diff options
| author | Marc Mutz <marc.mutz@qt.io> | 2021-12-16 07:21:46 +0100 |
|---|---|---|
| committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2021-12-16 20:18:24 +0000 |
| commit | b5cb79454a55df4c7fd6c573fef80a8d480817f9 (patch) | |
| tree | e15df3dd2280a3c32dc5b80f7aab6a9a04e5bebb /src/corelib/text | |
| parent | 4e30362dd0e965903c10281d948fd85b5a1cd001 (diff) | |
QString: fix UB (pointer arithmetic on nullptr) in qLastIndexOf
Says ubsan:
qstring.cpp:10484:17: runtime error: applying non-zero offset 18446744073709551614 to null pointer
If we search for a null needle, we stored 0-1 in a size_t variable and
unconditionally appied that offset to the needle's data() pointer. That
being the nullptr, ubsan complained.
To fix, set sl_minus_1 to 0 if it would underflow. In that case,
sl_minus_1, n, and h, are not used, anyway, so their values don't
matter as long as we don't invoke UB.
Change-Id: Idca4e845c77838dfc84acdb68bbbc98382b5e1d5
Reviewed-by: Sona Kurazyan <sona.kurazyan@qt.io>
Reviewed-by: Anton Kudryavtsev <antkudr@mail.ru>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 6830bdc1401e55680859b74036e9e9d90c359028)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Diffstat (limited to 'src/corelib/text')
| -rw-r--r-- | src/corelib/text/qstring.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/corelib/text/qstring.cpp b/src/corelib/text/qstring.cpp index b89ce78ea1..728469ba9e 100644 --- a/src/corelib/text/qstring.cpp +++ b/src/corelib/text/qstring.cpp @@ -10395,7 +10395,7 @@ static qsizetype qLastIndexOf(Haystack haystack0, qsizetype from, const auto needle = needle0.data(); const auto *end = haystack; haystack += from; - const std::size_t sl_minus_1 = sl - 1; + const std::size_t sl_minus_1 = sl ? sl - 1 : 0; const auto *n = needle + sl_minus_1; const auto *h = haystack + sl_minus_1; std::size_t hashNeedle = 0, hashHaystack = 0; |