82587a1fbd3cb57
GIT binary patch
literal 874
zcmXR+$|`1LU|`^7Vqj1P(%nE#3IoIM=Ro%V|NraP0BLDv1_l;}g2bXk1_loX$IKFe
z)I<S>)QZI1f}H%~VxTA(JO-+VGKr&liBpEI>MObc2f6^z=|3>Vs3jtY(;y{?Oam?j
k7%qn@lts}XfWjk^GkFxyE(CDI!3&J!jw5OOpA9qt0Lg9Ub^rhX

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/17.bjson b/tests/auto/corelib/json/invalidBinaryData/17.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..32f0cc0e23a365e970a3d87375e8637067adb0f1
GIT binary patch
literal 49
acmXR+$|`1LKmz}f*eFaH25E)l3<UsmLj&^w

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/18.bjson b/tests/auto/corelib/json/invalidBinaryData/18.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..50c89169ebe6b7daf5acc49eb00c74b772105a4c
GIT binary patch
literal 524
zcmZWmJxjw-6g@Td6Git3KC7b+P8LD1B33~WiHL}TugSAko2I^(7CPBo90f%O2Pg4&
z_!}IZ{1`g8I0za~QV_(z$-OW4=A3iiJuV!Y6o7OGFvfVwg9liz%sYvD!nRmPRWkjG
zq7#NcPdP9~>ITq^qUZzp_`I-N2OhoAgySLA5Br!x2uopEAq5BLB=2qau9QrOTk28<
zH>5wa@YxsFn0CA~HD*I;ALDRBS@ERyL|#=k^d(A0n6kTGDb^N?ibe<7bAjPOpgV;o
zP-*yQu`anIC%?J^TycW*bFNU(sy={aXH8_Y(_&^SgKwOV06nqpotahp!0k|b&T9tS
zY9)7|c?(O(315YBa!%@_T2+)K4alOJ5H+Jb5eCB5N`^}Kf9t<y*_)U}H*&5H=n~e;
zTkMiZ$7{$C<HRujucw);=gEdG+yf!^#6sZC2g&<nE5E9oK!-V#Mm#WAv7;!~h1kpH
VHverMkeA<ll5@weQDif|6F+Msghv1X

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/19.bjson b/tests/auto/corelib/json/invalidBinaryData/19.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..b922212f459605d3f949ad8387ba231cc75cf444
GIT binary patch
literal 524
zcmZWmyGjE=6g}%2Ul_EpN{SI|gji@}6f9N(QAn^@5fKX~n=x6<W|NsoFg8gqDHTKu
zi<Ewlf1s8kSO~h_$paAw?%dbRIcM(F3unp#Fg^w>lfR;*2$&LLWRGMCoBF76$$=d>
zzMdDDhq&NDts+>d5-P=I3+O~q^nt9&Gkz0zvKIRo=nzJoh@gF45d`kyn!u+AXLG*N
z=n<p620YN6u8q$b)59=SYG23zOK>%>7P&04tf&fk3;$ABti$DbqsDT)T59l;Ag(!J
z(sDc*R$D>W@EZMYHlG9TzM?1wr%;fh8ON@>$I|Kbjm=etZ;<@<l;OQmTjCVx0SjgZ
z_y1?W0-^azFkr3>nNzHxM3L!`c~WpKM#@HgWvPbuS0#ojVL!hT3k{l-j+Xg^_$c}H
zNeYulFt5z`3Co1ucG%zBhuJ*bP-;in@8-4i566P$F##j=;HX0v%Vbmw2mzRViJ}Dg
IH?kD)1IP7(!vFvP

