authorJüri Valdmann <juri.valdmann@qt.io>2018-05-03 13:39:36 +0200
committerJüri Valdmann <juri.valdmann@qt.io>2018-05-17 10:34:33 +0000
commitc268fd2072615e42196fa40da4c10891c9f3046f (patch)
tree7287055c1c7e8fcba19a77581a44585948e69df2
parentf6fcdfcce9e8d22960d0b4b99547c582531241c6 (diff)
QJsonDocument: Reject objects containing themselves in binary JSON
The added test case is a binary JSON file describing an array which contains itself. This file passes validation even though attempting to convert it to plain JSON leads to an infinite loop. Fixed by rejecting it in validation. Task-number: QTBUG-61969 Change-Id: Ib4472e9777d09840c30c384b24294e4744b02045 Reviewed-by: Lars Knoll <lars.knoll@qt.io> (cherry picked from commit 3fc5500b4f2a8431ac013520e9faf606e893b39a) Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> (cherry picked from commit 7dcb413858dfea8487c2f44b5c64f160b85cd5a0)
-rw-r--r--src/corelib/json/qjson.cpp6
-rw-r--r--tests/auto/corelib/json/invalidBinaryData/39.bjsonbin0 -> 24 bytes
2 files changed, 3 insertions, 3 deletions
diff --git a/src/corelib/json/qjson.cpp b/src/corelib/json/qjson.cpp
index c6fff068ce..d57cb7a8ec 100644
--- a/src/corelib/json/qjson.cpp
+++ b/src/corelib/json/qjson.cpp
@@ -299,7 +299,7 @@ int Value::usedStorage(const Base *b) const
bool Value::isValid(const Base *b) const
{
- int offset = 0;
+ int offset = -1;
switch (type) {
case QJsonValue::Double:
if (latinOrIntValue)
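Review bot: The sentinel change at `int offset = -1;` is not explained, and since 0 was the old "no payload" marker a reader has to work out why it moved. A why-comment on that line would carry the intent, e.g. `int offset = -1; // -1 = value has no container/string payload; 0 is now a real offset (the base itself) that must be rejected`. The switch arms that assign `offset` are outside this hunk, so this assumes every assigning case stores a non-negative value; if any case could produce -1 it would be silently treated as "no offset" and accepted. Value::isValid continues past the end of this hunk.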
@@ -316,9 +316,9 @@ bool Value::isValid(const Base *b) const
break;
}
- if (!offset)
+ if (offset == -1)
return true;
- if (offset + sizeof(uint) > b->tableOffset)
+ if (offset + sizeof(uint) > b->tableOffset || offset < (int)sizeof(Base))
return false;
int s = usedStorage(b);
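Review bot: The new lower-bound test on the `if (offset + sizeof(uint) > b->tableOffset || offset < (int)sizeof(Base))` line sits after a mixed signed/unsigned comparison and gives no reason for `sizeof(Base)` being the threshold. Because `offset` is an `int` and `sizeof(uint)` is `size_t`, a negative `offset` is converted to a huge unsigned value in the left operand; that still ends in rejection, but the intent is clearer and the conversion avoided if the signed check runs first: `if (offset < (int)sizeof(Base) || offset + sizeof(uint) > b->tableOffset)`. A comment would also help the next maintainer: `// an offset inside b's own header (0 == b itself) makes a container its own element and recurses forever (QTBUG-61969)`. This check only rejects a child starting inside the parent's header; a child whose extent runs past the parent presumably relies on the usedStorage/size comparison that follows, which is outside this hunk, as is the rest of Value::isValid.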
diff --git a/tests/auto/corelib/json/invalidBinaryData/39.bjson b/tests/auto/corelib/json/invalidBinaryData/39.bjson
new file mode 100644
index 0000000000..c6025aa9eb
--- /dev/null
+++ b/tests/auto/corelib/json/invalidBinaryData/39.bjson
Binary files differ