| author | Marc Mutz <marc.mutz@qt.io> | 2021-12-16 10:00:47 +0100 |
|---|---|---|
| committer | Marc Mutz <marc.mutz@qt.io> | 2021-12-17 12:34:27 +0100 |
| commit | c31fecd27fa1ca0bebc96d39ca01ff86578f8d7f (patch) | |
| tree | e600310bbf51ec62c6ad952c197b7510ec4ce169 /src/corelib/text/qbytearray.cpp | |
| parent | 0c39e5c76d5a04b1e710d9038332dc21ad323bab (diff) | |
QByteArray: fix UB (precondition violation) in replace()
If after.isNull(), then we called memcpy with a nullptr, which is UB,
even if the size is zero, too.
memmove() has the same precondition.
Fix by guarding the memcpy() call with an explicit length check.
The Qt 5.15 code is sufficiently different to not attempt to pick
there.
Pick-to: 6.3 6.2
Change-Id: I86a2f00ede6ca8fab8d4222f84dccf375c4a2194
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Diffstat (limited to 'src/corelib/text/qbytearray.cpp')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | src/corelib/text/qbytearray.cpp | 4 |

1 files changed, 3 insertions, 1 deletions
diff --git a/src/corelib/text/qbytearray.cpp b/src/corelib/text/qbytearray.cpp index 7562548bad..a03462561f 100644 --- a/src/corelib/text/qbytearray.cpp +++ b/src/corelib/text/qbytearray.cpp @@ -2169,8 +2169,10 @@ QByteArray &QByteArray::replace(qsizetype pos, qsizetype len, QByteArrayView aft return replace(pos, len, QByteArrayView{copy}); } if (len == after.size() && (pos + len <= size())) { + // same size: in-place replacement possible detach(); - memcpy(d.data() + pos, after.data(), len*sizeof(char)); + if (len > 0) + memcpy(d.data() + pos, after.data(), len*sizeof(char)); return *this; } else { // ### optimize me |
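Review bot: the reason for the new `if (len > 0)` guard is visible only in the commit message, not at the call site, so a later reader may be tempted to drop it as redundant; let the new comment carry it, e.g. `// same size: in-place replacement possible; guard len == 0, since after.data() may be nullptr and memcpy() on a nullptr is UB even for size 0`. The guard itself is sufficient here: the branch condition already requires `len == after.size()`, so `len > 0` implies a non-empty, hence non-null, view. Minor style point on the same line: `len*sizeof(char)` is just `len`, since sizeof(char) is 1 by definition, and `memcpy(d.data() + pos, after.data(), len);` reads cleaner.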