Merge remote-tracking branch 'origin/5.7' into 5.8

Conflicts: mkspecs/common/linux-android.conf src/gui/opengl/qopengl.h src/network/socket/qnativesocketengine_winrt.cpp src/network/socket/qnativesocketengine_winrt_p.h src/plugins/platforms/cocoa/qcocoawindow.mm src/plugins/platforms/eglfs/api/qeglfsintegration.cpp src/plugins/platforms/linuxfb/qlinuxfbintegration.cpp sync.profile Change-Id: If70aaf2c49df91157b864cf0d7d9513546c9bec4
author: Liang Qi <liang.qi@qt.io> 2016-11-16 07:37:38 +0100
committer: Liang Qi <liang.qi@qt.io> 2016-11-16 12:35:36 +0100
commit: 90c425642dfeae4564b43dacf15f80479962e910 (patch)
tree: 7e51683195210b3c70c04a8a0753ee272af1cd4c /src/corelib/json/qjson.cpp
parent: 1a43199fcea1bcec1ebf1a1a12cd3dcb942d67b4 (diff)
parent: 9808b53fde1dfc65ad3757cc6720e430c3cc89a2 (diff)
1 files changed, 13 insertions, 12 deletions
diff --git a/src/corelib/json/qjson.cpp b/src/corelib/json/qjson.cpp
index e9a1366af0..d509349a51 100644
--- a/src/corelib/json/qjson.cpp
+++ b/src/corelib/json/qjson.cpp
@@ -135,10 +135,12 @@ bool Data::valid() const
         return false;
 
     bool res = false;
-    if (header->root()->is_object)
-        res = static_cast<Object *>(header->root())->isValid();
+    Base *root = header->root();
+    int maxSize = alloc - sizeof(Header);
+    if (root->is_object)
+        res = static_cast<Object *>(root)->isValid(maxSize);
     else
-        res = static_cast<Array *>(header->root())->isValid();
+        res = static_cast<Array *>(root)->isValid(maxSize);
 
     return res;
 }
@@ -223,9 +225,9 @@ int Object::indexOf(QLatin1String key, bool *exists) const
     return min;
 }
 
-bool Object::isValid() const
+bool Object::isValid(int maxSize) const
 {
-    if (tableOffset + length*sizeof(offset) > size)
+    if (size > (uint)maxSize || tableOffset + length*sizeof(offset) > size)
         return false;
 
     QString lastKey;
@@ -234,8 +236,7 @@ bool Object::isValid() const
         if (entryOffset + sizeof(Entry) >= tableOffset)
             return false;
         Entry *e = entryAt(i);
-        int s = e->size();
-        if (table()[i] + s > tableOffset)
+        if (!e->isValid(tableOffset - table()[i]))
             return false;
         QString key = e->key();
         if (key < lastKey)
@@ -249,9 +250,9 @@ bool Object::isValid() const
 
 
 
-bool Array::isValid() const
+bool Array::isValid(int maxSize) const
 {
-    if (tableOffset + length*sizeof(offset) > size)
+    if (size > (uint)maxSize || tableOffset + length*sizeof(offset) > size)
         return false;
 
     for (uint i = 0; i < length; ++i) {
@@ -359,12 +360,12 @@ bool Value::isValid(const Base *b) const
     int s = usedStorage(b);
     if (!s)
         return true;
-    if (s < 0 || offset + s > (int)b->tableOffset)
+    if (s < 0 || s > (int)b->tableOffset - offset)
         return false;
     if (type == QJsonValue::Array)
-        return static_cast<Array *>(base(b))->isValid();
+        return static_cast<Array *>(base(b))->isValid(s);
     if (type == QJsonValue::Object)
-        return static_cast<Object *>(base(b))->isValid();
+        return static_cast<Object *>(base(b))->isValid(s);
     return true;
 }
author	Liang Qi <liang.qi@qt.io>	2016-11-16 07:37:38 +0100
committer	Liang Qi <liang.qi@qt.io>	2016-11-16 12:35:36 +0100
commit	90c425642dfeae4564b43dacf15f80479962e910 (patch)
tree	7e51683195210b3c70c04a8a0753ee272af1cd4c /src/corelib/json/qjson.cpp
parent	1a43199fcea1bcec1ebf1a1a12cd3dcb942d67b4 (diff)
parent	9808b53fde1dfc65ad3757cc6720e430c3cc89a2 (diff)