path: root/dist/changes-5.9.6
diff options
authorJüri Valdmann <>2018-05-08 15:30:37 +0200
committerJüri Valdmann <>2018-05-16 08:54:57 +0000
commitf24bd1b8183ec9cc4e239dc560072d3896ec61a1 (patch)
tree4bf2114a7afe61d6d185e6d418f950e567942fba /dist/changes-5.9.6
parent60a7d578c8add335900d4d1006b3b2c49f141873 (diff)
QJsonDocument: Avoid overflow of string lengths
The added test case contains the binary JSON equivalent of ["ž"] with the modification that the string's length has been set to INT_MAX. In Value::usedStorage this length is used through the pointer d like so s = sizeof(int) + sizeof(ushort) * qFromLittleEndian(*(int *)d); Because 2 * INT_MAX is UINT_MAX-1, the expression as a whole evaluates to 2, which is considered a valid storage size. However, when converting this binary JSON into ordinary JSON we will attempt to construct a QString of length INT_MAX. Fixed by using String::isValid instead of Value::usedStorage. This method already takes care to avoid the overflow problem. Additionally, I've tried in this patch to clarify the behavior of Value::isValid a bit by writing it in a style that is hopefully more amenable to structural induction. Finally, the test case added in my previous patch had the wrong file extension and is renamed in this one. Task-number: QTBUG-61969 Change-Id: I45d891f2467a71d8d105822ef7eb1a73c3efa67a Reviewed-by: Thiago Macieira <> (cherry picked from commit 8e47474baf06b3884e9173302395dd25fc09eba9) Reviewed-by: Lars Knoll <>
Diffstat (limited to 'dist/changes-5.9.6')
0 files changed, 0 insertions, 0 deletions