QIODevice: fix data loss when reading large amounts from sequential devices

In certain situations, when reading a large amount of data from
sequential devices with QIODevice::readAll(), content was lost when
passing a qint64 value > QByteArray::MaxSize into QByteArray::resize(),
which takes an int. The result of the conversion to int is either negative or
calculated mod 2^32. In any case, it will at some point be < QByteArray::size(),
which prompts QByteArray to truncate, losing already-read content.

Fix by adding an explicit size check before calling QByteArray::resize().

This shows once more that an API that uses int for sizes is dangerous.
Esp. on 64-bit platforms.

Change-Id: I30fbfad0bf37476c34141b6f3786e7e0fc8e1e74
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>

1 files changed, 4 insertions, 0 deletions

diff --git a/src/corelib/io/qiodevice.cpp b/src/corelib/io/qiodevice.cpp
index 47484ad596..e73a200fb4 100644
--- a/src/corelib/io/qiodevice.cpp
+++ b/src/corelib/io/qiodevice.cpp
@@ -989,6 +989,10 @@ QByteArray QIODevice::readAll()
         // Size is unknown, read incrementally.
         qint64 readResult;
         do {
+            if (quint64(readBytes) + QIODEVICE_BUFFERSIZE > QByteArray::MaxSize) {
+                // If resize would fail, don't read more, return what we have.
+                break;
+            }
             result.resize(readBytes + QIODEVICE_BUFFERSIZE);
             readResult = read(result.data() + readBytes, QIODEVICE_BUFFERSIZE);
             if (readResult > 0 || readBytes == 0)