From 418734b9f4baaaadd289b6379701912e864330da Mon Sep 17 00:00:00 2001
From: Ulf Hermann
Date: Fri, 20 Apr 2018 12:00:36 +0200
Subject: Don't read past the end of the device when parsing tracing data

As the tracing data has its own length field, we need to check that against the device's bytesAvailable() separately.

Change-Id: I9e6ed96967b0864f69dc8b1a01e7171589d2701f
Reviewed-by: Christian Kandeler
---
 app/perfdata.cpp | 21 +++++++++++++--------
 app/perfdata.h | 1 +
 app/perftracingdata.cpp | 4 +++-
 3 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/app/perfdata.cpp b/app/perfdata.cpp
index ce67043..f9407f6 100644
--- a/app/perfdata.cpp
+++ b/app/perfdata.cpp
@@ -147,15 +147,20 @@ PerfData::ReadStatus PerfData::processEvents(QDataStream &stream)
 if (contentSize == 4) {
 // The content is actually another 4 byte integer,
 // describing the size of the real content that follows.
- PerfTracingData tracing;
- quint32 size;
- stream >> size;
- tracing.setSize(size);
- stream >> tracing;
- m_destination->tracing(tracing);
+ if (m_tracingData.size() == 0) {
+ quint32 size;
+ stream >> size;
+ m_tracingData.setSize(size);
+ }
+ if (stream.device()->bytesAvailable() >= m_tracingData.size()) {
+ stream >> m_tracingData;
+ m_destination->tracing(m_tracingData);
+ m_tracingData = PerfTracingData();
+ } else {
+ return Rerun;
+ }
 } else {
- // Maybe someone with a brain will fix this eventually ...
- // then we'll hit this branch.
+ // contentSize is only 16bit. The tracing data frequently exceeds 2^16 bytes.
 qWarning() << "HEADER_TRACING_DATA with unexpected contentSize" << contentSize;
 stream.skipRawData(contentSize);
 }
diff --git a/app/perfdata.h b/app/perfdata.h
index 13d31a0..7daf794 100644
--- a/app/perfdata.h
+++ b/app/perfdata.h
@@ -488,6 +488,7 @@ private:
 const PerfHeader *m_header;
 PerfAttributes *m_attributes;
 PerfEventHeader m_eventHeader;
+ PerfTracingData m_tracingData;
 ReadStatus processEvents(QDataStream &stream);
 ReadStatus doRead();
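Review bot: The `size` read at the top of the new block in app/perfdata.cpp comes straight from the input and is stored with `m_tracingData.setSize(size)` without any sanity check, and the new `bytesAvailable() >= m_tracingData.size()` test then returns `Rerun` until that many bytes are buffered. Since `size` is a quint32, a corrupt or hostile input can declare up to 4 GiB here, which on a sequential device presumably means buffering that much or waiting indefinitely on a truncated stream; how `Rerun` is handled at end of input is outside this hunk. I would check `stream.status()` right after `stream >> size` and reject a size above a project-chosen cap before calling `setSize()`, reporting it through whatever ReadStatus value this function uses for malformed input. A comment that a zero size doubles as the "length not read yet" marker across reruns would also help, e.g. `// size() == 0: length prefix not consumed yet`. processEvents() starts and ends outside the hunk.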
diff --git a/app/perftracingdata.cpp b/app/perftracingdata.cpp
index c58eb99..a50069e 100644
--- a/app/perftracingdata.cpp
+++ b/app/perftracingdata.cpp
@@ -242,8 +242,10 @@ bool PerfTracingData::readEventFormats(QDataStream &stream, const QByteArray &sy
 }
 }
- if (!seenId)
+ if (!seenId) {
+ qWarning() << "No ID seen in event format";
 return false;
+ }
 m_eventFormats[id] = event;
 }
-- 
cgit v1.2.3