authorThiago Macieira <thiago.macieira@intel.com>2020-12-09 10:32:03 -0800
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2020-12-10 02:20:57 +0000
commit9d2788bc8615a09fd7805090673e2c2f5b412a94 (patch)
tree0de8f8e8f1ef9347a087adb5e13d2f7de789ade8
parent1c37e43a8e1a8cc7cf432546d27a2fcddf933260 (diff)
QUrl: fix parsing of empty IPv6 addresses
There's an assertion. Found by Google fuzz scan of CBOR data. Change-Id: I55083c2909f64a1f8868fffd164f1ff3af71605b Reviewed-by: David Faure <david.faure@kdab.com> (cherry picked from commit 4a1091f489ac3fee9efd81b0f1ffca4275725610) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/corelib/io/qurl.cpp6
-rw-r--r--tests/auto/corelib/io/qurl/tst_qurl.cpp2
2 files changed, 8 insertions, 0 deletions
diff --git a/src/corelib/io/qurl.cpp b/src/corelib/io/qurl.cpp
index 2b5839923a..0d406c057e 100644
--- a/src/corelib/io/qurl.cpp
+++ b/src/corelib/io/qurl.cpp
@@ -1262,10 +1262,16 @@ static const QChar *parseIp6(QString &host, const QChar *begin, const QChar *end
zoneId = decoded.mid(zoneIdPosition + zoneIdIdentifier.size());
endBeforeZoneId = decoded.constBegin() + zoneIdPosition;
+ // was there anything after the zone ID separator?
if (zoneId.isEmpty())
return end;
}
+ // did the address become empty after removing the zone ID?
+ // (it might have always been empty)
+ if (decoded.constBegin() == endBeforeZoneId)
+ return end;
+
const QChar *ret = QIPAddressUtils::parseIp6(address, decoded.constBegin(), endBeforeZoneId);
if (ret)
return begin + (ret - decoded.constBegin());
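Review bot: The new guard `if (decoded.constBegin() == endBeforeZoneId)` can fire in two ways, either the bracket content was empty from the start or it held nothing but a zone ID, yet the only test row this commit adds (`"//[]"` in tst_qurl.cpp) exercises the first. A second row in `ipv6_data()` would pin the zone-ID-only path, for example `QTest::newRow("only zone id") << "//[%25eth0]" << false << "";` (a constructed sample; the separator literal is defined outside this hunk and should be checked there). The commit message says the fault was an assertion reached from fuzzed input, so the comment could also record the precondition being protected, e.g. `// QIPAddressUtils::parseIp6 must not be called with an empty range`, once that is confirmed against the callee. It would be worth noting in the commit message what an assert-free build did with the empty range before this guard, since that decides whether the issue was limited to debug builds. parseIp6's body starts and ends outside the hunk.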
diff --git a/tests/auto/corelib/io/qurl/tst_qurl.cpp b/tests/auto/corelib/io/qurl/tst_qurl.cpp
index 45a311230f..e46b6eb329 100644
--- a/tests/auto/corelib/io/qurl/tst_qurl.cpp
+++ b/tests/auto/corelib/io/qurl/tst_qurl.cpp
@@ -1909,6 +1909,8 @@ void tst_QUrl::ipv6_data()
QTest::addColumn<bool>("isValid");
QTest::addColumn<QString>("output");
+ QTest::newRow("empty") << "//[]" << false << "";
+
QTest::newRow("case 1") << QString::fromLatin1("//[56:56:56:56:56:56:56:56]") << true
<< "//[56:56:56:56:56:56:56:56]";
QTest::newRow("case 2") << QString::fromLatin1("//[::56:56:56:56:56:56:56]") << true