QJsonDocument::fromRawData: Fix out-of-bounds access

This method takes a pointer+size pair, but begins reading through the pointer
without first checking the size parameter. Fixed by checking the size parameter.

A new test case is added with an empty binary json file. Although the test does
not fail under normal conditions, the problem can be detected using valgrind or
AddressSanitizer.

Task-number: QTBUG-61969
Change-Id: Ie91cc9a56dbc3c676472c614d4e633d7721b8481
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Jüri Valdmann 2018-05-03 13:25:06 +02:00
parent de40f24706
commit d3935cbd71
4 changed files with 5 additions and 1 deletions


@ -450,7 +450,7 @@ static inline void copyString(char *dest, const QString &str, bool compress)
/*
Base is the base class for both Object and Array. Both classe work more or less the same way.
Base is the base class for both Object and Array. Both classes work more or less the same way.
The class starts with a header (defined by the struct below), then followed by data (the data for
values in the Array case and Entry's (see below) for objects.
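Review bot: comment-only hunk, so the typo fix ("classe" to "classes") is fine as is; while touching this comment, the parenthesis opened at "(the data for values in the Array case ..." is never closed, so consider ending the sentence with "... for objects)." to balance it.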


@ -210,6 +210,9 @@ QJsonDocument QJsonDocument::fromRawData(const char *data, int size, DataValidat
return QJsonDocument();
}
if (size < (int)(sizeof(QJsonPrivate::Header) + sizeof(QJsonPrivate::Base)))
return QJsonDocument();
QJsonPrivate::Data *d = new QJsonPrivate::Data((char *)data, size);
d->ownsData = false;
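Review bot: the new guard correctly rejects buffers shorter than the fixed Header + Base prefix before `QJsonPrivate::Data` is constructed over `data`, and because `size` is a signed `int` a negative size is rejected by the same comparison; it would help to say so in a one-line comment above the check, e.g. `// Reject buffers too small to hold the fixed header; negative sizes fall out of the same test`. Note that this only covers the fixed prefix: any lengths declared inside the header still have to be bounds-checked by the validation that follows, which this hunk does not show.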


@ -1863,6 +1863,7 @@ void tst_QtJson::invalidBinaryData()
QFile file(files.at(i).filePath());
file.open(QIODevice::ReadOnly);
QByteArray bytes = file.readAll();
bytes.squeeze();
QJsonDocument document = QJsonDocument::fromRawData(bytes.constData(), bytes.size());
QVERIFY(document.isNull());
}
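Review bot: the added `bytes.squeeze()` is what makes the regression observable, since it trims the QByteArray's capacity to its size so that any read past `bytes.size()` lands outside the allocation and is caught by valgrind or AddressSanitizer; a short comment stating that intent would keep a future cleanup from removing the call as redundant. For the new empty-file case it is worth confirming that `constData()` of an empty QByteArray points at memory the sanitizer will actually flag rather than a shared static buffer, otherwise that case exercises the fix without being able to detect a regression.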