diff options
| author | Marc Mutz <marc.mutz@kdab.com> | 2020-05-11 09:39:19 +0200 |
|---|---|---|
| committer | Marc Mutz <marc.mutz@kdab.com> | 2020-05-13 21:26:35 +0200 |
| commit | c59665b0ec8cda1b00852f5f90fcad7fc88d1638 (patch) | |
| tree | 065e2d7f7b08cb283a323da55320be287e3cf80a /src/corelib/io | |
| parent | 72f6aaa7d4acbf7f7d11ca0723a47cf6bdb693b9 (diff) | |
QSettings: fix UB (signed integer overflow) on parsing long hex/oct escapes
The code did not limit the length of hex and octal escape sequences,
but used an int as the accumulator, which causes UB on overflow.
Due to the use of the QChar(int) constructor when appending escapeVal,
only the lowest 16 bit of the value were appended to the result
string. An test case encoding this behavior explicitly suggests this
is intended behavior.
It therefore suffices to use an unsigned 16-bit value as the
accumulator (unsigned, because that doesn't cause UB on overflow, 16
bits, because that's all we care for).
For future-proofing, use char16_t as the accumulator.
Pick-to: 5.15
Change-Id: I07e7ebf1f312276b2bbcb08e4360c66a3b9522ca
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Diffstat (limited to 'src/corelib/io')
| -rw-r--r-- | src/corelib/io/qsettings.cpp | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/src/corelib/io/qsettings.cpp b/src/corelib/io/qsettings.cpp index c9122e5962..2eeed3f57c 100644 --- a/src/corelib/io/qsettings.cpp +++ b/src/corelib/io/qsettings.cpp @@ -748,7 +748,7 @@ bool QSettingsPrivate::iniUnescapedStringList(const QByteArray &str, int from, i bool isStringList = false; bool inQuotedString = false; bool currentValueIsQuoted = false; - int escapeVal = 0; + char16_t escapeVal = 0; int i = from; char ch; @@ -854,7 +854,7 @@ StNormal: StHexEscape: if (i >= to) { - stringResult += QChar(escapeVal); + stringResult += escapeVal; goto end; } @@ -867,13 +867,13 @@ StHexEscape: ++i; goto StHexEscape; } else { - stringResult += QChar(escapeVal); + stringResult += escapeVal; goto StNormal; } StOctEscape: if (i >= to) { - stringResult += QChar(escapeVal); + stringResult += escapeVal; goto end; } @@ -884,7 +884,7 @@ StOctEscape: ++i; goto StOctEscape; } else { - stringResult += QChar(escapeVal); + stringResult += escapeVal; goto StNormal; } |