From cab293de7962d3196ecb2b15f5b214637e3bcba6 Mon Sep 17 00:00:00 2001
From: Marc Mutz
Date: Tue, 6 Sep 2022 16:53:23 +0200
Subject: [PATCH] qUncompress: statically assert that arithmetic overflow cannot occur
... because the limit we check against, doubled, is still within the range of size_t. Took me a while to prove this to myself, so document the finding in a static assertion.
Change-Id: Ib2d1bb825c1693ccc4ffa1d8fc0bd455a170337f
Reviewed-by: Thiago Macieira
(cherry picked from commit c97bcaaa1aa95570bd4911294bc8a0cb557b168d)
Reviewed-by: Qt Cherry-pick Bot
---
 src/corelib/text/qbytearray.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/corelib/text/qbytearray.cpp b/src/corelib/text/qbytearray.cpp
index f728877e4a5..aac2738317a 100644
--- a/src/corelib/text/qbytearray.cpp
+++ b/src/corelib/text/qbytearray.cpp
@@ -609,7 +609,7 @@ QByteArray qUncompress(const uchar* data, qsizetype nbytes)
 size_t expectedSize = size_t((data[0] << 24) | (data[1] << 16) | (data[2] << 8) | (data[3] ));
 size_t len = qMax(expectedSize, 1ul);
- const size_t maxPossibleSize = MaxAllocSize - sizeof(QByteArray::Data);
+ constexpr size_t maxPossibleSize = MaxAllocSize - sizeof(QByteArray::Data);
 if (Q_UNLIKELY(len >= maxPossibleSize)) {
 // QByteArray does not support that huge size anyway.
 return invalidCompressedData();
@@ -638,6 +638,8 @@ QByteArray qUncompress(const uchar* data, qsizetype nbytes)
 return QByteArray();
 case Z_BUF_ERROR:
+ static_assert(maxPossibleSize <= (std::numeric_limits::max)() / 2,
+ "oops, next line may overflow");
 len *= 2;
 if (Q_UNLIKELY(len >= maxPossibleSize)) {
 // QByteArray does not support that huge size anyway.
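Review bot: The `static_assert` added before `len *= 2;` in the `Z_BUF_ERROR` case covers only the compile-time half of the overflow argument: the doubling is safe only if `len < maxPossibleSize` still holds when that case is reached, and neither the message `"oops, next line may overflow"` nor a comment says so. That bound comes from the `len >= maxPossibleSize` early return in the first hunk and the re-check after the doubling, but the code between the two hunks is outside the diff, so whether anything there writes `len` cannot be confirmed from here. I would state the invariant in the message, e.g. `"len < maxPossibleSize here, and maxPossibleSize * 2 fits in size_t, so doubling len cannot overflow"`, and consider `Q_ASSERT(len < maxPossibleSize);` immediately before `len *= 2;` so debug builds check the runtime half. As rendered on this page the expression reads `std::numeric_limits::max` without a template argument, presumably `<size_t>` lost in extraction; `qUncompress` starts and ends outside both hunks.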