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/20.bjson b/tests/auto/corelib/json/invalidBinaryData/20.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..c965a0d2941924fa1db73476aa8f849a3db90e69
GIT binary patch
literal 524
zcmZWmu}&L75PjwhCI|!#)ln=YB^0TGkSL501_^}Fp(q7K)^`(QxbxY&XM`)<BT5Pc
z1qBu2JNO1lD&iC=(ojSS$6F&P!b-C<yEFUV+nH8%&lUg_2Y`?C$2>%U*JC_LyP^3W
z^Jr>@$n*RN5KKT0b<&JQ)#B7zZ8|`g$wyS&dAWW7+(pxUjN8H}{1%Cj)w5VoK!8(%
ze|V`~uiFe)<RuL*=}$cT9dWtW(AsS=2|gjnbR*IxQWa^4IYZql8;4tsT6?7?6gtit
zY8?kk1$2Q%CpmGv#Lk1t#yW8RFVBk)<!aT)!5G$pO*KFNMJ;?*c*5x<Fzk4*?V|hu
zt|s`9>w@;$1H&$?qO20h^jxCNe!Hn+O#!+lv#M<+Qdz1(BRUiHU;a%jYx`nRLOC=k
zRl@uEi!81K#TjnS+*hXXemvd&c<z1pD%@52yIM}erL?~veXDFpkeaOL72!V2QS1oG
ahTyb(HGKPfm$<x32o8+)^4zEYLwg1m(1p1G

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/21.bjson b/tests/auto/corelib/json/invalidBinaryData/21.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..98165ee40c47aba9bb0e65160fa712f9bd93812f
GIT binary patch
literal 552
zcmZutJxc>Y6r30nKTr&cSe(d-mUh-cPQ(+@>Qqz$y56luxyvQDr;y6@l2R;eEG+#4
z{tYXCf*=SYHWse47e7!O*!SK(mf4wU>>a5bfYB~siv5h20LVXZF7n*)Sa}w-f%2=?
zr)K`a_&7w;1X|kcN=O8-1n2MsZxe9CW2M&QdW30ssi*}a32ax^B<^#QD9i$P{LX4n
z1J(}H8EHMi!+8OfK1_!jO0ASsifg_x3a;4O)bnoiOrp$Hb4&L2VwlqxI^WAjSVNj{
z{3Nb5qjp$Te9;ZhT@AS2(Yk;zL%<q@##R`{N_ld>E@+~EDYpGYid05pSs0YiF;Nl9
zm@sSx%*{fbWhe*l;16()pa)KiA}%^SBN+VV$-*!^eHjxN?ws-S8)c*Q6O{h^H3Q6^
z1(xks?d4s2A@=9vte$SVtMG3BN1UXN%D*s)75c46Iw>L&$>PR#i+oic?jjNc0}onX
HvOnVkkMWPw

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/22.bjson b/tests/auto/corelib/json/invalidBinaryData/22.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..151f773a81df9ea92210accd530085bf5ddd3e94
GIT binary patch
literal 524
zcmaJ-Jxc>Y5PdO;q6nr57D=&1%2-$>3Kl0qED|gZL`1~RWlW;?mE8@fP3$FQ3emzM
zrN6=-;a@QR0wJL1+$A7dxbWu9?##}cnO^fkrvPLYfC}>+Us^zV!hV+V%qXNejxfoI
zqG<3>j#LuZht)MXLJo8#z0f7mb_1=Yg6SHUkb;d77hgs#ey?}6!I*Vf22aexG^Q(Y
z>|^d~Jq4zraOG*cFWbsP3AT}bORAQrkx%L#-5XMu{ZQ1UALkIay#_3$EJp?YwKwEB
zxqJq8tx*RaKBFiLs|m6XM73Jk+TIlS!YHqI=zJY7Kt79cVu8n>9Z1%W=Mx?ox#7t~
z(w$3|MPE}(m_Rs+q#^Mqu7&P9y<hEN-X79#@2nDUAj3#bY0gBJs{`=NvtW_Ah=OoB
zLY|4ez}XEFJ2<K}U<b-rdNwBS_Jnv5i-;RJJig_R9R|O7Tme{}L{WkHl~D%10nu51
AsQ>@~

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/23.bjson b/tests/auto/corelib/json/invalidBinaryData/23.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..6eb52694702b730839ab5be75f752b7fc0bdf15d
GIT binary patch
literal 533
zcmZ`$Jxc>Y5Pj#JMny>)8xwH-D78)q2p)(*NDxUt3oZ6?Yl!A9$?heRD(NL<K+(d&
z%G%%HZ}1<eg@p(fiaBQ!45V;jcyD%=H*aR^&Z#m0SQEf1;RPiwV7?Haq<El+n^Z@Q
z6a5LpHo@4bRF&eg1$4qN{6t3Q+s94d$z2|3JQ{O|*QpVLa!?V>Kps63pBcW*k~r?D
zFSWrf$#+eB&FUJ_iFcw(6@>J#hJ3(%mrIvrgkO+XC@ZEa#eKij*eMAz8l^XvNJN2%
zfezreysmSoNY@PWnOqjQrU|T=?Ko02=dqjLW2sb<rJWV@(OUwhb>DlnDNe{!Y&ho)
zLEL;B>_E~MEZEEw0pHl-@~lx~6;1|tNvyMm5-tm>tSAK!1oKAq16?1PB|b2V2<)P)
zl1syUe$_51Ed331l0yKPCjGx`3~AxtV;BD>iNvtfMtYIySr=&59AL=6R_2FZ4t?8^
IAY)VKzlhIvO8@`>

