QJsonDocument::fromRawData: Fix out-of-bounds access
This method takes a pointer+size pair, but begins reading through the pointer without first checking the size parameter. Fixed by checking the size parameter. A new test case is added with an empty binary json file. Although the test does not fail under normal conditions, the problem can be detected using valgrind or AddressSanitizer. Task-number: QTBUG-61969 Change-Id: Ie91cc9a56dbc3c676472c614d4e633d7721b8481 Reviewed-by: Lars Knoll <lars.knoll@qt.io> Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
parent
de40f24706
commit
d3935cbd71
@ -450,7 +450,7 @@ static inline void copyString(char *dest, const QString &str, bool compress)
|
||||
|
||||
|
||||
/*
|
||||
Base is the base class for both Object and Array. Both classe work more or less the same way.
|
||||
Base is the base class for both Object and Array. Both classes work more or less the same way.
|
||||
The class starts with a header (defined by the struct below), then followed by data (the data for
|
||||
values in the Array case and Entry's (see below) for objects.
|
||||
|
||||
|
@ -210,6 +210,9 @@ QJsonDocument QJsonDocument::fromRawData(const char *data, int size, DataValidat
|
||||
return QJsonDocument();
|
||||
}
|
||||
|
||||
if (size < (int)(sizeof(QJsonPrivate::Header) + sizeof(QJsonPrivate::Base)))
|
||||
return QJsonDocument();
|
||||
|
||||
QJsonPrivate::Data *d = new QJsonPrivate::Data((char *)data, size);
|
||||
d->ownsData = false;
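Review bot: The new guard before `new QJsonPrivate::Data((char *)data, size)` only establishes that the fixed-size `Header` and the root `Base` lie inside the buffer; every offset and length stored after them is still unchecked at this point. Callers handing in untrusted bytes therefore still depend on whatever validation follows outside this hunk, and presumably on not selecting the bypass value of the `validation` parameter. I would state that limit next to the check, e.g. `// Smallest well-formed blob is Header + root Base; this does not validate the offsets stored inside it.` As a style point, `if (size < 0 || static_cast<size_t>(size) < sizeof(QJsonPrivate::Header) + sizeof(QJsonPrivate::Base))` avoids the C-style cast of the unsigned sum to `int`. The function body starts and ends outside the hunk.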
|
||||
|
||||
|
@ -1863,6 +1863,7 @@ void tst_QtJson::invalidBinaryData()
|
||||
QFile file(files.at(i).filePath());
|
||||
file.open(QIODevice::ReadOnly);
|
||||
QByteArray bytes = file.readAll();
|
||||
bytes.squeeze();
|
||||
QJsonDocument document = QJsonDocument::fromRawData(bytes.constData(), bytes.size());
|
||||
QVERIFY(document.isNull());
|
||||
}
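Review bot: The result of `file.open(QIODevice::ReadOnly)` is ignored, and with the size check from this commit an unreadable fixture now yields an empty `bytes` and a null document, so `QVERIFY(document.isNull())` would pass without the file ever being tested; `QVERIFY(file.open(QIODevice::ReadOnly));` closes that gap. The `bytes.squeeze()` call (apparently the added line) also deserves a comment, since its purpose is not obvious from the test itself: `// Drop spare capacity so a read past size() leaves the allocation and is caught by ASan/valgrind.` The surrounding loop begins outside the hunk.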
|
||||
|