1berry/qtbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix QArrayData::allocate() to guard against integer overflows

Browse Source 
The proper solution with qCalculateBlockSize will come for Qt 5.7.

Change-Id: Ifea6e497f11a461db432ffff14490788fc522eb7
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
This commit is contained in:
Thiago Macieira 2016-04-26 14:56:32 -07:00
parent f1958dbbea
commit ef7b0df419
1 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/corelib/tools/qarraydata.cpp
View File

@ -32,6 +32,7 @@
****************************************************************************/
#include <QtCore/qarraydata.h>
#include <QtCore/private/qnumeric_p.h>
#include <QtCore/private/qtools_p.h>
#include <stdlib.h>
@ -87,16 +88,22 @@ QArrayData *QArrayData::allocate(size_t objectSize, size_t alignment,
if (capacity > std::numeric_limits<size_t>::max() / objectSize)
return 0;
size_t alloc = objectSize * capacity;
size_t alloc;
if (mul_overflow(objectSize, capacity, &alloc))
return 0;
// Make sure qAllocMore won't overflow.
// Make sure qAllocMore won't overflow qAllocMore.
if (headerSize > size_t(MaxAllocSize) || alloc > size_t(MaxAllocSize) - headerSize)
return 0;
capacity = qAllocMore(int(alloc), int(headerSize)) / int(objectSize);
}
size_t allocSize = headerSize + objectSize * capacity;
size_t allocSize;
if (mul_overflow(objectSize, capacity, &allocSize))
return 0;
if (add_overflow(allocSize, headerSize, &allocSize))
return 0;
QArrayData *header = static_cast<QArrayData *>(::malloc(allocSize));
if (header) {