| author | Denis Dzyubenko <denis.dzyubenko@nokia.com> | 2012-01-11 15:13:30 +0100 |
|---|---|---|
| committer | Denis Dzyubenko <denis.dzyubenko@nokia.com> | 2012-01-11 18:15:02 +0100 |
| commit | 163726cf946bcf519bf17ab747c04363e056041e | |
| tree | 3d46390882dbfeb4c41dc7fe2503bbba701c4332 /src | |
| parent | 763d19bd197e9c74f9b7775f22abf73b7786eeef | |
Fixed object validation in a boundary case
When a latin1 string is stored that has only 2 characters or less, the size of the
data is 2+2 (2 bytes for the string length and 2 bytes for the content), so it
is quite possible that the table is located right after the data.
It should be safe to check offset+sizeof(uint) > tableOffset even for shorter
strings because values and the table are always aligned, hence even for an empty
string, it will take 4 bytes.
Change-Id: I859ae0be46ebab38feeaa6aa22fbc31f2f95d443
Sanity-Review: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
Diffstat (limited to 'src')

| -rw-r--r-- | src/qjson.cpp | 2 |
|---|---|---|

1 files changed, 1 insertions, 1 deletions
diff --git a/src/qjson.cpp b/src/qjson.cpp index 5936949..41d0144 100644 --- a/src/qjson.cpp +++ b/src/qjson.cpp @@ -270,7 +270,7 @@ bool Value::isValid(const Base *b) const if (!offset) return true; - if (offset + sizeof(uint) >= b->tableOffset) + if (offset + sizeof(uint) > b->tableOffset) return false; int s = usedStorage(b); |
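Review bot: The relaxed bound `offset + sizeof(uint) > b->tableOffset` is only safe because of an invariant the hunk does not state in code: both `offset` and `b->tableOffset` are 4-byte aligned, so a value header that ends exactly at `tableOffset` cannot straddle the table. That reasoning lives only in the commit message; please add a one-line comment at the condition (e.g. `// offset and tableOffset are both 4-byte aligned, so a header ending exactly at tableOffset does not overlap it`) so the next reader does not "fix" it back to `>=`. The hunk also only guards the fixed-size header; the bound on `s = usedStorage(b)` that follows is outside the visible context, so check that it uses the same `>` convention against `tableOffset` so the two checks stay consistent.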