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/24.bjson b/tests/auto/corelib/json/invalidBinaryData/24.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..c55a2a3e3b413e79cbd392c854f178196064d1aa
GIT binary patch
literal 506
zcmb7=Jxc>Y5Qg9562+jHCY2T&u#AOPHiFl93KuL6M8sy3TVwP-lHI#tEcALwsUWem
zwD9Nn57aUU3WBV&NkFi3VRmMBX6KoAyNy$20T|J?M*f<70Il^EP^9xC*^&)>qQfNz
zcHp$rvOpQ)oJXBduvTb6aoGoQdiDV~Otj9?1D^BhxCe6T(IpU4fcjhTaYN1LOs!I0
zTNSmYv%L;HSyc>de3eX&*ntTZwuFqZ0zc((z-7Q(5es>T_Jy!m&gEIwVcuoj%6Ll<
zYY~{WoTg0Tel###pa9>kd%*D9pqxfSirxZt{XMo(A@!PQw`x-y0}nujhQU3VQC|2}
z&LWZW)o8*C`Gi+vnGyj@6V{Z1r-J>-E2gsMw01fhobB;!uwUMYLJ*?-Yn4p(fm?^4
n$kb8xyHQ7fc_c{x49p1ohdI@pkkMU)WeVnBwH}fmk=1?xQ6+vT

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/25.bjson b/tests/auto/corelib/json/invalidBinaryData/25.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..6c619f2ae1ba7e688930287f9f6cbebc54c1b2cc
GIT binary patch
literal 542
zcmah`!Ab&A6g{SvL7^3`6q~3`V5@dPpqp%=D@`JTcsUQXX4K}*1VWJeXc+{xXyLMt
z=`XT^Afio+UgxRd(hKL_JNF*uoI7)Va;icAmZyL<)@wf4K)BC-ns_3TVJ6HI-&$Xp
zejKS3gx3MO+RPI01h9u(;{reFNZtvQDqrrqSVzehO<Q=jm6uJ4yU;44Tfj5rlIQe*
za>LKa<OfQ)jpAq)8%{;3LPGiIkz*V@vTFMIHGU#!gJyPQEQZCg9Sr5=JCbqD$W^^o
zv*X@4bwyGHrF_xm_*m;GoI%*kwo@DQKo;onV?;@QAgHuJB{90na-}aeUE!StZOakO
zS|DmNV+Bgumfy0fo)o^cT#+8`voL#Qsh~RI@{Ms|2D#mVErefQsbY?cq?snf8=X&}
waJ@vVbpLq=`65a!&)-(zFCJe2H&U8^YtE<~8e*N`%#Ekm%=NXtXZ<8He<+T3v;Y7A

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/26.bjson b/tests/auto/corelib/json/invalidBinaryData/26.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..3bf303215a84785972ab40428a5fef1864d24a73
GIT binary patch
literal 628
zcmXR+$|`1LU|`^7Vqj1O(%nE#3IoIM=RmeJ5U+vK3=EI||Njr<KmjuYg9n3SW{E&*
zq5wl`MPhD2PJVH5B3O1lm;|Z+Uyq~(rWJ$!f=5vUhHBgb4p^mrp|~5U<T;waDNKOP
zAfT>i*u)ta{=nQXj9ng^=>N~yM5!dk0y0O5G{gFV${Rph(1QmgMg$-tc%Y`d003}j
BL{I<#

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/27.bjson b/tests/auto/corelib/json/invalidBinaryData/27.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..d2656c22872b6d5c8f7f2bcc81b5073112fa1ab3
GIT binary patch
literal 51
ycmXR+$|`1LfB+^2hCl!Ri!h`xFo1<v{{R261}G)X%<zJRp&+p+k%7U3!4Uv3%nSqo

