1berry/qtbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qUncompress: statically assert that arithmetic overflow cannot occur

Browse Source 
... because the limit we check against, doubled, is still within the
range of size_t.

Took me a while to prove this to myself, so document the finding in a
static assertion.

Pick-to: 6.4 6.3 6.2
Change-Id: Ib2d1bb825c1693ccc4ffa1d8fc0bd455a170337f
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
This commit is contained in:
Marc Mutz 2022-09-06 16:53:23 +02:00
parent 3b1a2448df
commit c97bcaaa1a
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/corelib/text/qbytearray.cpp
View File

@ -609,7 +609,7 @@ QByteArray qUncompress(const uchar* data, qsizetype nbytes)
size_t expectedSize = size_t((data[0] << 24) | (data[1] << 16) |
(data[2] << 8) | (data[3] ));
size_t len = qMax(expectedSize, 1ul);
const size_t maxPossibleSize = MaxAllocSize - sizeof(QByteArray::Data);
constexpr size_t maxPossibleSize = MaxAllocSize - sizeof(QByteArray::Data);
if (Q_UNLIKELY(len >= maxPossibleSize)) {
// QByteArray does not support that huge size anyway.
return invalidCompressedData();
@ -638,6 +638,8 @@ QByteArray qUncompress(const uchar* data, qsizetype nbytes)
return QByteArray();
case Z_BUF_ERROR:
static_assert(maxPossibleSize <= (std::numeric_limits<decltype(len)>::max)() / 2,
"oops, next line may overflow");
len *= 2;
if (Q_UNLIKELY(len >= maxPossibleSize)) {
// QByteArray does not support that huge size anyway.