Plugins: fix crash if the binary JSON data contains invalid size

Eight bytes into the Binary JSON header there's a 32-bit little-endian
size, which qJsonFromRawLibraryMetaData uses to determine the size of
the stored metadata. That value is passed as a size to QByteArray, which
means certain values could cause crashes due to being too big or via
sign-extension in 64-bit.

[ChangeLog][QtCore][QPluginLoader] Fixed an issue that could cause a
crash when certain damaged or corrupt plugin files were scanned.

Change-Id: I117816bf0f5e469b8d34fffd153dc5425cec39a7
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>

1 files changed, 3 insertions, 2 deletions

diff --git a/src/corelib/plugin/qlibrary.cpp b/src/corelib/plugin/qlibrary.cpp
index 31abeaffe4..5256a09ff2 100644
--- a/src/corelib/plugin/qlibrary.cpp
+++ b/src/corelib/plugin/qlibrary.cpp
@@ -317,7 +317,7 @@ static bool findPatternUnloaded(const QString &library, QLibraryPrivate *lib)
     if (pos >= 0) {
         if (hasMetaData) {
             const char *data = filedata + pos;
-            QJsonDocument doc = qJsonFromRawLibraryMetaData(data);
+            QJsonDocument doc = qJsonFromRawLibraryMetaData(data, qsizetype(fdlen));
             lib->metaData = doc.object();
             if (qt_debug_component())
                 qWarning("Found metadata in lib %s, metadata=\n%s\n",
@@ -691,7 +691,8 @@ static bool qt_get_metadata(QtPluginQueryVerificationDataFunction pfn, QLibraryP
     if (!szData)
         return false;
 
-    QJsonDocument doc = qJsonFromRawLibraryMetaData(szData);
+    // the data is already loaded, so the size doesn't matter
+    QJsonDocument doc = qJsonFromRawLibraryMetaData(szData, INT_MAX);
     if (doc.isNull())
         return false;
     priv->metaData = doc.object();