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/28.bjson b/tests/auto/corelib/json/invalidBinaryData/28.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..6797cf8c405a11e4f05e13c19036f11a7cc72c11
GIT binary patch
literal 542
zcmZWmO-lk%6g@Uh85C;JYQ!dTX{**jZkiSf!I*>y@p2w&&iFBJCUB+uaM`LBEn4~`
z`Ux%j0YO#}MFi2J*PYS8=)t*P@AB?B_jQj?L<GR<9I!$Dj1mh_#uU#JMg&bEgJr^p
zl>KCod`c+;k5mfG?E!-@O~7Tq9&(LSe5GO7z7R!z;JjvFdaPwJ*U}B%;<$^fL)`*y
zX`I$24k$LfEZ1IO;#@^#5gEHAL_Q%r+)z)z;EMckg!^wzd6H3dKxDRgEQXbk$;3>?
z^Ji#rq9}7!x83SFL%S~MJ_^$)SX4feQiUBJi>zhW$nM*~4scD&P^tNnK+2OeiA`1M
z4)@rm!`!AHtf*D<S&e6PUvNwJ+IrRH%;UPl%1ytc+kF|{3tjkCHtD4o<G=!PyCE$o
z505lOnH5a=%$aUEF;n^%2LG4-TU{Ic=7&ZBX5000LU||g`L+-h&V#=VWR%K5W1T=X
QC!V5UX)NUh`8PuL2gi|ufdBvi

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/29.bjson b/tests/auto/corelib/json/invalidBinaryData/29.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..0645dfc3b25ed6bd3114cea2e4b4feebab746d12
GIT binary patch
literal 544
zcmbVJJ5K^Z5dQE$v4WUb9hfyz(pg)aF`k7~hr|#H*V_%C_ki0wBNg<9SlL@x`eQ8p
z2SQA2jE#ls+<}FbPIhK?c3$7?49_oA4#4ILutWNW3;`H3x~~#H5}O8zj6Sp;SAUF5
zS1RDq2$<;9EF<E;5v=|dKDS_diBe5@;-dy9=7HdmV73e-o^#tM>;g~J&Kwd3H2ZN~
zns0D$S3qYSHLs=AaaqN9pqLcFJ?Sao`AYHRF#v(tlf@!7G9(MJXfI!3mNb#&Mqx1W
zr(REyKaaNE5cE9Jx&SXDK~i|#>`o!e+MMR7(j3f}F@(>f%VfYj9&{7lm35XVDOemb
zw<UQj*&n}RDsh*wRIvoC!8%NVKwfiy;7QiK4VB_P9T+cj>YEOjC;l(Zv;Y5{O}haq
tFqtu9{EQuh?tYlb@u}T_6GpM6jCaRwXsuL7$aLfBD6RH{5_`l_ego(Ieo6oU

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/30.bjson b/tests/auto/corelib/json/invalidBinaryData/30.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..f77fe1efd000db13d3aa0d836004dbcb5fa98240
GIT binary patch
literal 542
zcmXR+$|`1LU|<ksVqj1P(%nE#3IhZ4Eg+i(h}QtIG&6`@kQf%#0OVyblnA6I3NWNr
zB<2?U$}cXCDyn2)X!sA5Vh~^`N@QU0U~tSVWB4V<z>rf~TpW@bn#-WV5L}X&my%eN
zqTrsIm&$O1QIUbwn1Sa4&^qZtpc@!MGD~z)rQb0GGfZV=h~Z>V$q6ei_7Ny9VORoG
z19Sny0w7IY@Sg$2$p8QU*HhO5sA&Q)Q(0jQ?DR8)Fx+9lctHnWfeu9%!@_?Gj1Ce2
PH$v@;|NmzLc^?@7ir_Xv

