authorAurélien Brooke <aurelien@bahiasoft.fr>2023-06-12 08:37:54 +0200
committerAurélien Brooke <aurelien@bahiasoft.fr>2023-06-12 16:11:47 +0200
commitc1c07cb434fe4ead401e70d4fae7000ba6c50c76 (patch)
tree447b9e5b1408cbfde54d9377a6db03feb17eac38 /src/plugins/geometryloaders/default/objgeometryloader.cpp
parentbe9ef64a8fcaae548321dccfeb9ece29eb007550 (diff)
ObjGeometryLoader: fix out-of-bounds accesses
We were reading values before the beginning of the array. "Conditional jump or move depends on uninitialised value(s)" Check the value of lineSize before using it as an index. Fixes: QTBUG-97751 Pick-to: 6.5 6.6 Change-Id: I57c4f36973f3d5a6f9aecf4d22626af3e29f71f4 Reviewed-by: Mike Krus <mike.krus@kdab.com>
Diffstat (limited to 'src/plugins/geometryloaders/default/objgeometryloader.cpp')
-rw-r--r--src/plugins/geometryloaders/default/objgeometryloader.cpp11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/plugins/geometryloaders/default/objgeometryloader.cpp b/src/plugins/geometryloaders/default/objgeometryloader.cpp
index dc41ca492..e741426c1 100644
--- a/src/plugins/geometryloaders/default/objgeometryloader.cpp
+++ b/src/plugins/geometryloaders/default/objgeometryloader.cpp
@@ -66,10 +66,19 @@ bool ObjGeometryLoader::doLoad(QIODevice *ioDev, const QString &subMesh)
if (lineSize > 0 && line[0] != '#') {
if (line[lineSize - 1] == '\n')
--lineSize; // chop newline
+ if (lineSize <= 0)
+ continue;
+
if (line[lineSize - 1] == '\r')
--lineSize; // chop newline also for CRLF format
- while (line[lineSize - 1] == ' ' || line[lineSize - 1] == '\t')
+ if (lineSize <= 0)
+ continue;
+
+ while (lineSize > 0 && (line[lineSize - 1] == ' ' || line[lineSize - 1] == '\t')) {
--lineSize; // chop trailing spaces
+ }
+ if (lineSize <= 0)
+ continue;
const ByteArraySplitter tokens(line, line + lineSize, ' ', Qt::SkipEmptyParts);