author | Joerg Bornemann <joerg.bornemann@qt.io> | 2018-08-01 12:17:09 +0200 |
---|---|---|
committer | Joerg Bornemann <joerg.bornemann@qt.io> | 2018-08-01 11:15:50 +0000 |
commit | 5dc6209478e070b885acc317dccf5c561ad61ecb (patch) | |
tree | d3328b5b266ad80fe574dd60f45f866f71bc0e9b | |
parent | 27a174eb70490f1d40637dfe4031e73c8f0f0c3c (diff) |
Fix OOM crash in QRC scanner
We implicitly created a QByteArray with the file content without
passing the file size. This would result in copying the whole mmapped
file into memory, and potentially much more if there's no terminating
null byte.
Fix this by using QByteArray::fromRawData which we pass the correct file
size and which doesn't copy the data.
Task-number: QBS-1375
Change-Id: I35c4cceba64343550094c29298ff9b3617718dac
Reviewed-by: Christian Kandeler <christian.kandeler@qt.io>
-rw-r--r-- | src/plugins/scanner/qt/qtscanner.cpp | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/plugins/scanner/qt/qtscanner.cpp b/src/plugins/scanner/qt/qtscanner.cpp
index 5a790efc1..51faadab3 100644
--- a/src/plugins/scanner/qt/qtscanner.cpp
+++ b/src/plugins/scanner/qt/qtscanner.cpp
@@ -119,7 +119,8 @@ static void *openScannerQrc(const unsigned short *filePath, const char *fileTags
 int r = fstat(opaque->fd, &s);
 if (r != 0) return nullptr;
- opaque->mapl = s.st_size;
+ const int fileSize = static_cast<int>(s.st_size);
+ opaque->mapl = fileSize;
 void *map = mmap(0, s.st_size, PROT_READ, MAP_PRIVATE, opaque->fd, 0);
 if (map == nullptr)
@@ -129,13 +130,14 @@ static void *openScannerQrc(const unsigned short *filePath, const char *fileTags
 if (!opaque->file->open(QFile::ReadOnly)) return nullptr;
- uchar *map = opaque->file->map(0, opaque->file->size());
+ const int fileSize = opaque->file->size();
+ uchar *map = opaque->file->map(0, fileSize);
 if (!map) return nullptr;
 #endif
 opaque->map = reinterpret_cast<char *>(map);
- opaque->xml = new QXmlStreamReader(opaque->map);
+ opaque->xml = new QXmlStreamReader(QByteArray::fromRawData(opaque->map, fileSize));
 return static_cast<void *>(opaque.release());
 } |
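Review bot: `static_cast<int>(s.st_size)` in the mmap branch silently truncates for files of 2 GiB or more, and the truncated value now lands in `opaque->mapl` while `mmap` is still called with the full `s.st_size`, so the stored length and the mapped length can disagree (and a negative length would reach `QByteArray::fromRawData` at the end of the function). Reject such files before the cast, `if (s.st_size < 0 || s.st_size > INT_MAX) return nullptr;`, and give the Qt branch's `const int fileSize = opaque->file->size();` in the next hunk the same bound. Independently, the context line `if (map == nullptr)` does not fire on failure because mmap reports errors as `MAP_FAILED`; it should read `if (map == MAP_FAILED)`, which on Linux would also catch an empty file, where a zero-length mmap is rejected. openScannerQrc starts and ends outside this hunk.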
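Review bot: `QByteArray::fromRawData` does not copy, so the `QXmlStreamReader` created on the last changed line reads straight from the mapping and is only valid while the file stays mapped; nothing at this line records that constraint. Add a comment above it such as `// xml borrows opaque->map (no copy): delete xml before the file is unmapped or closed`, and confirm that the teardown path, which is not visible in this diff, destroys the reader before releasing the mapping. The opening of openScannerQrc lies outside this hunk.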