After finding the end marker `---`, the code expected more characters beyond: typically at least a trailing newline. But QStringView::sliced() crashes if asked for a substring that starts at or beyond the end.

Now it's restructured into a separate splitFrontMatter() function, and we're stricter, tolerating only `---\n` or `---\r\n` as marker lines. So the code is easier to prove correct, and we don't need to check characters between the end of the marker and the end of the line (to allow inadvertent whitespace, for example). If the markers are not valid, the Markdown parser will see them as thematic breaks, as it would have done if we were not extracting the Front Matter beforehand.

Amends e10c9b5c0f8f194a79ce12dcf9b6b5cb19976942 and bffddc6a993c4b6b64922e8d327bdf32e0d4975a

Credit to OSS-Fuzz which found this as issue 42533775.

[ChangeLog][QtGui][Text] Fixed a heap buffer overflow in QTextMarkdownImporter. The first marker for Front Matter must begin at the first character of a Markdown document, and both markers must be exactly ---\n or ---\r\n.

Done-with: Marc Mutz <marc.mutz@qt.io>
Fixes: QTBUG-135284
Pick-to: dev 6.9 6.8
Change-Id: I66412d21ecc0c4eabde443d70865ed2abad86d89
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
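
The strict marker rule from the commit message above, sketched as an added example; this is not Qt's code. It assumes std::string_view in place of QStringView, a hypothetical FrontMatterSplit result type, and that the closing marker is only recognised at the start of a line; only the name splitFrontMatter() comes from the commit message.

```cpp
// Added illustration, not Qt's implementation.
#include <cstddef>
#include <cstdio>
#include <optional>
#include <string_view>

struct FrontMatterSplit {          // hypothetical result type
    std::string_view frontMatter;  // text between the two marker lines
    std::string_view rest;         // Markdown after the closing marker line
};

// Length of a marker line at pos: 4 for "---\n", 5 for "---\r\n", else 0.
// compare() clamps its range to the end of doc, so a bare "---" at the very
// end of the input fails to match instead of being read past.
static std::size_t markerLineLength(std::string_view doc, std::size_t pos)
{
    if (doc.compare(pos, 4, "---\n") == 0)
        return 4;
    if (doc.compare(pos, 5, "---\r\n") == 0)
        return 5;
    return 0;
}

std::optional<FrontMatterSplit> splitFrontMatter(std::string_view doc)
{
    // The opening marker must be the first bytes of the document.
    const std::size_t open = markerLineLength(doc, 0);
    if (open == 0)
        return std::nullopt;
    for (std::size_t lineStart = open; lineStart < doc.size();) {
        const std::size_t close = markerLineLength(doc, lineStart);
        if (close != 0) {
            // A full marker matched, so lineStart + close <= doc.size():
            // the tail slice is at worst empty, never out of range.
            return FrontMatterSplit{doc.substr(open, lineStart - open),
                                    doc.substr(lineStart + close)};
        }
        const std::size_t nl = doc.find('\n', lineStart);
        if (nl == std::string_view::npos)
            break;
        lineStart = nl + 1;
    }
    return std::nullopt; // invalid markers: leave the text to the Markdown parser
}

int main()
{
    // Constructed sample: the closing marker has no trailing newline.
    std::printf("%d\n", splitFrontMatter("---\ntitle: x\n---").has_value());
    return 0;
}
```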