QCborValue: catch overflow in QByteArray when decoding chunked strings

We checked against integer overflow, but not against overflowing the QByteArray size limit. That caused a std::bad_alloc to be thrown, which is bad when decoding unknown data. QCborStreamReader wasn't affected, since it doesn't merge chunks. Change-Id: I99ab0f318b1c43b89888fffd160c36f495fada87 Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
author: Thiago Macieira <thiago.macieira@intel.com> 2020-05-05 11:59:52 -0700
committer: Thiago Macieira <thiago.macieira@intel.com> 2020-05-07 07:39:26 -0700
commit: 798492ccee75a841dfec0e669a409515f3462350 (patch)
tree: 3e278d7580106e7bcd29fb027979138bd8a3f89e /src/corelib/serialization
parent: 66908badaca7bd258c00103bc388f0ce3bcf7322 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/corelib/serialization/qcborvalue.cpp b/src/corelib/serialization/qcborvalue.cpp
index 3bca15d562..89a928d348 100644
--- a/src/corelib/serialization/qcborvalue.cpp
+++ b/src/corelib/serialization/qcborvalue.cpp
@@ -1636,7 +1636,7 @@ void QCborContainerPrivate::decodeStringFromCbor(QCborStreamReader &reader)
         if (len == rawlen) {
             auto oldSize = data.size();
             auto newSize = oldSize;
-            if (!add_overflow(newSize, len, &newSize)) {
+            if (!add_overflow(newSize, len, &newSize) && newSize < MaxByteArraySize) {
                 if (newSize != oldSize)
                     data.resize(newSize);
author	Thiago Macieira <thiago.macieira@intel.com>	2020-05-05 11:59:52 -0700
committer	Thiago Macieira <thiago.macieira@intel.com>	2020-05-07 07:39:26 -0700
commit	798492ccee75a841dfec0e669a409515f3462350 (patch)
tree	3e278d7580106e7bcd29fb027979138bd8a3f89e /src/corelib/serialization
parent	66908badaca7bd258c00103bc388f0ce3bcf7322 (diff)