summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOswald Buddenhagen <oswald.buddenhagen@qt.io>2016-12-19 13:50:17 +0100
committerOswald Buddenhagen <oswald.buddenhagen@gmx.de>2019-01-14 08:52:15 +0000
commitc365fa49d85810c6ad09bb5f43b5081cd7543bf1 (patch)
tree12f6db2fe9dfae85734d5e188cfb683dd9ba3e4b
parent6178913a234dfbb5a24c9128f6460f070fb7ce14 (diff)
fix out-of-bounds access on trailing percent sign in tr() argument
tr() recognizes %n and %Ln. it offers no way to escape lone percent signs, which implies that they must be interpreted verbatim, which is what the code actually does. except that it would run off the end if the % appeared at the end of the string. Fixes: QTBUG-57171 Done-with: Mateusz Starzycki <mstarzycki@gmail.com> Change-Id: Icf81925c482be1ea66ec8daafb3e92ad17ea7fab Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
-rw-r--r--src/corelib/kernel/qcoreapplication.cpp4
-rw-r--r--tests/auto/corelib/kernel/qcoreapplication/tst_qcoreapplication.cpp6
-rw-r--r--tests/auto/corelib/kernel/qcoreapplication/tst_qcoreapplication.h1
3 files changed, 11 insertions, 0 deletions
diff --git a/src/corelib/kernel/qcoreapplication.cpp b/src/corelib/kernel/qcoreapplication.cpp
index 3c8b0f947c..b6b4da3885 100644
--- a/src/corelib/kernel/qcoreapplication.cpp
+++ b/src/corelib/kernel/qcoreapplication.cpp
@@ -2097,9 +2097,13 @@ static void replacePercentN(QString *result, int n)
int len = 0;
while ((percentPos = result->indexOf(QLatin1Char('%'), percentPos + len)) != -1) {
len = 1;
+ if (percentPos + len == result->length())
+ break;
QString fmt;
if (result->at(percentPos + len) == QLatin1Char('L')) {
++len;
+ if (percentPos + len == result->length())
+ break;
fmt = QLatin1String("%L1");
} else {
fmt = QLatin1String("%1");
diff --git a/tests/auto/corelib/kernel/qcoreapplication/tst_qcoreapplication.cpp b/tests/auto/corelib/kernel/qcoreapplication/tst_qcoreapplication.cpp
index a53501b9dd..6adb393ddd 100644
--- a/tests/auto/corelib/kernel/qcoreapplication/tst_qcoreapplication.cpp
+++ b/tests/auto/corelib/kernel/qcoreapplication/tst_qcoreapplication.cpp
@@ -928,6 +928,12 @@ void tst_QCoreApplication::threadedEventDelivery()
thread.start();
QVERIFY(thread.wait(1000));
QCOMPARE(receiver.recordedEvents.contains(QEvent::User + 1), eventsReceived);
+
+}
+
+void tst_QCoreApplication::testTrWithPercantegeAtTheEnd()
+{
+ QCoreApplication::translate("testcontext", "this will crash%", "testdisamb", 3);
}
#if QT_CONFIG(library)
diff --git a/tests/auto/corelib/kernel/qcoreapplication/tst_qcoreapplication.h b/tests/auto/corelib/kernel/qcoreapplication/tst_qcoreapplication.h
index 105cca5174..2a23cf0751 100644
--- a/tests/auto/corelib/kernel/qcoreapplication/tst_qcoreapplication.h
+++ b/tests/auto/corelib/kernel/qcoreapplication/tst_qcoreapplication.h
@@ -59,6 +59,7 @@ private slots:
void applicationEventFilters_auxThread();
void threadedEventDelivery_data();
void threadedEventDelivery();
+ void testTrWithPercantegeAtTheEnd();
#if QT_CONFIG(library)
void addRemoveLibPaths();
#endif