authorAurélien Brooke <aurelien@bahiasoft.fr>2023-06-12 08:37:54 +0200
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2023-06-12 16:16:31 +0000
commit237d6e615d57605df4abf6de7ab1523e54ac13c6 (patch)
treeeee22f4739c3773dfa47c4201d931fb90855c5c9
parentc99cb8c094b181309303bdb9c377e7b52a0b055a (diff)
ObjGeometryLoader: fix out-of-bounds accesses
We were reading values before the beginning of the array, which was reported as "Conditional jump or move depends on uninitialised value(s)". Check the value of lineSize before using it as an index. Fixes: QTBUG-97751 Change-Id: I57c4f36973f3d5a6f9aecf4d22626af3e29f71f4 Reviewed-by: Mike Krus <mike.krus@kdab.com> (cherry picked from commit c1c07cb434fe4ead401e70d4fae7000ba6c50c76) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/plugins/geometryloaders/default/objgeometryloader.cpp11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/plugins/geometryloaders/default/objgeometryloader.cpp b/src/plugins/geometryloaders/default/objgeometryloader.cpp
index 264c951c3..740b5916b 100644
--- a/src/plugins/geometryloaders/default/objgeometryloader.cpp
+++ b/src/plugins/geometryloaders/default/objgeometryloader.cpp
@@ -66,10 +66,19 @@ bool ObjGeometryLoader::doLoad(QIODevice *ioDev, const QString &subMesh)
if (lineSize > 0 && line[0] != '#') {
if (line[lineSize - 1] == '\n')
--lineSize; // chop newline
+ if (lineSize <= 0)
+ continue;
+
if (line[lineSize - 1] == '\r')
--lineSize; // chop newline also for CRLF format
- while (line[lineSize - 1] == ' ' || line[lineSize - 1] == '\t')
+ if (lineSize <= 0)
+ continue;
+
+ while (lineSize > 0 && (line[lineSize - 1] == ' ' || line[lineSize - 1] == '\t')) {
--lineSize; // chop trailing spaces
+ }
+ if (lineSize <= 0)
+ continue;
const ByteArraySplitter tokens(line, line + lineSize, ' ', Qt::SkipEmptyParts);