authorJüri Valdmann <juri.valdmann@qt.io>2018-05-03 13:25:06 +0200
committerJüri Valdmann <juri.valdmann@qt.io>2018-05-16 08:54:42 +0000
commit961b8f51a2e8198fce12e8784b1edae6b3f6f67b (patch)
tree98133506798ae717c0890aac5fd2f2154c5f0e50 /src/corelib/json/qjsondocument.cpp
parent8bf2cba18638102d9887df2a62f2a37774569a5e (diff)
QJsonDocument::fromRawData: Fix out-of-bounds access
This method takes a pointer+size pair, but begins reading through the pointer without first checking the size parameter. Fixed by checking the size parameter. A new test case is added with an empty binary json file. Although the test does not fail under normal conditions, the problem can be detected using valgrind or AddressSanitizer. Task-number: QTBUG-61969 Change-Id: Ie91cc9a56dbc3c676472c614d4e633d7721b8481 Reviewed-by: Lars Knoll <lars.knoll@qt.io> Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> (cherry picked from commit d3935cbd71171e1d8f3742cc3235ca0c38313ec8)
Diffstat (limited to 'src/corelib/json/qjsondocument.cpp')
-rw-r--r--src/corelib/json/qjsondocument.cpp3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/corelib/json/qjsondocument.cpp b/src/corelib/json/qjsondocument.cpp
index ed454d5442..58cd01588f 100644
--- a/src/corelib/json/qjsondocument.cpp
+++ b/src/corelib/json/qjsondocument.cpp
@@ -188,6 +188,9 @@ QJsonDocument QJsonDocument::fromRawData(const char *data, int size, DataValidat
return QJsonDocument();
}
+ if (size < (int)(sizeof(QJsonPrivate::Header) + sizeof(QJsonPrivate::Base)))
+ return QJsonDocument();
+
QJsonPrivate::Data *d = new QJsonPrivate::Data((char *)data, size);
d->ownsData = false;