author Jüri Valdmann <juri.valdmann@qt.io> 2018-05-03 16:39:32 +0200
committer Jüri Valdmann <juri.valdmann@qt.io> 2018-05-16 08:54:53 +0000
commit 60a7d578c8add335900d4d1006b3b2c49f141873 (patch)
tree 99fb9b2ffdf8a6b16fa46f369b7fa1c4d5e72efa
parent 7dcb413858dfea8487c2f44b5c64f160b85cd5a0 (diff)
QJsonDocument: Validate also zero-length objects
The added test case is the binary JSON equivalent of {"a":{"š":null}} with two modifications. First, the length of the string "š" has been corrupted to 0xFFFFFF00. Second and more important, the Base::size field of the inner object has been reset to 0.

On its own the first modification would normally trigger a validation error. However, due to the second modification the Value::usedStorage for the inner object evaluates to 0, completely disabling all further validation of the object's contents. Attempting to convert this binary JSON into standard JSON will lead to the JSON writer trying to construct a QString of length 0xFFFFFF00.

Fixed by validating also objects with usedStorage == 0.

Task-number: QTBUG-61969
Change-Id: I5e59383674dec9be89361759572c0d91d4e16e01
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 93e0ff037e3e4d72d404c26b8e957092d5f88652)
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
-rw-r--r-- src/corelib/json/qjson.cpp 2
-rw-r--r-- tests/auto/corelib/json/invalidBinaryData/40.json bin 0 -> 60 bytes
2 files changed, 0 insertions, 2 deletions
diff --git a/src/corelib/json/qjson.cpp b/src/corelib/json/qjson.cpp
index b483cc2d8c..944c7695c6 100644
--- a/src/corelib/json/qjson.cpp
+++ b/src/corelib/json/qjson.cpp
@@ -358,8 +358,6 @@ bool Value::isValid(const Base *b) const
return false;
int s = usedStorage(b);
- if (!s)
- return true;
if (s < 0 || s > (int)b->tableOffset - offset)
return false;
if (type == QJsonValue::Array)
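Review bot: With the `if (!s) return true;` shortcut gone after `int s = usedStorage(b);`, nothing in the function records why a used storage of 0 must still go through the bounds check and the type-specific validation below it. A short comment at that spot, saying that the size fields feeding usedStorage() come from untrusted binary data and that 0 is therefore not proof of an empty value, would keep the early return from being reintroduced as an optimisation. It is also worth confirming that legitimately empty values (s == 0) still pass `s > (int)b->tableOffset - offset` and the per-type checks, since they no longer bypass them.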
diff --git a/tests/auto/corelib/json/invalidBinaryData/40.json b/tests/auto/corelib/json/invalidBinaryData/40.json
new file mode 100644
index 0000000000..277096f8cb
--- /dev/null
+++ b/tests/auto/corelib/json/invalidBinaryData/40.json
Binary files differ
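Review bot: The new 40.json is an opaque 60-byte binary and the diff touches no test source, so the only record of what the file contains is the commit message. Please confirm that the invalidBinaryData test picks the file up without a code change, and consider keeping a note beside the test data that describes the two corrupted fields (string length 0xFFFFFF00, inner Base::size 0) so the case can be regenerated if the binary format changes.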