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/31.bjson b/tests/auto/corelib/json/invalidBinaryData/31.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..d9840b65824a97d4b16e8c7a675e1d6cc2abe79a
GIT binary patch
literal 553
zcmaJ;F-yZx5dLZ#t)R3B;*cUw>?Cz^F4!W}p`B8TNJXE?v#lmgo0kZk+Fd%jIXHCm
zSNIE@#D8E#aC33+c}W8W2M@mcF83~X-@DhpxRMC~>kGg(@hyE=Kypg)BH@vsC&^)z
z@TJr+jOUiifqMgBq{3Vl9tRFl>fGRa6BRp<vM!Ds<YD-{YjMwF710%VO>9Bi1D<J|
z-X{&Hcl?6TKVjfbLvtB<yCG#YD}79;CRFf1JSIIqp`H|aQ0lZO(rK*C<?PJHix21-
zMOHFBw>xmgc3V<W3Pz=7QTj|N4R&M}dCP7^F|d!KxZJ=KEkwg4^1wa)8qehM{g@+s
zzUy%BI_NQ*cUu8(i2@6xu$b>M(-Yhm?9aJmGBD#>>X-qR5DP@|?VYBC*Gv&2%f~E4
z$(Al?hqJ>RaSl2&+l-&H1J~65v$7kOl!wQa8VuL-OETI*)s?a-MEJ;|%Erlvy0!_F
QbErMAGF3_^ejyZqUp}UQ@Bjb+

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/32.bjson b/tests/auto/corelib/json/invalidBinaryData/32.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..1de4cb829f1c84b1988d4bd05bf51e1a4563425d
GIT binary patch
literal 536
zcmXR+$|`1LU|`^7Vqj1P(%nE#3IoIM=RmeJ5U&Bz%nS@H3<Zfri3|)L433+L0gGXZ
zfckL)m>T?aW{E&*q5wl`MPhD2PJVGQ&=p|t`2YX^IE^M&LJ??4J+X?(Q1|}_$(lq+
a*1^E=6^9;K9O77opMgbR{Qp0jfdK&V6jylw

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/33.bjson b/tests/auto/corelib/json/invalidBinaryData/33.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..532a31dc088592d213438d1a523f736da774d1d8
GIT binary patch
literal 544
zcmXR+$|`1LU|<ksVqj1P(%nE#_%8+qAY#w};vOKDW@cbuVJJuhGLeA@nA3nPgp<ty
zk>LbUEI3u+kWj!OPLc5A|NsA^82}WiM-zf@|Gx#%LRjT61jQIw!D9bkVMqak5-KJJ
zrLii)q7N(tiYF+5yS{)J0E$oC>ev`^6N|FLfF`pr1Ov&`REAsz86bn_#sB{RvsXN`

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/34.bjson b/tests/auto/corelib/json/invalidBinaryData/34.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..f498558eff89829affcc267d7f6424126ebafb6f
GIT binary patch
literal 524
zcmaJ-Jxc>Y5Pk6yMG;IBEMl=m%2-$>3Kl0qED|gZL`1~R-Izr0BkpcMZDKDeQ-~H8
zDg71x2>*idF9h_QI}=0;7v9Y7%<R0GciBAG835Tipu+x+A0A+h`JQ7uGl~}H(M@aO
zIPU*bBb5a9V0TQOkOy7KpzD)p`H|LA!E}sI$iTsnn=hi4#OobxFk)V&!4vy|g~?Kq
zn_ab@0F$op<w>h2TPi>aj*+1!l_zQxlDbFdhSWu`E9x>#YKX^P0Twd0tD^8a81SCl
zJ`1PTr~?llah!wQ1UdVnTCHquZ3ui~SkT*awu%>^ki#goz~hewv;9OsMy>}krSzwi
zWzo~*2@?rdku)U!<h9T}_xE_1jtA@QommnEvW)bU*k-kMh-_c87U`Q~YblDtZ3}rS
wb|ZHuN^SqJ)_@Z!W9#oVS=(b`A?A?`a&UCZAKMI$1!<S%aU2&p@X9CyU*F_^(*OVf

