diff options
author | Jüri Valdmann <juri.valdmann@qt.io> | 2018-05-03 13:25:06 +0200 |
---|---|---|
committer | Jüri Valdmann <juri.valdmann@qt.io> | 2018-05-16 08:54:42 +0000 |
commit | 961b8f51a2e8198fce12e8784b1edae6b3f6f67b (patch) | |
tree | 98133506798ae717c0890aac5fd2f2154c5f0e50 /src/corelib/json/qjsondocument.cpp | |
parent | 8bf2cba18638102d9887df2a62f2a37774569a5e (diff) |
QJsonDocument::fromRawData: Fix out-of-bounds access
This method takes a pointer+size pair, but begins reading through the pointer
without first checking the size parameter. Fixed by checking the size parameter.
A new test case is added with an empty binary json file. Although the test does
not fail under normal conditions, the problem can be detected using valgrind or
AddressSanitizer.
Task-number: QTBUG-61969
Change-Id: Ie91cc9a56dbc3c676472c614d4e633d7721b8481
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit d3935cbd71171e1d8f3742cc3235ca0c38313ec8)
Diffstat (limited to 'src/corelib/json/qjsondocument.cpp')
-rw-r--r-- | src/corelib/json/qjsondocument.cpp | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/corelib/json/qjsondocument.cpp b/src/corelib/json/qjsondocument.cpp index ed454d5442..58cd01588f 100644 --- a/src/corelib/json/qjsondocument.cpp +++ b/src/corelib/json/qjsondocument.cpp @@ -188,6 +188,9 @@ QJsonDocument QJsonDocument::fromRawData(const char *data, int size, DataValidat return QJsonDocument(); } + if (size < (int)(sizeof(QJsonPrivate::Header) + sizeof(QJsonPrivate::Base))) + return QJsonDocument(); + QJsonPrivate::Data *d = new QJsonPrivate::Data((char *)data, size); d->ownsData = false; |