| author | Marc Mutz <marc.mutz@qt.io> | 2021-12-16 07:21:46 +0100 |
|---|---|---|
| committer | Marc Mutz <marc.mutz@qt.io> | 2021-12-16 18:45:07 +0100 |
| commit | 6830bdc1401e55680859b74036e9e9d90c359028 (patch) | |
| tree | 0abcebfb5193bdbb1cfe4bdf8ae47e2b919a29e0 /src/corelib/text | |
| parent | d1626ca6b0671efdb95041fa5ce09be449b253a0 (diff) | |
QString: fix UB (pointer arithmetic on nullptr) in qLastIndexOf
Says ubsan:
qstring.cpp:10484:17: runtime error: applying non-zero offset 18446744073709551614 to null pointer
If we search for a null needle, we stored 0-1 in a size_t variable and
unconditionally applied that offset to the needle's data() pointer. That
being the nullptr, ubsan complained.
To fix, set sl_minus_1 to 0 if it would underflow. In that case,
sl_minus_1, n, and h are not used, anyway, so their values don't
matter as long as we don't invoke UB.
Pick-to: 6.3 6.2 5.15
Change-Id: Idca4e845c77838dfc84acdb68bbbc98382b5e1d5
Reviewed-by: Sona Kurazyan <sona.kurazyan@qt.io>
Reviewed-by: Anton Kudryavtsev <antkudr@mail.ru>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Diffstat (limited to 'src/corelib/text')
-rw-r--r-- | src/corelib/text/qstring.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/corelib/text/qstring.cpp b/src/corelib/text/qstring.cpp index a00383b304..fe9585c607 100644 --- a/src/corelib/text/qstring.cpp +++ b/src/corelib/text/qstring.cpp @@ -10480,7 +10480,7 @@ static qsizetype qLastIndexOf(Haystack haystack0, qsizetype from, const auto needle = needle0.data(); const auto *end = haystack; haystack += from; - const std::size_t sl_minus_1 = sl - 1; + const std::size_t sl_minus_1 = sl ? sl - 1 : 0; const auto *n = needle + sl_minus_1; const auto *h = haystack + sl_minus_1; std::size_t hashNeedle = 0, hashHaystack = 0; |
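Review bot: the guard `const std::size_t sl_minus_1 = sl ? sl - 1 : 0;` removes the null-pointer offset that ubsan flagged, but it leaves the `sl == 0` case implicit: `n` and `h` are still computed from `sl_minus_1`, and nothing in the hunk shows that they are never dereferenced when the needle is empty, so correctness rests on code outside this hunk. Consider a one-line comment at the declaration stating that `n` and `h` are only read when `sl > 0`, or an early return for the empty-needle case ahead of any pointer arithmetic, so that a later change to the search loop cannot silently reintroduce the undefined behaviour.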