QJsonDocument: Reject objects containing themselves in binary JSON

The added test case is a binary JSON file describing an array which contains
itself. This file passes validation even though attempting to convert it to
plain JSON leads to an infinite loop. Fixed by rejecting it in validation.

Task-number: QTBUG-61969
Change-Id: Ib4472e9777d09840c30c384b24294e4744b02045
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
(cherry picked from commit 3fc5500b4f2a8431ac013520e9faf606e893b39a)
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>

2 files changed, 3 insertions, 3 deletions

diff --git a/src/corelib/json/qjson.cpp b/src/corelib/json/qjson.cpp
index d509349a51..b483cc2d8c 100644
--- a/src/corelib/json/qjson.cpp
+++ b/src/corelib/json/qjson.cpp
@@ -335,7 +335,7 @@ int Value::usedStorage(const Base *b) const
 
 bool Value::isValid(const Base *b) const
 {
-    int offset = 0;
+    int offset = -1;
     switch (type) {
     case QJsonValue::Double:
         if (latinOrIntValue)
@@ -352,9 +352,9 @@ bool Value::isValid(const Base *b) const
         break;
     }
 
-    if (!offset)
+    if (offset == -1)
         return true;
-    if (offset + sizeof(uint) > b->tableOffset)
+    if (offset + sizeof(uint) > b->tableOffset || offset < (int)sizeof(Base))
         return false;
 
     int s = usedStorage(b);
diff --git a/tests/auto/corelib/json/invalidBinaryData/39.bjson b/tests/auto/corelib/json/invalidBinaryData/39.bjson
new file mode 100644
index 0000000000..c6025aa9eb
--- /dev/null
+++ b/tests/auto/corelib/json/invalidBinaryData/39.bjson