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/35.bjson b/tests/auto/corelib/json/invalidBinaryData/35.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..870121075578f2e033f87f443ceb833672a26fd4
GIT binary patch
literal 524
zcmaJ-yGlbr5Ir$B3L=<BEMl=mAWcN9e1OFj;ff?!ToDlw*JO;*`-r<6P!VD;mMKIF
zi<EwaAK@<;e?ic7?xKi|3uktBc6QF0b9Q*5a{#;%V2<}2zBGaSkk19i6Qh*pcXV8h
zwYK+9jZ_j?hu=0uLJ@Q><4#1P5~W&81=BVWA%_tCtogOIoUgUD!GL+029Lbo=J7s`
zAWDCZT5r*5w<99C-|EViicv;rWYUzXDFRAJ-JyL+Dyyl<B&#8oJqe8E{Dw-Ci};r3
z<n|uIpk4#+KdddlKLmxFVsUX{X?b4Y6a6W@LPyhh2Br!axClJ_dhj!!h{?#=SUSo`
zCLWlwD!Q7Q!la_1NE#Bq?@p2yy4(0G58v{Te|=+?%mI(#R+*!xbx7n#n!Rv$&doTK
z#Ky6Z2VyO4tfnsZc7i&>R2g6Mn3Z~sz1_QFBSw)4+1|b8kH`45M2KCNiJ`S6PQEaz
Fz!xR~f%O0Y

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/36.bjson b/tests/auto/corelib/json/invalidBinaryData/36.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..ef5864e9114493a6ae0fb47d7c266b4cb8992116
GIT binary patch
literal 524
zcmaJ-Jxc>Y5PkXZD+s0$5mQWIVWEYU8W3_SL?M#m#LB`=ZjGn8+_|>_wMnccSVa*n
zQl#|f_!AVx&Ng7q*|SOIz+>m*?aaKnsGNlf0O=&K#_uf$4v_j}e~j_MSV(alLClGw
zsPzv=C^5t?ELUeGvXGa;3+j?;bw3P+f_8OXA^{s+Za#&g$(P(vqtA1B40`-_QW#`R
z4cL|i4~ww1XgESSOGVj`>Jjd>bQ~H9s9jU%&45Z139G97#+BD$VcahbySQHho_?Ze
z3|6IrHfQ(jGOe$#ZRA%8Lv&|>Ni*+0+>|FkA0VUsnPIeN5V%Uf=ps*QvEm)X!vfK$
zHAMwT!Xavg(jo0rRY{>Gy^5Gqk2z%m-r0=8__Xuvz-sfR58hnrBN|}v7T0sU@rW(5
zZxT7ix5?*_U#^~#IHn!Hy5*DYtGiLtR`@5G4|^offpK`e$zdzv&!-G|0}r_wU^+V$
NCBF)B+hs2F@CyWfhPD6z

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/invalidBinaryData/37.bjson b/tests/auto/corelib/json/invalidBinaryData/37.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..f4dd4ae12fd27b1091661f065c2438b6510f9314
GIT binary patch
literal 536
zcmXR+$|`1LU|`^7Vqj1P(%nE#3IoIM=RmeB5U&AZX=Vln7KVbv|NsBjdoVa|CI&2q
zDFW)p31DjQ)0rg#sfhv%sTGO21v&Y}#feb!9<%=ckJD&kB^1#W{(p-uLJ|M}50bTu
bkf=iesQxPsJ)kHg8axB5eDVMPYz77Z^@3Nr

literal 0
HcmV?d00001

diff --git a/tests/auto/corelib/json/tst_qtjson.cpp b/tests/auto/corelib/json/tst_qtjson.cpp
index 1665ff696d8..f2f91667110 100644
--- a/tests/auto/corelib/json/tst_qtjson.cpp
+++ b/tests/auto/corelib/json/tst_qtjson.cpp
@@ -103,6 +103,7 @@ private Q_SLOTS:
     void fromBinary();
     void toAndFromBinary_data();
     void toAndFromBinary();
+    void invalidBinaryData();
     void parseNumbers();
     void parseStrings();
     void parseDuplicateKeys();
@@ -1779,6 +1780,21 @@ void tst_QtJson::toAndFromBinary()
     QVERIFY(doc == outdoc);
 }
 
+void tst_QtJson::invalidBinaryData()
+{
+    QDir dir(testDataDir + "/invalidBinaryData");
+    QFileInfoList files = dir.entryInfoList();
+    for (int i = 0; i < files.size(); ++i) {
+        if (!files.at(i).isFile())
+            continue;
+        QFile file(files.at(i).filePath());
+        file.open(QIODevice::ReadOnly);
+        QByteArray bytes = file.readAll();
+        QJsonDocument document = QJsonDocument::fromRawData(bytes.constData(), bytes.size());
+        QVERIFY(document.isNull());
+    }
+}
+
 void tst_QtJson::parseNumbers()
 {
     {