QJsonDocument::fromRawData: Fix out-of-bounds access

This method takes a pointer+size pair, but begins reading through the pointer
without first checking the size parameter. Fixed by checking the size parameter.

A new test case is added with an empty binary json file. Although the test does
not fail under normal conditions, the problem can be detected using valgrind or
AddressSanitizer.

Task-number: QTBUG-61969
Change-Id: Ie91cc9a56dbc3c676472c614d4e633d7721b8481
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>

src/corelib/serialization/qjson_p.h

@@ -450,7 +450,7 @@ static inline void copyString(char *dest, const QString &str, bool compress)
 
 
 /*
- Base is the base class for both Object and Array. Both classe work more or less the same way.
+ Base is the base class for both Object and Array. Both classes work more or less the same way.
  The class starts with a header (defined by the struct below), then followed by data (the data for
  values in the Array case and Entry's (see below) for objects.
 

src/corelib/serialization/qjsondocument.cpp

@@ -210,6 +210,9 @@ QJsonDocument QJsonDocument::fromRawData(const char *data, int size, DataValidat
         return QJsonDocument();
     }
 
+    if (size < (int)(sizeof(QJsonPrivate::Header) + sizeof(QJsonPrivate::Base)))
+        return QJsonDocument();
+
     QJsonPrivate::Data *d = new QJsonPrivate::Data((char *)data, size);
     d->ownsData = false;
 

tests/auto/corelib/serialization/json/tst_qtjson.cpp

@@ -1863,6 +1863,7 @@ void tst_QtJson::invalidBinaryData()
         QFile file(files.at(i).filePath());
         file.open(QIODevice::ReadOnly);
         QByteArray bytes = file.readAll();
+        bytes.squeeze();
         QJsonDocument document = QJsonDocument::fromRawData(bytes.constData(), bytes.size());
         QVERIFY(document.isNull());
     }