authorIvan Solovev <ivan.solovev@qt.io>2024-04-26 17:11:04 +0200
committerIvan Solovev <ivan.solovev@qt.io>2024-05-03 14:04:52 +0200
commit2352fa0040f133e30ccc3955031618f51214791d (patch)
tree264a8cc381acdbbb1077c4df8990818c9f061295 /src/corelib/serialization/qdatastream.cpp
parent5cdac10b4680e0984f490f1606f212f1d38ab5f7 (diff)
QDataStream::readBytes: guard against integer overflow
The step variable changes in the geometric progression, which means that it may overflow at some point. Since it is a qsizetype (signed 64 or 32 bit integer), the overflow would be UB, so we need to avoid it. Add an extra check that the step is lower than the safe threshold before increasing it. Amends a1bfac287ee5d3719646d68dc91dc8e8e4cec04e. Pick-to: 6.7 Change-Id: I6097986e614937fa88b31b3dd1e53ecff22533d7 Reviewed-by: Marc Mutz <marc.mutz@qt.io> Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Diffstat (limited to 'src/corelib/serialization/qdatastream.cpp')
-rw-r--r--src/corelib/serialization/qdatastream.cpp4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/corelib/serialization/qdatastream.cpp b/src/corelib/serialization/qdatastream.cpp
index 6dcc0890e3..329be4a294 100644
--- a/src/corelib/serialization/qdatastream.cpp
+++ b/src/corelib/serialization/qdatastream.cpp
@@ -1090,6 +1090,7 @@ QDataStream &QDataStream::readBytes(char *&s, qint64 &l)
qsizetype allocated = 0;
std::unique_ptr<char[]> curBuf = nullptr;
+ constexpr qsizetype StepIncreaseThreshold = std::numeric_limits<qsizetype>::max() / 2;
do {
qsizetype blockSize = qMin(step, len - allocated);
const qsizetype n = allocated + blockSize + 1;
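Review bot: The new `StepIncreaseThreshold` declaration carries no comment, and the check it feeds (`if (step <= StepIncreaseThreshold)` before `step *= 2`) sits in the next hunk, so a reader of this line alone cannot tell why max()/2 is the bound or what it protects against. Suggest adding above it `// step doubles each iteration; cap it so that step *= 2 below cannot overflow (signed overflow is UB)`. The bound itself holds: any qsizetype value <= max()/2 doubles to at most max() - 1, so the guard is sufficient and not merely approximate. `std::numeric_limits` needs `<limits>`; the include block is outside this diff, so confirm it is present rather than reached transitively. `readBytes` begins before the hunk, and its remaining body is only partially visible here.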
@@ -1098,7 +1099,8 @@ QDataStream &QDataStream::readBytes(char *&s, qint64 &l)
if (readBlock(curBuf.get() + allocated, blockSize) != blockSize)
return *this;
allocated += blockSize;
- step *= 2;
+ if (step <= StepIncreaseThreshold)
+ step *= 2;
} while (allocated < len);
s = curBuf.release();