Merge remote-tracking branch 'origin/5.6' into 5.7

Conflicts:
	mkspecs/features/qml_module.prf
	mkspecs/features/qt_common.prf
	src/gui/text/qzip.cpp
	src/plugins/platforms/cocoa/qnsview.mm
	src/plugins/platforms/windows/array.h
	src/testlib/qtestcase.cpp
	src/widgets/dialogs/qfilesystemmodel.h

Change-Id: Ie41c5868415b81f7693c80e045497035504bb210

1 files changed, 10 insertions, 3 deletions

diff --git a/src/corelib/tools/qarraydata.cpp b/src/corelib/tools/qarraydata.cpp
index 21ad799e25..bf336a8f31 100644
--- a/src/corelib/tools/qarraydata.cpp
+++ b/src/corelib/tools/qarraydata.cpp
@@ -38,6 +38,7 @@
 ****************************************************************************/
 
 #include <QtCore/qarraydata.h>
+#include <QtCore/private/qnumeric_p.h>
 #include <QtCore/private/qtools_p.h>
 
 #include <stdlib.h>
@@ -93,16 +94,22 @@ QArrayData *QArrayData::allocate(size_t objectSize, size_t alignment,
         if (capacity > std::numeric_limits<size_t>::max() / objectSize)
             return 0;
 
-        size_t alloc = objectSize * capacity;
+        size_t alloc;
+        if (mul_overflow(objectSize, capacity, &alloc))
+            return 0;
 
-        // Make sure qAllocMore won't overflow.
+        // Make sure qAllocMore won't overflow qAllocMore.
         if (headerSize > size_t(MaxAllocSize) || alloc > size_t(MaxAllocSize) - headerSize)
             return 0;
 
         capacity = qAllocMore(int(alloc), int(headerSize)) / int(objectSize);
     }
 
-    size_t allocSize = headerSize + objectSize * capacity;
+    size_t allocSize;
+    if (mul_overflow(objectSize, capacity, &allocSize))
+        return 0;
+    if (add_overflow(allocSize, headerSize, &allocSize))
+        return 0;
 
     QArrayData *header = static_cast<QArrayData *>(::malloc(allocSize));
     if (header) {