diff options
| author | Lars Knoll <lars.knoll@qt.io> | 2019-11-14 12:21:04 +0100 |
|---|---|---|
| committer | Lars Knoll <lars.knoll@qt.io> | 2019-12-07 14:18:35 +0100 |
| commit | cde2fde3f0ee1551b4907b3d8b82f0be5f20af25 (patch) | |
| tree | 72ff767da509db4eadf433d3e4b41287219c8678 /src/corelib/text/qbytearray.cpp | |
| parent | 551c665b7d3730e45e99dc87ccc144dd53f8e432 (diff) | |
Fix a use-after-free problem in QByteArray::replace
if the string pointed to by after is part of the QByteArray, we
were trying to protect against a use-after-free by copying
after. Unfortunately, it was not used later on in the code instead
of the original after.
Change-Id: I2f2263e4bb1855e802bba2fc08db34762c66887a
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
Diffstat (limited to 'src/corelib/text/qbytearray.cpp')
| -rw-r--r-- | src/corelib/text/qbytearray.cpp | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/corelib/text/qbytearray.cpp b/src/corelib/text/qbytearray.cpp index fa328a6d26..d7fcfce90c 100644 --- a/src/corelib/text/qbytearray.cpp +++ b/src/corelib/text/qbytearray.cpp @@ -2351,7 +2351,7 @@ QByteArray &QByteArray::replace(const char *before, int bsize, const char *after if (bsize == asize) { if (bsize) { while ((index = matcher.indexIn(*this, index)) != -1) { - memcpy(d + index, after, asize); + memcpy(d + index, a, asize); index += bsize; } } @@ -2370,7 +2370,7 @@ QByteArray &QByteArray::replace(const char *before, int bsize, const char *after to = index; } if (asize) { - memcpy(d + to, after, asize); + memcpy(d + to, a, asize); to += asize; } index += bsize; @@ -2422,7 +2422,7 @@ QByteArray &QByteArray::replace(const char *before, int bsize, const char *after int moveto = insertstart + asize; memmove(d + moveto, d + movestart, (moveend - movestart)); if (asize) - memcpy(d + insertstart, after, asize); + memcpy(d + insertstart, a, asize); moveend = movestart - bsize; } } |